The therapy company Headway has begun requiring online facial scans from clients of prescribing clinicians, and is planning to expand the practice, raising objections from clients and clinicians about the use of biometric data.

The new identity verification policy also includes scans of government identification papers like passports or driver’s licenses, which is not uncommon elsewhere. But the use of biometric data, the facial scan, is the policy that sparked new objections. The company said the policy would expand to encompass all clients and all “providers,” seeming to encompass all therapists and psychiatrists, who prescribe medications.

The move is significant as an example of the ways therapy practice management companies have expanded their reach to set policies or take on tasks that an individual therapist or group practice might previously have handled alone in their independent practice, or might object to. Therapists and psychiatrists already verify identities, using insurance cards and Social Security numbers, for example. But when they sign up with the practice management companies like Headway, Alma, Rula, Grow and others, they cede certain tasks to these companies, giving up autonomy in exchange for the companies’ pledge to manage the business of therapy — things like getting therapists credentialed with insurance companies and paying them promptly.

The Headway news takes place amid an ongoing national conversation about the collection of biometric data like facial and retina scans. Often when medical or other data is collected, the collector promises that it will be anonymized — but a facial scan cannot be anonymized.

“There is no need to capture such information in order to provide psychotherapy,” Linda Michaels, a PsyD and M.B.A. who is the chair and co-founder of the trade association the Psychotherapy Action Network and a psychologist in private practice in Chicago, wrote in an email. “It is not necessary in order to provide patient care, and does not benefit the patient or the therapist in any way. In fact, such a privacy intrusion may harm the treatment alliance or prevent people from seeking out care altogether.  

“It is a policy for the benefit of the practice management companies and their tech, insurance and finance partners. We have many examples already from other industries where the main goal is data capture and monetization of that data. This all comes at the expense of the person seeking help, who may be in a vulnerable or fragile state to begin with.”

In response to a query about the new policy, a Headway spokesperson emailed a statement saying: “Headway has recently started to enforce identity verification to part of our network. To clarify – today, we require identity verification for patients receiving prescriptions through Headway, as prescribers have a heightened obligation to confirm they are treating a verified patient before writing a prescription, and this process helps them meet that standard. It also protects patients by ensuring that prescriptions, medical records, and billing are tied to the right person.” The spokesperson dismissed concerns about privacy and patient and clinician objections to the new policy. (See full statement below.)

(If you have information to contribute on this or other topics, email jeanne@clearhealthcosts.com or call Signal 914-450-9499.)

Staged rollout

Explaining the policy, Headway said on its FAQ, dated May 6, that it saves “some data” (it doesn’t say what or where it is saved). One of Headway’s selling points is that all of its therapists and psychiatrists are covered by insurance, which makes it attractive to both clients and therapists, drawing therapists to sign up as Headway providers and thus avoid some of the cumbersome business aspects of therapy. Headway, like other practice management companies, has collected investments from private equity, venture capital and insurance-related investors like HCSC, the Blue Cross and Blue Shield affiliate.

Headway explains why it’s doing this: “Telehealth platforms have become targets for real, documented fraud — from stolen provider credentials and patients seeking controlled substances under borrowed identities, to increasingly sophisticated AI tools capable of impersonating real people on video calls. Identity verification helps prevent potential fraud, including stolen credentials, borrowed identities, med-seeking, and sophisticated AI tools and face filters.

“Once complete, you and your clients will have a tamper-proof identity record that supports you in any payer or regulatory audit.”

It said “identity verification for patients is rolling out in waves over the coming weeks, starting with patients of prescribers. We’ll notify you as this rollout progresses. Identity verification will also be required for all providers — you’ll receive a separate notification when it’s your turn.”

This passage seemed to be saying that patients of prescribing clinicians, and the prescribing clinicians, were first in line, but that all patients and all providers would eventually be required to verify. (We asked for confirmation but had not heard back by deadline. We will update when we hear.)

Headway is the subject of a class action suit accusing it of secretly sharing website visitors’ private data, including information about their mental health conditions, with Google.

Downstream effects

Michaels wrote that, in addition to immediate effects, downstream consequences of such data collection can also be significant: “Also well documented in other industries is what comes next. There are many dangers and ill-defined risks in how these data will be used, how they will be retained or secured, who will have access to them, how the data can be accessed, tracked or used over time.

“It’s a brazen over-reach by these companies, and it’s focused on helping companies surveil, target, track, and ultimately profit — at the expense of the patient and the clinician.”

In response to a question about the difference between a facial scan and a driver’s license or other ID, she wrote: “Driver’s license and ID make sense. Of course, the clinician wants and needs to know who they’re working with. They need to have emergency contact info for their patients, in case they’d need to notify someone in an emergency.

“But there is absolutely no valid clinical rationale for biometrics or facial ID. The only rationale is a commercial one.”

‘A red line for me’

A number of therapists speaking on Reddit forums expressed concern over the new Headway policy.

“I’ve already had a few clients who said they would not be doing it and you also cannot verify sessions until it’s done so it’s going to also cause a delay in getting paid. Sorry for the rant, it’s just been on my mind,” wrote one therapist in a Reddit thread, identifying herself as a licensed clinical social worker and mom.

There are several threads on the topic. Here’s a sampling of responses on this one thread:

“This is scary sh*t and I sent an email letting my clients know that if they wish to opt out, to please contact me.”

“I feel like this would be a red line for me. Absolutely not. I always refuse giving biometric data as it makes me incredibly uncomfortable. I agree with all your points here, hopefully you can find some resolution / way to avoid this.”

“Stopped therapy because of this. Kinda reinforcing my paranoia and conspiracy theories.”

“Headway is telling me I need to do this now or they will prevent me from having any further appointments even though I am not seeing a medication prescriber.”

“I just contacted the licensing board in my state and they do not require facial scanning for virtual therapy sessions. I plan to contact all the insurance companies I am credentialed with at Headway to see if they are aware and onboard with this. I am also contacting Fed govt to find out if it is a HIPPA [sic] violation to require a facial scan of a client. … This just smells like something more sinister like selling the data to a third party. … Headway told me if I don’t comply I will not be able to continue using their platform, neither will my clients.”

“The more I think about this, the more worried I get about the possibility of AI fraud. As clinicians, we don’t see any of the backend or billing from these companies. They interface on both sides, client and insurance, so there is no way any of us would know if they created an AI clone of us and billed in our name. They’d be the only entity interfacing with that client (we don’t even know they exist), and the only one interfacing with the insurance, so we wouldn’t have a chance to know we are billing extra. The incentive to do this on their part is crazy big, and there’s very little chance they get caught.”

Headway response

I asked Headway some specific questions: Had it heard objections on the part of clinicians and clients to this plan? Had it heard of clients stopping treatment, or clinicians leaving Headway, because of this policy? Is there a public data retention policy pertaining to such scans, and can it be sent to me? Are other practice management companies in the mental health sphere using a facial scan or other biometric data collection policy?

In response, the Headway spokesperson wrote, referring to identity verification as “IDV”:

  • “The response to IDV has been mostly positive from providers and patients. 
  • “Most providers and patients see identity verification as a key expectation and protection, because it gives them confidence that the person they’re working with is who they say they are. Providers, including our largest group practices, have told us they appreciate that Headway is taking this complexity off their plate and getting ahead of regulatory requirements rather than waiting and having to scramble with a less-than-ideal experience.
  • “Adoption has been smooth; completion rates are high and most providers and patients finish verification in under a minute.
  • “We have an obligation to protect patients, providers, and the healthcare system from fraud. IDV is an important part of making telehealth safe and trustworthy. 
  • “Identity verification is a standard safeguard in healthcare. When you visit a doctor’s office or pick up a prescription, you’re asked to show your ID — this is the telehealth equivalent of that same step with extra considerations for telehealth.
  • “For patients, IDV ensures that someone else cannot use a patient’s identity to obtain medications, accumulate medical debt, or corrupt their health records. It guarantees that the person seeking care is who they say they are.
  • “For providers (especially prescribers), IDV gives providers confidence they are treating verified patients. It protects them from being implicated in potential med-seeking, identity misuse, or fraudulent billing, and supports compliance with the licensing board and DEA requirements. It also protects them from fraud stemming from compromised NPI credentials.
  • “Not to mention that healthcare fraud costs an estimated $300 billion per year. Telehealth fraud specifically is a growing target for organized schemes.”

Regarding data security, the statement added that “We take data privacy and security extremely seriously, and patient data collected for verification is protected and only used for safety purposes” and “Identity verification is run through a HIPAA-compliant, SOC 2-certified platform” and “Identity data is stored in a centralized, encrypted, access-controlled record with detailed audit logs.” It added: “Our biometric data policy is publicly available here.”

The statement concluded:

  • “We’re committed to working with individuals for whom the standard process doesn’t work.
  • “Providers or patients who encounter a barrier (a name discrepancy, a technical issue, a circumstance where the standard flow isn’t workable) can contact Headway support directly. Our support and clinical operations teams work with individuals case by case to find a path forward. We want a solution that works for everyone.”

Trade group response

The PsiAN group that Michaels heads wrote a blog post on the topic, reading, in part:

“Identity verification for fraud prevention is not new in healthcare. Licensed psychotherapists and insurance payers have long used it for specific, regulated purposes, including controlled substance prescribing and insurance eligibility. What is new is a billing intermediary requiring facial geometry scans from every patient and every psychotherapist on its network, without exception, as a condition of continued access to care. …

“When biometric data is linked to mental health records, diagnoses, medication histories, and session notes, the combination creates a data profile that is genuinely alarming. It cannot be anonymized after the fact. It cannot be revoked. …

“Headway has contracted with Persona, a venture-backed identity technology company, to provide this biometric verification service. In February 2026, Persona became the subject of controversy after a security researcher discovered publicly exposed code from the company. As that article states, ‘deeper concerns arise about the source of the data. When users submit their IDs and selfies for verification on popular platforms, the data likely ends up being analyzed and resold for many other purposes.’

“Whatever assurances Headway offers about HIPAA-compliant processes, the involvement of a third-party technology vendor means patient biometric data now sits with an entity entirely outside the clinical relationship, one with its own data infrastructure, its own investors, and its own incentives. …

“This policy is especially dangerous for transgender clients, whose biometric identity records may not align with their legal name or gender documentation, creating exposure risks that extend well beyond a data breach. It is also dangerous for undocumented individuals, for survivors of stalking and domestic violence, and for anyone who sought care during a moment of acute vulnerability and trusted that the treatment relationship was a protected space. 

“Requiring a facial scan as a condition of mental health care does not just create abstract privacy risk. For specific, identifiable populations, it creates concrete, direct harm.”

In conclusion, PsiAN writes: “Psychotherapy Action Network is tracking this issue and will continue to speak publicly as it develops. …

“If you are a clinician currently using Headway or a similar platform, we encourage you to review the terms of your provider agreement, understand what biometric data you and your patients are being asked to provide, and consider what your ethical obligations are in the context of informed consent. Talk to your patients. Make sure they understand what they are agreeing to. Assess the risks and benefits of continuing to do business with Headway, for your patients and your practice.”

Other biometric concerns

There is growing concern about industry use of biometric data, and in the absence of a federal law controlling it, “23 states have now passed or expanded laws to restrict the mass scraping of biometric data, according to the National Conference of State Legislatures,” NPR reported in August 2025.

“Biometric privacy laws and regulations generally require businesses to track, inform employees or consumers of, and provide methods for employees or consumers to consent to, the collection of biometric information or biometric identifiers,” according to Bryan Cave Leighton Paisner LLP. “BCLP has been tracking enacted biometric privacy laws and proposed legislation across the United States.” It then lists existing laws and proposed bills introduced across the country about private sector companies’ collection or use of biometric data.

Illinois, Bryan Cave writes, requires “a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information.”

Washington state, Bryan Cave writes, has a law providing “that a person may not enroll a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.”

Other states and municipalities also have laws.

Stolen biometric data

The use of biometric information has had a complicated history. The AI facial recognition platform Clearview AI sparked controversy when it compiled massive facial-scan databases by scraping photos from social media platforms and other places on the internet, then using the scans to train machine learning algorithms. In a 2022 legal settlement with the American Civil Liberties Union, Clearview AI agreed to stop selling access to its tool to private businesses, but Clearview was not banned from working with law enforcement. The Clearview facial recognition tool mistakenly matched a Tennessee grandmother with a bank fraud suspect in North Dakota, which sent the Tennessee woman to prison for 5 months, causing her to lose her home, income, car and health insurance, Mashable reported.

Recently Discord had an age verification policy relying on mandatory face scans and government-style ID checks. This age verification data was breached in October 2025, when hackers stole government IDs of 70,000 users from a third-party service that Discord used to verify ages in the United Kingdom and Australia.

“Discord is hitting the brakes on its controversial global age assurance rollout after a firestorm of user backlash over privacy nightmares and forced ID uploads,” VP.net wrote in March 2026, “with CEO Jason Citron owning up to the botched messaging in a candid blog post. ‘We knew this rollout was going to be controversial. Any time you introduce something that touches identity and verification, people are going to have strong feelings. Rightfully so,’ Citron confessed, revealing how vague plans fueled panic that every user would face mandatory face scans or government-style ID checks….

“Critics slammed the setup as a Big Tech data grab masquerading as teen protection … while Citron admitted industry skepticism is ‘earned’ amid fears of breaches and misuse. Marginalized communities raised alarms over real-world risks from identity-linked systems, proving even ‘trust us’ promises can’t quell the revolt.”

But despite the controversy, Discord started up again: Beginning in March 2026, it put in place a policy that essentially says your account is treated like a child’s account unless you can prove you are older. Two ways of proving that are allowed, according to State of Surveillance:

“Facial age estimation: You record a video selfie. Discord’s system analyzes your face to estimate your age.

“Government ID: You upload a photo of your passport, driver’s license, or national ID card to a third-party vendor.”

Interestingly, at least one industry source recommends the facial scan selfie option over the government ID for security, at least for Discord. “If you’re going to verify, the facial age estimation option is less risky,” Stateofsurveillance.org writes. “Discord claims video selfies stay on your device. A government ID upload goes to a third-party vendor you can’t vet — and the last vendor got breached. Neither option is great, but one creates less attack surface.”

‘Facial age estimation’

Another social media company, Roblox, is requiring age checks for communications between users, using facial age estimation (FAE) as a biometric option. Age checks are optional, but some features like chat will not be available unless facial age estimation is complete, Biometric Update reported.

“‘After users complete the age check process, we will inform them of their assigned age group: Under 9, 9-12, 13-15, 16-17, 18-20, or 21+. Users will be able to chat with those in their own age group and similar age groups, as appropriate,’ Roblox says. So if Sofia is estimated to be 12, no one over 15 will be allowed to interact with her account, unless they are a Trusted Connection.”

The Illinois law restricting biometric data use is among the most restrictive in the nation. It gives individuals the right to sue companies for improperly collecting or using biometric data such as facial images, fingerprints or retina scans. An Illinois real estate news site posted an article recently quoting a Chicago newspaper as saying that AI giants might feel the biometric law is a threat and thus decide to place their data centers outside of Illinois. The article quoted Brad Tietz, state policy director for the Data Center Coalition, whose members include Amazon, Google, Microsoft and Meta.

Jeanne Pinder  is the founder and CEO of ClearHealthCosts. She worked at The New York Times for almost 25 years as a reporter, editor and human resources executive, then volunteered for a buyout and founded...