Legal & Policy

HIPAA Does Not Cover Your Health App: Where Medical Privacy Law Actually Stops

July 8, 2026 7 min read Haven Team

Ask an American where their health data is protected and the answer is usually one word: HIPAA. The acronym has become shorthand for medical privacy itself. But HIPAA is a narrow law that regulates a specific list of institutions, and most of the health data generated in 2026, by apps, wearables, DNA kits, and search bars, never passes through anything on that list. The gap between what people think HIPAA covers and what it covers is one of the widest in privacy law.


HIPAA, the Health Insurance Portability and Accountability Act of 1996, was written primarily to let people keep insurance coverage when changing jobs. The privacy protections came later, through the Privacy Rule that took effect in 2003, and they attach to institutions rather than to information. The rule binds three kinds of covered entities: health plans, healthcare clearinghouses, and healthcare providers who transmit billing and related transactions electronically. Since the 2013 Omnibus Rule, it also directly binds their business associates, the contractors who process health data on their behalf.

That structure produces the fact this whole article turns on: HIPAA regulates who holds the data, not the data itself. The identical blood pressure reading is protected when it sits in your cardiologist's records system and unprotected when it sits in the wellness app you logged it into yourself. Nothing about the sensitivity of the information carries any legal weight; only the identity of the holder does.

The list of things HIPAA does not touch

Once you apply the holder test, most of the modern health data economy falls outside the law:

The one-sentence test

Ask who holds the data, not what the data is. If the holder is not a health plan, a clearinghouse, a billing provider, or a contractor working for one of those, HIPAA is not in the room, no matter how medical the information looks.

The FTC has been patching the gap, case by case

The main federal cop on the uncovered side turns out to be the Federal Trade Commission, using its general authority over unfair and deceptive practices plus a long-dormant rule written for exactly this territory. The Health Breach Notification Rule, on the books since 2009, was enforced for the first time in February 2023 against GoodRx, which paid a $1.5 million civil penalty after the FTC found it had shared users' medication and health condition data with advertising platforms. A month later, the online therapy service BetterHelp agreed to pay $7.8 million over allegations it shared the health information of people seeking therapy with advertisers after promising not to. In May 2023, the fertility app Premom settled similar allegations.

These actions matter, and they signal that "not covered by HIPAA" no longer means "consequence-free." But case-by-case enforcement is not a privacy regime. There is no private right of action, penalties arrive years after the sharing, and the underlying business model, monetizing user data through advertising integrations, remains legal so long as the privacy policy does not lie about it.

What HIPAA permits even where it does apply

The second half of the misconception is overestimating the protection inside the covered zone. HIPAA permits disclosure without your authorization for treatment, payment, and healthcare operations, a set of purposes broad enough to cover most routine data flows among providers, insurers, and their contractors. It permits disclosures to law enforcement under enumerated conditions, some of which require only an administrative request rather than a judge's signature. And it places no restrictions at all on de-identified data: strip the eighteen identifiers listed in the Safe Harbor standard, or have a statistician certify low re-identification risk, and the result can be sold and shared freely. Whether de-identification holds up against modern re-identification techniques is a live research question; the law treats it as settled.

None of this makes HIPAA useless. Inside its zone it mandates security safeguards, breach notification, patient access rights, and real penalties. The point is narrower: the zone's borders were drawn in the 1990s around the institutions of that era's healthcare system, and the data economy simply grew around them.

States are drawing new lines

The most significant recent development is state law aimed squarely at the uncovered zone. Washington's My Health My Data Act, passed in 2023, regulates "consumer health data" held by companies that HIPAA ignores, requires consent for collection and sharing, and, unusually, includes a private right of action. Nevada passed a companion law the same year, and health data provisions have been folded into several of the broader state privacy statutes that followed CCPA. The result is a patchwork: your period app faces real obligations to a user in Seattle and nearly none to the same user in most other states.

What to do with this

Three practical conclusions follow. First, read any health-adjacent app as an ordinary data company, because legally it is one; the meaningful question is its business model, not its medical subject matter. Second, prefer tools that keep data on your device or encrypt it end-to-end, because architecture protects you in every state and country regardless of which statute applies. A provider that cannot read your data cannot share it with an advertiser or produce it to an administrative request, whatever its privacy policy says this quarter. Third, when a sensitive conversation matters, have it over an end-to-end encrypted channel rather than a portal or an app that holds plaintext. The law protects categories of institutions. Encryption protects the data itself, which is what most people believed HIPAA was doing all along.

Try Haven free for 15 days

Encrypted email and chat in one app. No credit card required.

Get Started →