Is your AI health bot spilling your secrets? What to check in its privacy policy
AI health chatbots have become a go‑to tool for quick medical advice. They can answer questions about symptoms, suggest remedies, and even offer mental health support, all without an appointment. But a growing number of experts say that the privacy policies of these tools are often vague or incomplete—and that federal rules are not doing enough to protect your health data.
A recent investigation by Healthcare Brew examined privacy policies of several popular AI health bots and found that many lack clear statements on who owns user data, how long it is stored, and whether it is sold to third parties. The report also noted that current federal regulations, such as HIPAA, often do not apply because most of these bots are not considered “covered entities” under the law. This leaves users in a gray area where their sensitive health information may be treated more like a customer service log than a medical record.
What happened
The Healthcare Brew story highlighted that experts—including privacy researchers and consumer advocates—are calling out the opacity of these policies. For example, some bots state they “may share aggregated data” without specifying what “aggregated” means or whether individual conversations could be re‑identified. Others bury key details about data retention in long, legalistic documents that most users never read. The report cited a privacy researcher who noted that even when a policy claims to comply with HIPAA, the bot itself might not be covered if it is marketed as a general wellness tool rather than a medical device.
Federal guidance from the Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS) does exist, but it is often too broad or outdated to address the specific risks of conversational AI. The FTC has taken action against a few companies for deceptive privacy claims, but enforcement is sporadic. Meanwhile, HHS has issued guidelines on health data and AI, but these are not legally binding for many consumer‑facing chatbots.
Why it matters
When you type a question like “What might cause these chest pains?” into an AI health bot, you are sharing information that is highly personal and potentially stigmatizing. Unlike a visit to a doctor’s office, there is no guarantee of confidentiality. Your conversation might be used to train the model, shared with advertisers, or stored indefinitely in a cloud server that could be breached. If the policy is unclear, you cannot make an informed choice about whether to trust the tool.
The gap in federal rules means that many health bots fall into a regulatory blind spot: they are not subject to HIPAA because they are not operated by a health provider or health plan, and they are not necessarily covered by the FTC’s Health Breach Notification Rule if they do not directly collect “medical records.” This creates a situation where the most sensitive information you give can be handled with the same level of protection as a weather app query, when it should be treated with much more care.
What readers can do
Before you type your first symptom into a health chatbot, take a few minutes to check its privacy policy. Here are key things to look for:
- Data collection and sharing. Does the policy say exactly what information is collected (including conversations, device data, and location)? Does it mention selling or sharing data with third parties? Look for explicit statements, not phrases like “may share with affiliates.”
- Data retention. How long are your chats stored? Some policies state “for as long as necessary,” which is too vague. Better policies give a specific timeframe, such as 90 days, after which data is deleted or anonymized.
- Health vs. wellness classification. Is the bot marketed as a “medical device” or a “wellness tool”? If it is the latter, it likely does not have to follow HIPAA. Be especially cautious if it offers diagnostic advice—there is a big difference between “find a nearby pharmacy” and “suggest a treatment for a rash.”
- Opt‑out rights. Can you request deletion of your chat history? Is there a way to stop the bot from using your conversations to improve its model? Many policies allow this, but not all make it easy.
- Security measures. Does the policy describe encryption (in transit and at rest), access controls, and breach notification procedures? If it does not mention security at all, that is a red flag.
If the policy is unclear or missing these details, consider using a different tool—or avoid sharing identifiable information. Some experts recommend treating health bots like public text boxes: assume anything you type could become visible to others.
For a more thorough approach, you can search the website for “privacy policy” or “data processing” and read it before you start a conversation. If you are uncomfortable with what you find, stick with established telehealth services that are clearly covered by HIPAA and overseen by licensed professionals.
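The checklist above can be turned into a repeatable first-pass screen. The Python below is an added example written for this article, not a tool from Healthcare Brew or from any chatbot vendor: it runs simple keyword and regex checks for each checklist item (a concrete retention period, an explicit statement on selling data, a deletion right, an opt-out from model training, named security controls, and the wellness-versus-medical-device wording) and flags the vague phrases the article calls out. The two policy excerpts, the regex patterns and the 30-day-month / 365-day-year conversions are all constructed assumptions; a pass from this script is a reason to read the policy closely, not a substitute for doing so.

```python
import re

# Phrases the article singles out as too vague to act on (constructed regexes).
VAGUE_PATTERNS = {
    "unspecified affiliate sharing": r"may share[^.]{0,60}affiliates",
    "undefined 'aggregated' data": r"aggregated (?:data|information)",
    "unnamed 'trusted partners'": r"trusted partners",
    "open-ended retention": r"as long as (?:is )?necessary",
}

# Security controls a policy should describe (constructed regexes).
SECURITY_PATTERNS = {
    "encryption in transit": r"encrypt\w*[^.;]{0,40}in transit",
    "encryption at rest": r"encrypt\w*[^.;]{0,40}at rest",
    "access controls": r"access controls?",
    "breach notification": r"breach notif\w*|notif\w*[^.;]{0,40}breach",
}

# Assumed conversions for comparing retention periods.
_UNIT_DAYS = {"day": 1, "month": 30, "year": 365}

# Constructed sample policies: one vague, one that answers every checklist item.
VAGUE_POLICY = """
We may collect information you provide, including conversations.
We may share aggregated data with affiliates and trusted partners.
We keep your information for as long as necessary to provide the service.
"""

CLEAR_POLICY = """
We collect the text of your conversations, your device type and approximate location.
We do not sell your personal information to third parties.
Conversations are deleted 90 days after your last session.
You may request deletion of your chat history at any time from Settings.
You can opt out of having your conversations used to train or improve our models.
Data is encrypted in transit (TLS) and at rest; access controls restrict staff access;
we will notify you of a breach within 60 days.
This app is a wellness tool and is not a medical device.
"""


def find_retention_days(text):
    """Return the stated retention period in days, or None if no number is given."""
    m = re.search(
        r"(?:retain|retained|store|stored|keep|kept|deleted?)\D{0,40}?(\d+)\s*(day|month|year)s?",
        text, re.IGNORECASE)
    if not m:
        return None
    return int(m.group(1)) * _UNIT_DAYS[m.group(2).lower()]


def sells_data(text):
    """True if selling is admitted, False if explicitly denied, None if the policy is silent."""
    if re.search(r"(?:do not|don't|never|will not|won't) sell", text, re.IGNORECASE):
        return False
    if re.search(r"\b(?:sell|sold)\b", text, re.IGNORECASE):
        return True
    return None


def has_deletion_right(text):
    """Does the policy give users a way to have their chat history deleted?"""
    return bool(re.search(
        r"request(?:ing)? (?:the )?deletion|delete your (?:chat|conversation|data|information)|right to erasure",
        text, re.IGNORECASE))


def has_training_opt_out(text):
    """The opt-out and the training purpose must appear in the same sentence to count."""
    for sentence in re.split(r"[.;\n]", text):
        if (re.search(r"opt[- ]?out", sentence, re.IGNORECASE)
                and re.search(r"\b(?:train|improve)", sentence, re.IGNORECASE)):
            return True
    return False


def security_controls(text):
    """Which of the expected security controls does the policy actually name?"""
    return sorted(label for label, pat in SECURITY_PATTERNS.items()
                  if re.search(pat, text, re.IGNORECASE))


def classification(text):
    """'wellness tool', 'medical device', or None when the policy does not say."""
    if re.search(r"wellness (?:tool|app|product|service)", text, re.IGNORECASE):
        return "wellness tool"
    if re.search(r"medical device", text, re.IGNORECASE):
        return "medical device"
    return None


def vague_phrases(text):
    return sorted(label for label, pat in VAGUE_PATTERNS.items()
                  if re.search(pat, text, re.IGNORECASE))


def audit_policy(text):
    """Run every checklist item and attach a list of red flags to the findings."""
    findings = {
        "retention_days": find_retention_days(text),
        "sells_data": sells_data(text),
        "deletion_right": has_deletion_right(text),
        "training_opt_out": has_training_opt_out(text),
        "security": security_controls(text),
        "classification": classification(text),
        "vague_phrases": vague_phrases(text),
    }
    flags = []
    if findings["retention_days"] is None:
        flags.append("no concrete retention period")
    if findings["sells_data"] is not False:
        flags.append("does not rule out selling data")
    if not findings["deletion_right"]:
        flags.append("no way to request deletion")
    if not findings["training_opt_out"]:
        flags.append("no opt-out from model training")
    for missing in sorted(set(SECURITY_PATTERNS) - set(findings["security"])):
        flags.append(f"security not described: {missing}")
    for phrase in findings["vague_phrases"]:
        flags.append(f"vague wording: {phrase}")
    findings["red_flags"] = flags
    return findings


if __name__ == "__main__":
    for name, policy in (("vague", VAGUE_POLICY), ("clear", CLEAR_POLICY)):
        result = audit_policy(policy)
        print(f"{name}: {len(result['red_flags'])} red flag(s)")
        for flag in result["red_flags"]:
            print("  -", flag)
```

Run against the vague excerpt, the script reports twelve red flags (no retention period, silence on selling, no deletion right, no training opt-out, four unnamed security controls and four vague phrases); the clear excerpt yields none, with the "wellness tool" classification surfaced separately so the reader can apply the article's extra caution about diagnostic advice. Keyword matching cannot detect a policy that says the right words and does the wrong thing, which is why the result is a screening aid rather than a verdict.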
Sources
- Healthcare Brew article on AI health bot privacy policies and limited federal rules (June 2026).
- Federal Trade Commission (FTC) guidance on AI and health‑related claims.
- U.S. Department of Health and Human Services (HHS) Office for Civil Rights – Health Information Privacy and AI.
Note: Regulations and policies change. The information above reflects the state of affairs as of mid‑2026. Always verify the most current rules for any service you use.