Mental-health software has the deepest regulatory stack of any vibe-coded vertical: state licensing boards police diagnosis claims, the FTC has settled three major actions against similar apps in the last 24 months, and the app stores require crisis-resources disclosure on pain of rejection. Comply Code is the first-pass triage that surfaces what your model didn’t know to flag.
Diagnosis, treatment, and therapy are reserved to licensed clinicians. Software that does these things triggers unlicensed-practice statutes in every state.
Mental-health data sharing without granular disclosure is the consistent enforcement theme. BetterHelp, Cerebral, and Monument all settled on this theory.
Apps that diagnose or treat conditions enter SaMD scope and require 510(k) clearance or enforcement-discretion documentation.
Mental-health and wellness categories both require crisis-resources disclosure. Rejection at review is the most common operational consequence.
Mental-health data has elevated state protections even outside HIPAA. Washington's MHMDA is the broadest; CT, NV, and AZ have similar frameworks.
Mental-health data is 'special category' under GDPR — explicit consent required for any processing, including by the operator.
If it diagnoses ('you have anxiety'), treats ('here's your therapy plan'), prescribes, or markets itself as a clinician replacement, then yes — every state's psychology / counseling licensure statutes apply. The word 'treatment' is the operative term and state boards interpret it broadly. Replace clinical language with experiential framing ('what you're describing is something many people associate with anxiety') and the test is generally not met.
$7.8M in 2023 for sharing user mental-health intake data with Meta, Snap, Pinterest, and Criteo via tracking pixels, despite privacy-policy claims to the contrary. The consent order's remediation prescriptions — granular disclosure of every data category shared with every third party, affirmative express consent before sharing health information for advertising — became the de facto compliance template for the entire category. Most subsequent FTC mental-health-app actions cite the same theory.
Operationally yes, on three independent grounds: (1) Apple App Store and Google Play both require it for apps in the mental-health and wellness categories — rejection at review is the most common consequence; (2) it's the duty-of-care floor in negligence theories if a user in crisis is harmed; (3) the APA's ethical guidelines treat it as baseline for any mental-health-adjacent product. Add 988 / findahelpline.com to your footer AND chat-interface header.
Usually no — HIPAA applies only to 'covered entities' (insurers, providers, clearinghouses) and their 'business associates'. Most consumer mental-health apps don't trigger HIPAA. But that doesn't mean you're unregulated: Washington's My Health My Data Act, state mental-health-data privacy laws (often modelled on HIPAA), FTC Section 5, and Article 9 of GDPR (for EU users) all cover mental-health data in overlapping ways. The BetterHelp consent-order template satisfies most of them.
Software-as-a-Medical-Device (SaMD) applies when software is intended to diagnose, cure, mitigate, treat, or prevent disease. An app that journals mood and offers reflection prompts is generally not SaMD; an app that diagnoses anxiety or recommends a treatment plan likely is. The same language audits that keep you out of state-board scope (avoid diagnose/treat/cure) also keep you out of FDA SaMD scope.
Free unlimited scans. $19 unlocks every fix prompt on a scan. $29/mo for unlimited.