Montana has expanded its Uniform Health Care Information Act to include mental health digital service platforms, requiring them to comply with state privacy and security standards starting October 1, 2025.
The Montana Legislature passed House Bill 397, updating the state's Uniform Health Care Information Act to include "mental health digital service" platforms under its privacy and security requirements. The Act already creates standards for privacy and security of health care information maintained by Montana health care providers. This expansion means that mobile-based applications and internet websites that collect mental health or substance use disorder information, market mental health services, and use that information to facilitate treatment will now be subject to the same standards as traditional healthcare providers. The new requirements take effect October 1, 2025. Companies such as management services organizations that offer web or mobile platforms through which licensed therapists provide online counseling and therapy services to patients will likely fall within the scope of the expanded Act.
The Act defines "mental health digital service" broadly as platforms that:
The Act requires compliance with various privacy and security standards similar to HIPAA, including adopting reasonable safeguards for security, prohibiting disclosure without written authorization (with limited exceptions), maintaining disclosure records, following specific processes for patient requests to examine or amend information, and providing immunity for authorized disclosures. However, the Act only applies to providers not already subject to HIPAA privacy provisions.
House Bill 397 states that "a mental health digital service is subject to the disclosure and confidentiality provisions of Title 50, chapter 16, part 5, when handling health care information as defined in 50-16-504 on behalf of an individual." The bill defines a mental health digital service as a platform that "collects, obtains, uses, possesses, or accesses information related to an individual's inferred or diagnosed mental health or substance use disorder."
The Uniform Health Care Information Act creates standards for privacy and security of health care information maintained by Montana health care providers. Mental health digital service platforms include mobile applications and websites that collect mental health information and facilitate treatment services. The Act's requirements are similar to federal HIPAA standards but apply specifically to providers not already covered by HIPAA.
This expansion addresses the growing use of digital mental health platforms and apps that collect sensitive mental health data but may fall outside traditional healthcare privacy protections. Many mental health apps and digital platforms operate without the same privacy safeguards as traditional healthcare providers, creating potential gaps in protection for users' sensitive mental health information. By bringing these platforms under Montana's healthcare privacy law, the state ensures that individuals using digital mental health services receive the same privacy protections as those receiving traditional healthcare services. This matters particularly because mental health information is highly sensitive, and users of digital platforms may not realize their data lacks the same protections as information shared with traditional healthcare providers.
Mental health digital service providers operating in Montana should assess whether they fall under the new requirements and evaluate their current privacy and security practices for compliance before the October 1, 2025 effective date. Platforms may face monetary damages up to $5,000 plus actual losses for willful or grossly negligent violations.
Yes, if the app offers services to Montana residents or collects data from them, it falls under the law’s jurisdiction.
“Inferred” data includes behavioral patterns, responses, or metadata that suggest mental health or substance use conditions, even without a formal diagnosis.
If they collect or use mental health or substance use data to facilitate services, they may be covered even if they do not offer licensed therapy.
Enforcement may involve complaints, investigations, civil actions, and fines brought by state authorities or affected individuals.
The law specifically targets platforms not already subject to HIPAA, avoiding duplication but filling privacy gaps.