Comps & Reflections

Mental Health Apps: Good Intentions, Mixed Evidence

Hundreds of millions of people have downloaded mental health apps. The clinical evidence is mixed, the privacy practices are questionable, and the regulation barely touches it.

2026-05-14 · 6 min read · Comps & Reflections · Trust & Security

The app stores contain thousands of applications with some claim to mental health benefit. Meditation guides, mood trackers, CBT-based tools, crisis support lines, journaling apps with sentiment analysis, sleep coaching apps that cross-market into anxiety management. They are downloaded by hundreds of millions of people worldwide, often by people who are genuinely struggling and who cannot or will not access traditional clinical care. The intentions behind many of them, both from the developers and from the people downloading them, are sincere. What troubles me is the gap between those intentions and what we can actually say with confidence about what these tools do.

The evidence is mixed. Not mixed in the sense that researchers disagree about interpretation, but mixed in the sense that some of these apps have been studied in randomized controlled trials and show modest positive effects for mild to moderate anxiety and depression symptoms, and others have never been studied at all. The evidence is weakest for the most severe presentations and strongest for structured, clinician-backed interventions that happen to be delivered via a digital interface. A CBT-based app developed in collaboration with clinical researchers and tested in multiple trials is a different thing from a general wellness app that says it supports mental health because it includes a breathing exercise. Both are in the same app store category. There is no shelf divider between them.

Part of the problem is regulatory. In the US, most mental health apps are not regulated as medical devices because they do not make specific clinical diagnostic or treatment claims. If an app says "this app treats generalized anxiety disorder," the FDA has a basis to require evidence of safety and efficacy before it can be marketed. If an app says "this app supports emotional wellness and mindfulness," the FDA generally has no such basis. This is not a loophole exactly. It reflects a genuine policy choice about not over-regulating consumer wellness products. But the practical effect is that many apps can market mental health benefits without meeting the evidentiary standards required of regulated products. The FTC has authority over deceptive marketing claims and has brought enforcement actions against companies making unsupported health claims generally, though I want to be careful here about citing specific mental health app cases I cannot directly verify.

The digital therapeutics category is the one that straddles this line most visibly. Digital therapeutics, sometimes abbreviated DTx, are software-based interventions designed to prevent, manage, or treat medical conditions. Some have received FDA clearance or authorization. Those that have gone through the FDA process have had to demonstrate safety and efficacy evidence in a way that the broader app ecosystem has not. Gartner has identified digital therapeutics as an emerging category in health IT, sitting between consumer wellness apps and traditional medical devices, though I would hedge any specific market sizing claims they have attached to that observation. The category is real and growing, the outcome data is accumulating, and whether it will develop into a stable and well-governed part of healthcare delivery is still an open question.

The privacy side of this is where I think the IS research community has more work to do. Mental health apps collect sensitive data by definition. Mood logs, journal entries, sleep patterns, crisis triggers, self-reported symptom severity. Several investigative journalism outlets have found through their own analyses that mental health apps shared user data with advertisers or analytics firms in ways that were inconsistent with or not adequately disclosed in their privacy policies. I am citing this as "widely reported investigative journalism findings" rather than citing specific articles, because I have seen multiple reports in this space but want to be honest that I am not verifying the specifics of each individual investigation here. The pattern, that health apps with sensitive data sometimes monetize that data in ways users do not understand, is consistent with what IS privacy researchers have found more broadly about the gap between privacy policy language and actual data practice.

The privacy problem for mental health data is particularly acute because of the sensitivity of the information and because of who might be interested in it. Health data generally gets some protection in the US under HIPAA, but HIPAA applies to covered entities like healthcare providers and health insurers, and to their business associates. A consumer mental health app that operates entirely outside the clinical care context is generally not a HIPAA-covered entity. The data is not protected by HIPAA even though its nature is identical to what would be protected inside a clinical context. Someone's depression log in an EHR is a protected health record. The same information entered into a consumer app that is not connected to a clinical provider is not. This is a genuine governance gap that the current regulatory framework was not designed to close, because HIPAA was designed before apps existed.

There is a version of this problem in the enterprise context too. Companies are increasingly offering mental health apps as employee benefits. The employer-provided wellness app that an employee uses to manage stress or track their mood creates a data trail that, depending on the app's data practices and the employer's relationship with the vendor, might or might not be kept private from the employer. Even if the data is technically protected by contract, the employee who does not read the terms of service does not know what they agreed to. This is the privacy paradox playing out in a high-stakes context: people share information about their mental health because the perceived benefit of support outweighs the perceived risk of exposure, but they are often making that calculation without full information about the risk side.

The design tension here is real. A mental health app that collected no data would be worse at providing personalized support. Personalization requires data. The question is what data, retained for how long, shared with whom, under what governance, and with what transparency to the user. These are IS design questions, not just ethics questions, and they have answers that vary considerably across apps. The field needs better frameworks for evaluating mental health apps along both efficacy and governance dimensions, not just one or the other.


About the author

Ali Safari
PhD Student in IS, University of North Texas

Researching AI governance, trust in intelligent systems, and agentic AI. Writing while studying for comps.
