Looking at a platform like Better Help, their information sharing policy was kind of buried.
Terms of Service didn't explicitly state anything but pointed to a separate Privacy Policy Document.
The privacy policy document starts with definitions of "Therapists" and defining them as people who 'Provide Services'.
Then they mention sharing policy with "Service Providers', which is explicitly defined elsewhere. (The sleight of hand is they are trying to have the reader associate and conflate the therapist 'providing services' and 'service providers'.
Later in the document, 'Service Providers' are defined as anyone defined by Better Help as someone they want to enter an agreement with who may otherwise have some limitations on handling the data themselves.
*For purposes of this Policy and unless otherwise specified, “data” includes information that is linked to one person or household including things like name, email address, phone numbers, device ID, Third Party identifiers, contact information, and communications with Therapists using our digital communication platform (the “Platform”) to provide services (“Therapists”). Some jurisdictions might consider this to be “personal data,” “personally identifiable information,” or “sensitive personal data” in certain circumstances. When you use and access our app or website, you accept and agree to both the Terms and Conditions and this Privacy Policy, including that we’ll share certain data with Service Providers.
Service Provider **We define a Service Provider as a person or company that we have a legal agreement with to Process data collected by us or on our behalf. **Data that is Processed on our behalf is required to be done only at our direction - no other person or company can authorize it. Our Service Providers are not permitted to disclose data that is individually identifiable to any other person or company, other than to us or the Service Providers’ own subcontractors provided that they’re bound to data Processing terms that are no less restrictive than the Service Provider’s terms.
The data obtained by Service Providers from their relationship with us must only be used for performing the services specified in our agreement with them, or as reasonably necessary to perform one or more of the following:
Comply with applicable law, regulation, or legal process; Detect, prevent or mitigate fraud or security vulnerabilities; Debug to identify and repair errors impairing existing intended functionalities; and/or Conduct internal research for technological development and demonstration of our products or services, if such use is reasonably necessary and proportionate to achieve the purpose for which the data was shared.*
Sounds irrefutable to me