# Privacy & Data-Protection Analysis — Boojee Companion Care

**DRAFT — for legal review, not legal advice.** Prepared for review by qualified privacy counsel and a clinical/compliance director. Citations reflect law current as of **July 2026**. Nothing here should be read as a claim that the product *is* compliant; it is an assessment of *how compliance would be achieved* and where the exposures sit.

**Product in scope:** a wellness-tier conversational AI companion for older adults (`/companion-care/`) that (a) captures daily well-being check-ins, (b) administers validated screening instruments (UCLA-3 loneliness, PHQ-2, PHQ-9, GAD-7), (c) uses voice (Amazon Polly text-to-speech + browser/cloud speech recognition), (d) stores data in AWS (Lambda + DynamoDB, account 060276830882, us-east-1), and (e) can notify a designated caregiver and surface crisis resources (988 / 911). The data involved is **sensitive health data**, screens for depression/anxiety/suicidality, and involves **voice**, which raises biometric questions.

---

## 0. The core framing: are we HIPAA or not?

The single most important classification decision is whether Companion Care handles **Protected Health Information (PHI) under HIPAA** or **consumer health data outside HIPAA**. This drives everything downstream. The two are **mutually exclusive at the data level but the product can straddle both** depending on the go-to-market.

### 0.1 HIPAA applies only to Covered Entities and Business Associates

HIPAA does not regulate "health information." It regulates **who holds it**. The HIPAA Rules apply only to (1) **Covered Entities** — health plans, health-care clearinghouses, and health-care providers who transmit health information electronically in connection with a HIPAA standard transaction — and (2) their **Business Associates**. HHS and the FTC are explicit that health information maintained by a party that is *neither* a covered entity nor a business associate is **not** governed by HIPAA — *even if the information originated from a covered entity.* ([HHS/FTC joint guidance](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-ftc-act/index.html); [FTC business guidance](https://www.ftc.gov/business-guidance/resources/collecting-using-or-sharing-consumer-health-information-look-hipaa-ftc-act-health-breach)).

### 0.2 Where does Companion Care fall? Three fact-patterns

**(A) Consumer-wellness / direct-to-consumer (default posture today).** A senior (or their family) signs up and pays Boojee directly; Boojee is not delivering care on behalf of a provider or plan and is not conducting HIPAA standard transactions. In this posture Boojee is **neither a covered entity nor a business associate — HIPAA does not apply.** Fitness trackers, diet apps, and consumer mental-health apps sit here. ([FTC: "Many companies that collect health information aren't covered by HIPAA"](https://www.ftc.gov/business-guidance/resources/collecting-using-or-sharing-consumer-health-information-look-hipaa-ftc-act-health-breach).) **This does not mean "no rules" — it means the FTC Act, the FTC Health Breach Notification Rule, and the state consumer-health-data laws (MHMDA, Nevada SB370, CCPA sensitive-data, etc.) govern instead.** See §2–§4. This is the regime that actually bites us.

**(B) Business Associate (payer/provider channel).** If Boojee contracts with a health plan, ACO, Medicare Advantage plan, hospital, home-health agency, or similar covered entity to deliver check-ins/screenings *on that entity's behalf* and receives/creates PHI for them (the `INSURANCE-VALUE-BLUEPRINT.md` and `/payers/` path point in this direction), Boojee becomes a **Business Associate**. A signed **Business Associate Agreement (BAA)** with the covered entity is then mandatory before any PHI flows, and Boojee owes the Security Rule, applicable Privacy Rule provisions, and the Breach Notification Rule directly. Boojee must in turn have a **BAA with AWS** (subcontractor BA) — the backend config already flags `baa_status: NOT_EXECUTED`, so this is a live gap.

**(C) Both at once.** If Boojee acts as a BA for covered-entity clients **and** offers the same service direct-to-consumer as a personal health record, it can be subject to *both* the HHS Breach Notification Rule (for the PHI it holds as a BA) *and* the FTC Health Breach Notification Rule (for the consumer PHR side). ([FTC guidance](https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0).)

**Recommendation:** Segregate the two channels architecturally and contractually. Treat the consumer channel as a non-HIPAA "PHR / connected health app" and build to the FTC HBNR + state consumer-health-data laws. For any payer/provider channel, gate it behind an executed BAA (with the client *and* with AWS) and a documented HIPAA Security Rule program. **Do not represent the consumer product as "HIPAA compliant"** — that phrasing is both inaccurate for the DTC posture and an FTC deception risk.

---

## 1. HIPAA track (only if/when acting as a Business Associate)

Trigger: a signed BAA with a covered-entity client. Then the following apply to the PHI Boojee creates/receives/maintains for that client.

### 1.1 BAA requirements
- Written BAA with each covered-entity client (45 CFR §164.504(e)) and a **downstream BAA with AWS** and any other subcontractor that touches PHI. AWS offers a BAA via **AWS Artifact**; Lambda and DynamoDB are HIPAA-eligible services. ([HIPAA Journal — BAA 2026 update](https://www.hipaajournal.com/hipaa-business-associate-agreement/).) *Status: not executed — blocker for the payer channel.*
- BAA must specify permitted uses/disclosures, safeguards, breach reporting up-chain, return/destruction on termination, and flow-down to subcontractors.

### 1.2 Security Rule (45 CFR §164.302–318)
Administrative, physical, and technical safeguards: risk analysis, access controls, unique user IDs, audit controls, integrity controls, transmission security (TLS), and encryption at rest/in transit (addressable but effectively expected). The DynamoDB tables (`checkins`, `screenings`, `alerts`, `consent`, `audit`) must be encrypted at rest (KMS), access-scoped by IAM least-privilege, and access-logged.

### 1.3 Privacy Rule + Minimum Necessary
As a BA, Boojee may use/disclose PHI only as the BAA and Privacy Rule permit, and must apply the **minimum-necessary** standard — collect and expose only the data needed for the check-in/screening/alert purpose. The outcome reports to payers/clinicians should be **de-identified or minimum-necessary**, not raw transcripts.

### 1.4 Breach Notification Rule (45 CFR §164.400–414)
A breach of unsecured PHI requires notice **without unreasonable delay and no later than 60 days** from discovery to affected individuals (as a BA, up-chain to the covered entity, who notifies individuals/HHS/media). Breaches ≥500 residents of a state trigger media + prompt HHS notice. Apply the **4-factor risk assessment** to determine whether an impermissible use/disclosure is a reportable breach. ([Accountable — 18-identifier Safe Harbor + 4-factor test](https://www.accountablehq.com/post/the-hipaa-formula-simplified-18-identifier-safe-harbor-4-factor-breach-test).)

### 1.5 De-identification (relevant to payer analytics + labs)
Two lawful routes to strip data of PHI status: **Safe Harbor** (remove the 18 enumerated identifiers + no actual knowledge of re-identifiability) or **Expert Determination** (a qualified statistician certifies re-identification risk is "very small"). Once properly de-identified, data is no longer PHI and falls outside the Privacy/Security/Breach rules — the correct basis for aggregate outcome dashboards. ([Censinet — Safe Harbor vs Expert Determination](https://censinet.com/perspectives/safe-harbor-vs-expert-determination-phi).) **Caution:** de-identification for HIPAA does **not** exempt data from MHMDA/CCPA, which use their own (stricter, harder-to-meet) de-identification/"deidentified data" standards.

---

## 2. FTC track (the default regime for the consumer product)

Because the DTC product is outside HIPAA, the FTC is the primary federal regulator.

### 2.1 FTC Act §5 — deception & unfairness
Section 5 prohibits **misleading** statements and **unfair** practices. Every privacy/marketing claim must be true and substantiated: do not say "HIPAA compliant," "medical-grade," "diagnoses," "secure/anonymous" beyond what is actually done, or misstate who sees the data. The FTC has brought enforcement (GoodRx, BetterHelp, Flo, Cerebral) against health apps that shared health data with advertisers contrary to their representations — directly analogous to a mental-wellness companion. Marketing and the privacy policy must match the code.

### 2.2 FTC Health Breach Notification Rule (HBNR) — **major exposure**
The HBNR applies to **vendors of personal health records (PHRs), PHR-related entities, and their third-party service providers that are NOT covered by HIPAA.** The FTC's **2024 amendments (final rule published May 30, 2024; effective July 29, 2024)** make explicit that **health apps and connected devices that draw health data from multiple sources are covered.** ([FTC final rule press release](https://www.ftc.gov/news-events/news/press-releases/2024/04/ftc-finalizes-changes-health-breach-notification-rule); [Federal Register](https://www.federalregister.gov/documents/2024/05/30/2024-10855/health-breach-notification-rule).)

Companion Care draws health data from multiple sources (user input, screening scores, voice, potentially device/health-app integrations), which is the fact-pattern the amendments target. Key obligations if covered:
- **"Breach of security" now includes unauthorized *disclosures*, not just cyber-intrusions** — e.g., sending health data to an ad SDK/analytics/third party without authorization is itself a reportable "breach." ([Venable](https://www.venable.com/insights/publications/2024/07/final-changes-to-health-breach-notification).)
- Notify **affected individuals, the FTC, and (for ≥500 individuals) the media**.
- **Timing:** notify the FTC for breaches affecting **500+ individuals contemporaneously with individual notice, without unreasonable delay and no later than 60 calendar days** after discovery (tightened from the old 10-business-day framing). ([FTC](https://www.ftc.gov/news-events/news/press-releases/2024/04/ftc-finalizes-changes-health-breach-notification-rule).)
- Expanded notice **content** and modernized (e.g., electronic) **delivery**.
- Penalties accrue per-violation-per-day under the FTC's civil penalty authority.

**Practical takeaway:** the HBNR converts "we quietly shared wellness data with a tracker/analytics vendor" into a federally reportable breach. **No advertising/marketing trackers or third-party analytics SDKs that receive health data should touch the companion surfaces.** This is both an HBNR and an MHMDA issue.

---

## 3. State consumer-health-data laws — the largest exposure

These laws were written for exactly this product (non-HIPAA apps handling health/mental-health data) and two of them carry teeth beyond an AG action.

### 3.1 Washington My Health My Data Act (MHMDA) — RCW 19.373 — **highest-risk statute**
Effective **March 31, 2024** (geofencing ban since **July 23, 2023**). Applies to any "regulated entity" that collects/processes/shares/sells **consumer health data** and does business in WA or targets WA residents. ([RCW 19.373](https://app.leg.wa.gov/RCW/default.aspx?cite=19.373&full=true); [IAPP overview](https://iapp.org/resources/article/washington-my-health-my-data-act-overview); [Goodwin](https://www.goodwinlaw.com/en/insights/publications/2024/03/alerts-technology-hltc-my-health-my-data-act-mhmda).)

- **Very broad definition of "consumer health data":** personal information that identifies a consumer's past/present/future physical or mental health status — explicitly including **mental-health data, biometric data, precise location that could indicate an attempt to receive health services, and data *inferred* from non-health data.** Our mood/loneliness/depression/anxiety data, screening scores, crisis flags, and voice sit squarely inside this. "Consumer" excludes data in an employment context but includes ordinary users.
- **Consent architecture (two separate consents):**
  - **Consent** (opt-in, GDPR-grade, freely given, specific, informed) is required to **collect or share** consumer health data beyond what is strictly necessary to provide the product the consumer asked for.
  - **Separate, distinct "authorization"** is required to **sell** consumer health data (a valid MHMDA authorization has specific statutory content and a ≤1-year term). Practically: **do not sell consumer health data at all** — the authorization bar is high and reputationally toxic here.
  - Consent must be **separate and distinct** from other terms — you cannot bundle it into a general ToS click. This drives our separate Care-Mode informed-consent flow.
- **Consumer rights:** right to confirm collection/sharing, to a **list of third parties/affiliates** the data is shared with, to **withdraw consent**, and to **delete** consumer health data (including having the entity notify downstream recipients).
- **Geofencing ban:** may not use a **geofence (≤2,000 ft)** around any in-person health-care facility to identify/track consumers, collect their health data, or send targeted messages/ads. Our product uses **no geofencing** — keep it that way and document the negative.
- **Privacy policy:** a **separate, dedicated "Consumer Health Data Privacy Policy"** linked prominently from the homepage, disclosing the categories collected, sources, purposes, categories shared, and how to exercise rights.
- **Data minimization / access controls:** restrict internal access to consumer health data to what's necessary; contractually bind processors.
- **ENFORCEMENT — this is the exposure:** MHMDA has a **private right of action** via the WA Consumer Protection Act, in addition to AG enforcement (civil penalties up to **$7,500/violation**). The **first class actions were filed in 2025.** ([Baker — private right of action](https://www.bakerdatacounsel.com/blogs/examining-the-private-right-of-action-in-washingtons-my-health-my-data-act/); [Cooley — enforcement risk](https://cdp.cooley.com/washington-states-my-health-my-data-act-faq-part-three-enforcement-risks-2/).) Because *any* violation can support a claim and health data is per se sensitive, MHMDA is our **top litigation risk**. Design decisions (separate consent, no sale, no trackers, honest sharing list, working deletion) are effectively MHMDA controls.

### 3.2 Nevada SB370 (NRS 603A.400 et seq.) — consumer health data
Effective **March 31, 2024**. Structurally similar to MHMDA: protects **consumer health data outside HIPAA**; requires **affirmative, voluntary consent** to collect/share and separate consent to sell; requires a **conspicuous consumer-health-data privacy policy** (categories + sources + purposes + sharing); grants rights to know, to a list of third parties, to **delete**, and to **withdraw consent**; **bans geofencing** around medical facilities. **No private right of action** — enforced by the Nevada AG as a deceptive trade practice, civil penalties up to **$5,000/violation**. ([Bass Berry](https://www.bassberry.com/news/nevada-consumer-health-data-law-takes-effect-on-march-31-2024/); [Epstein Becker Green](https://www.healthlawadvisor.com/nevada-joins-washington-and-connecticut-to-protect-consumer-health-data-privacy).) A single compliant consumer-health-data consent + policy design satisfies both WA and NV.

### 3.3 Connecticut (CTDPA health-data amendments) & the trend
Connecticut amended its comprehensive law to add **consumer-health-data** provisions (consent to process, geofencing ban) effective 2023–2024, mirroring the WA/NV pattern; more states are following. Build to the strictest common denominator (WA/MHMDA).

---

## 4. Comprehensive state privacy laws (CCPA/CPRA + ~20 states)

Independent of the health-data statutes, ~20 states now have comprehensive consumer-privacy laws in effect (2026). ([Recording Law state guide](https://www.recordinglaw.com/us-laws/data-privacy-laws/); [State of Surveillance 2025–26](https://stateofsurveillance.org/articles/government/state-privacy-laws-2025-2026-guide/).) Common-denominator obligations if thresholds are met:

### 4.1 California CCPA/CPRA — Sensitive Personal Information (SPI)
Health/mental-health information is **Sensitive Personal Information**. Consumers have the rights to **know/access, delete, correct, opt out of sale/share, and to limit use of sensitive data**, plus non-discrimination for exercising rights. ([CA AG — CCPA](https://oag.ca.gov/privacy/ccpa); [CPPA FAQ](https://cppa.ca.gov/faq.html).)
- **Notice at Collection** at or before collection: categories collected, purposes, retention period, whether sold/shared.
- **Do not "sell" or "share" (cross-context behavioral advertising)** SPI — no ad trackers on companion surfaces; honor Global Privacy Control opt-out signals.
- **Right to Limit Use of Sensitive PI** — offer a mechanism.
- **Data-minimization, purpose-limitation, retention disclosure** are required.
- **2026 CPPA regulations** (effective Jan 1, 2026) add **ADMT (automated decision-making)**, **risk-assessment**, and **cybersecurity-audit** requirements — relevant because the AI companion makes automated determinations (crisis flags, alert triggers). ([Jackson Lewis](https://www.jacksonlewis.com/insights/navigating-california-consumer-privacy-act-30-essential-faqs-covered-businesses-including-clarifying-regulations-effective-1126).) Assess whether crisis-flagging is "ADMT" requiring notice + opt-out/appeal.

### 4.2 Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Oregon, Montana, others
Common denominators:
- **Opt-in consent to process "sensitive data"** (which includes mental/physical health-condition data) — this aligns with the MHMDA/NV consent design.
- **Rights** to access, correct, delete, portability, and opt-out of targeted advertising / sale / certain profiling.
- **Data Protection Assessment / risk assessment** required for processing sensitive data and for targeted advertising/profiling. Companion Care should have a written **DPIA/DPA** on file.
- **Contracts with processors** (AWS, any vendor) with prescribed terms.
- **Reasonable data security** and purpose/collection minimization.

**Net:** the consumer product should treat all health signals as sensitive data requiring **opt-in consent, a DPIA, no targeted-ad sale/sharing, honored access/delete/correct rights, and processor contracts** — which simultaneously satisfies the comprehensive-law common denominator and much of MHMDA.

---

## 5. Biometric law — is voice a biometric identifier here? (analyze honestly)

The companion **uses voice**: Amazon Polly (text-to-speech *output*, not biometric) and **speech recognition (voice *input*)**. The legal question is narrow: **do we create, store, or use a *voiceprint* — a mathematical representation of vocal characteristics used to identify a person?** or do we merely **transcribe speech to text** and discard the audio?

### 5.1 Illinois BIPA (740 ILCS 14) — **strict, private right of action**
BIPA regulates **biometric identifiers** — retina/iris scans, fingerprints, **voiceprints**, hand/face geometry — and derived "biometric information." ([ABA overview](https://www.americanbar.org/groups/tort_trial_insurance_practice/resources/tortsource/2024-fall/biometric-information-privacy-act/); [Recording Law — BIPA](https://www.recordinglaw.com/us-laws/data-privacy-laws/bipa/).)
- Requirements when a voiceprint *is* collected: **written policy + retention/destruction schedule**, **informed written consent (release) before collection**, **no sale/profit** from biometrics, disclosure limits, and **reasonable security**.
- **Damages:** **$1,000 per negligent** and **$5,000 per reckless/intentional** violation, **with a private right of action** — the reason BIPA drives massive class actions.
- **2024 amendment (SB 2979, signed Aug 2, 2024):** a repeated collection/disclosure of the *same* biometric from the *same* person by the *same* method is a **single violation / single recovery** (limiting per-scan multiplication), and **"written release" now includes electronic signature**. The Seventh Circuit held the damages limitation applies **retroactively**. ([Greenberg Traurig](https://www.gtlaw.com/en/insights/2024/8/bipa-update-illinois-limits-liability-and-clarifies-electronic-consent-for-biometric-data-collection); [Sidley Data Matters, Apr 2026](https://datamatters.sidley.com/2026/04/08/seventh-circuit-limits-potential-damages-under-bipa-holds-2024-amendment-applies-retroactively/).) This reduces but does **not** eliminate exposure — a single $1,000–$5,000 award × class size is still severe.

### 5.2 Texas CUBI (Tex. Bus. & Com. Code §503.001) and Washington (RCW 19.375)
Both regulate biometric identifiers including **voiceprints**, require **notice + consent before capture for a commercial purpose**, limit retention, and require reasonable care. **Enforcement is AG-only (no private right of action)**, so litigation risk is lower than BIPA, but the compliance duties are similar.

### 5.3 Honest posture and how to stay clear
The safe, defensible design is **speech-to-text only, no voiceprint**:
- **Do not enroll, extract, store, or match voiceprints / speaker-recognition templates.** Use speech recognition solely to transcribe words; do not use vocal biometrics to *identify or authenticate* the user.
- **Discard raw audio** as soon as transcription completes (or don't retain audio server-side at all); retain only the text needed for the check-in/screening.
- **Document, in the policy and a DPIA, that no biometric identifier is created** — this is the factual basis for taking the position that BIPA/CUBI/WA biometric duties are not triggered. (Counsel should confirm; some plaintiffs argue that any voice processing implicates BIPA — the transcription-only, no-voiceprint, audio-discarded design is the strongest defense.)
- **If** the product ever adds **voice-based user identification/authentication** or emotion/health inference *from vocal characteristics* (e.g., vocal biomarkers of depression), that **does** create a biometric identifier — then full BIPA-grade written policy + retention schedule + prior written (e-signature OK) consent + no-sale is mandatory **before launch**, and MHMDA's biometric-data provisions also attach.

**Recommendation:** obtain **biometric-style written consent anyway** (belt-and-suspenders) in the enrollment agreement covering voice processing, state plainly that no voiceprint is retained, and hard-code short audio retention. Cheap insurance against the strict-liability BIPA regime.

---

## 6. GDPR / UK GDPR (only if EU/UK data subjects)

If the service is offered to or monitors EU/UK residents, GDPR/UK GDPR applies. Health data is **special-category data (Art. 9)**, whose processing is prohibited unless an Art. 9(2) condition is met.
- **Lawful basis:** an Art. 6 basis (contract/consent) **plus** an Art. 9 condition — for a consumer wellness product the realistic condition is **explicit consent (Art. 9(2)(a))**, which must be **expressly stated** (written/e-signed declaration or clearly recorded), specific, and separate. ([gdpr-info Art. 9](https://gdpr-info.eu/art-9-gdpr/); [ICO special-category data](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/special-category-data/what-are-the-rules-on-special-category-data/).)
- **DPIA (Art. 35)** is **required** — large-scale special-category processing and evaluation/scoring of individuals both trigger a mandatory DPIA. ([Secure Privacy Art. 9 2026 guide](https://secureprivacy.ai/blog/gdpr-article-9-special-categories-lawful-processing-and-compliance-guide-2026).)
- **Data-subject rights:** access, rectification, erasure, restriction, portability, objection, and rights re: automated decision-making (Art. 22 — the crisis-flag/alert automation may implicate this).
- **Other:** records of processing (Art. 30), Art. 28 processor contract with AWS, **cross-border transfer** mechanism (SCCs / adequacy) for US storage, breach notice to the supervisory authority **within 72 hours**, and possibly an **EU/UK representative** and DPO.

**Recommendation:** if not launching in the EU/UK yet, **geo-restrict signups** and state a US-only scope; revisit before any EU/UK launch. Much of the Art. 9-consent + DPIA design overlaps with the MHMDA/state work already required.

---

## 7. Cross-cutting: security, breach timing, retention, cross-border, de-identification

### 7.1 Data security expectations (all regimes)
"Reasonable" administrative/technical/physical safeguards are the floor across FTC, MHMDA, state comprehensive laws, and (if applicable) HIPAA Security Rule. Concretely: **encryption in transit (TLS) and at rest (KMS), IAM least-privilege, an append-only audit log, MFA on admin access, network isolation, secrets in Secrets Manager (not code), logging/monitoring, and a written incident-response plan.**

### 7.2 Breach-notification timelines (quick reference)
- **FTC HBNR (non-HIPAA):** individuals + FTC without unreasonable delay, **≤60 days**; media for ≥500; **unauthorized disclosure counts as a breach**.
- **HIPAA (if BA):** ≤60 days; report up-chain to covered entity; media/HHS thresholds at 500.
- **State breach laws (all 50):** notify affected residents (often "most expedient time possible / without unreasonable delay"; several states set 30–60-day outer limits); several require AG notice.
- **GDPR:** supervisory authority **within 72 hours**; affected individuals without undue delay if high risk.
Maintain a single incident-response runbook that satisfies the **shortest** applicable clock and the **broadest** notice content.

### 7.3 Retention & minimization
Collect only what the check-in/screening/alert needs (minimum necessary / data minimization). Set explicit **retention periods with automated deletion** — DynamoDB **TTL** on records is the mechanism. Disclose the retention period (CCPA requires it). **Discard raw voice audio quickly.** Honor deletion requests end-to-end, including downstream recipients (MHMDA/NV).

### 7.4 Cross-border
US-only for now → state that. If EU/UK later, implement SCCs + transfer-impact assessment for AWS US-region storage.

### 7.5 De-identification standards differ by regime
HIPAA Safe Harbor/Expert Determination ≠ CCPA "deidentified"/aggregate ≠ MHMDA. **De-identifying for HIPAA does not exempt data from MHMDA/CCPA.** Payer/labs analytics should be built on data de-identified to the **strictest** applicable standard and contractually barred from re-identification.

---

## 8. Special populations — older adults, capacity, and surrogate/caregiver consent

The target users are **older adults**, some of whom may have **diminished decisional capacity** (cognitive impairment is common with acute illness and in dementia populations). This raises consent-validity and elder-protection issues beyond ordinary privacy law. ([JAGS 2026 — consent for older adults who may lack capacity](https://agsjournals.onlinelibrary.wiley.com/doi/10.1111/jgs.70473?af=R); [UCSF HRPP — decisional capacity](https://irb.ucsf.edu/enrolling-individuals-cognitive-impairments-and-assessing-decisional-capacity).)

- **Capacity to consent:** valid consent requires the person understand what data is collected, the caregiver-notification/crisis-escalation, and that this is wellness support, not medical care. Use **plain language, large type, teach-back-friendly phrasing, voice read-aloud**, and allow re-consent/withdrawal at any time.
- **Surrogate / caregiver consent:** where an older adult lacks capacity, a **legally authorized representative** (health-care proxy, agent under a durable/health-care power of attorney, guardian/conservator) may be needed. Surrogates should apply **substituted judgment**. The definition of an authorized surrogate is **state-law-specific** — do not assume a family "caregiver" is legally authorized. Capture the surrogate's authority basis and relationship.
- **Elder-protection overlay:** be alert to elder-abuse/exploitation and undue-influence concerns; caregiver access to sensitive mental-health data must be **scoped, consented, and revocable**, not a backdoor for a controlling family member. Consider limiting what the caregiver dashboard exposes (alerts/trends, not raw transcripts).
- **Crisis handling:** the 988/911 escalation is protective but must be **disclosed in consent** and must not be marketed as an emergency-response service (it is not — see ToS and the regulatory dossier's crisis-duty analysis).
- **Do not treat capacity as a checkbox:** document a simple capacity/eligibility gate and a surrogate-consent path.

---

## 9. Summary of exposures (ranked)

1. **Washington MHMDA** — private right of action + class actions already filed; our mental-health + voice data is squarely "consumer health data." Requires separate opt-in consent, dedicated consumer-health-data policy, no sale, honest sharing list, working deletion, no geofencing. **Top risk.**
2. **Illinois BIPA (voice)** — strict, private right of action, statutory damages. Mitigated by a transcription-only / no-voiceprint / discard-audio design + belt-and-suspenders written consent. Becomes severe if voice ID or vocal biomarkers are ever added.
3. **FTC Health Breach Notification Rule** — the 2024 amendments cover exactly this kind of app; an unauthorized disclosure to any tracker/analytics vendor is itself a reportable federal breach. Drives the "no ad/analytics trackers on companion surfaces" rule.
4. **FTC Act §5 deception** — any "HIPAA compliant," "diagnoses," "secure/anonymous," or "answers every call"-style overstatement is an enforcement hook. Marketing must match the code.
5. **State comprehensive laws (CA CCPA/CPRA + ~20 states)** — sensitive-data opt-in, notice-at-collection, delete/access/correct, no ad-sale/sharing, DPIA, processor contracts, 2026 ADMT rules for automated crisis-flagging.
6. **Nevada SB370** — AG-only but same consent/policy/deletion/geofencing design as MHMDA.
7. **HIPAA (payer channel only)** — needs BAAs (client + AWS, currently `NOT_EXECUTED`) and a Security Rule program before any PHI flows.
8. **GDPR/UK GDPR** — only if EU/UK; Art. 9 explicit consent + DPIA + 72-hr breach + transfers. Geo-restrict until ready.
9. **Elder capacity / surrogate consent** — validity of consent and elder-protection; needs a capacity gate + surrogate path + scoped caregiver access.

---

### Sources
- HHS/FTC, *Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule* — https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-ftc-act/index.html and https://www.ftc.gov/business-guidance/resources/collecting-using-or-sharing-consumer-health-information-look-hipaa-ftc-act-health-breach
- FTC, *Complying with the Health Breach Notification Rule* — https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0
- FTC, *FTC Finalizes Changes to the Health Breach Notification Rule* (Apr 26, 2024) — https://www.ftc.gov/news-events/news/press-releases/2024/04/ftc-finalizes-changes-health-breach-notification-rule
- Federal Register, *Health Breach Notification Rule* (May 30, 2024) — https://www.federalregister.gov/documents/2024/05/30/2024-10855/health-breach-notification-rule
- Venable, *Final Changes to Health Breach Notification* — https://www.venable.com/insights/publications/2024/07/final-changes-to-health-breach-notification
- HIPAA Journal, *HIPAA Business Associate Agreement — 2026 Update* — https://www.hipaajournal.com/hipaa-business-associate-agreement/
- Accountable, *HIPAA 18-Identifier Safe Harbor + 4-Factor Breach Test* — https://www.accountablehq.com/post/the-hipaa-formula-simplified-18-identifier-safe-harbor-4-factor-breach-test
- Censinet, *Safe Harbor vs. Expert Determination for PHI* — https://censinet.com/perspectives/safe-harbor-vs-expert-determination-phi
- RCW 19.373 (My Health My Data Act) — https://app.leg.wa.gov/RCW/default.aspx?cite=19.373&full=true
- IAPP, *Washington's My Health My Data Act* — https://iapp.org/resources/article/washington-my-health-my-data-act-overview
- Goodwin, *Washington's MHMDA Comes Into Force* — https://www.goodwinlaw.com/en/insights/publications/2024/03/alerts-technology-hltc-my-health-my-data-act-mhmda
- Baker, *Examining the Private Right of Action in MHMDA* — https://www.bakerdatacounsel.com/blogs/examining-the-private-right-of-action-in-washingtons-my-health-my-data-act/
- Cooley, *MHMDA FAQ Part Three — Enforcement Risks* — https://cdp.cooley.com/washington-states-my-health-my-data-act-faq-part-three-enforcement-risks-2/
- Bass Berry, *Nevada Consumer Health Data Law Takes Effect Mar 31 2024* — https://www.bassberry.com/news/nevada-consumer-health-data-law-takes-effect-on-march-31-2024/
- Epstein Becker Green, *Nevada Joins Washington and Connecticut* — https://www.healthlawadvisor.com/nevada-joins-washington-and-connecticut-to-protect-consumer-health-data-privacy
- CA AG, *CCPA* — https://oag.ca.gov/privacy/ccpa ; CPPA FAQ — https://cppa.ca.gov/faq.html
- Jackson Lewis, *Navigating CCPA — 2026 regulations (ADMT/risk assessment/cyber audits)* — https://www.jacksonlewis.com/insights/navigating-california-consumer-privacy-act-30-essential-faqs-covered-businesses-including-clarifying-regulations-effective-1126
- Recording Law, *Data Privacy Laws by State (2026)* — https://www.recordinglaw.com/us-laws/data-privacy-laws/
- Greenberg Traurig, *BIPA Update — SB 2979 (2024)* — https://www.gtlaw.com/en/insights/2024/8/bipa-update-illinois-limits-liability-and-clarifies-electronic-consent-for-biometric-data-collection
- Sidley Data Matters, *Seventh Circuit Limits BIPA Damages — Retroactive (Apr 2026)* — https://datamatters.sidley.com/2026/04/08/seventh-circuit-limits-potential-damages-under-bipa-holds-2024-amendment-applies-retroactively/
- ABA, *The Biometric Information Privacy Act* — https://www.americanbar.org/groups/tort_trial_insurance_practice/resources/tortsource/2024-fall/biometric-information-privacy-act/
- Recording Law, *BIPA Explained (740 ILCS 14)* — https://www.recordinglaw.com/us-laws/data-privacy-laws/bipa/
- GDPR Art. 9 — https://gdpr-info.eu/art-9-gdpr/ ; ICO special-category data — https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/special-category-data/what-are-the-rules-on-special-category-data/
- Secure Privacy, *GDPR Article 9 Special Categories (2026)* — https://secureprivacy.ai/blog/gdpr-article-9-special-categories-lawful-processing-and-compliance-guide-2026
- JAGS 2026, *Designing Consent Processes for Older Adults Who May Lack Decisional Capacity* — https://agsjournals.onlinelibrary.wiley.com/doi/10.1111/jgs.70473?af=R
- UCSF HRPP, *Assessing Decisional Capacity* — https://irb.ucsf.edu/enrolling-individuals-cognitive-impairments-and-assessing-decisional-capacity
