HIPAA, the Health Insurance Portability and Accountability Act of 1996, was written primarily to let people keep insurance coverage when changing jobs. The privacy protections came later, through the Privacy Rule that took effect in 2003, and they attach to institutions rather than to information. The rule binds three kinds of covered entities: health plans, healthcare clearinghouses, and healthcare providers who transmit billing and related transactions electronically. Since the 2013 Omnibus Rule, it also directly binds their business associates, the contractors who process health data on their behalf.
That structure produces the fact this whole article turns on: HIPAA regulates who holds the data, not the data itself. The identical blood pressure reading is protected when it sits in your cardiologist's records system and unprotected when it sits in the wellness app you logged it into yourself. Nothing about the sensitivity of the information carries any legal weight; only the identity of the holder does.
The list of things HIPAA does not touch
Once you apply the holder test, most of the modern health data economy falls outside the law:
- Fitness trackers and wearables. Your heart rate, sleep, workouts, and step counts belong to the device maker under its terms of service, not under HIPAA. We covered where that data goes in our post on fitness tracker privacy.
- Period and fertility apps. Cycle data logged by users is not protected health information, a fact that moved from academic to urgent after Dobbs. Our reproductive health app post goes deeper.
- Direct-to-consumer DNA tests. A genome sequenced by a consumer genetics company is not covered the way the same test ordered by your physician would be. The 23andMe bankruptcy made the consequences concrete; see our DNA testing analysis.
- Most health and mental wellness apps. A meditation app, a symptom checker, or a therapy-adjacent chat platform operating outside insurance billing is just an app company holding sensitive data under a privacy policy it wrote itself.
- Your searches and purchases. Queries about symptoms, pharmacy loyalty card data, and pregnancy-test purchases are ordinary commercial data, eligible for sale to data brokers.
- Your employer, acting as employer. Employment records are expressly excluded, even when the employer is itself a hospital. The clinic treating you is covered; the HR department holding your sick notes is not.
Ask who holds the data, not what the data is. If the holder is not a health plan, a clearinghouse, a billing provider, or a contractor working for one of those, HIPAA is not in the room, no matter how medical the information looks.
The FTC has been patching the gap, case by case
The main federal cop on the uncovered side turns out to be the Federal Trade Commission, using its general authority over unfair and deceptive practices plus a long-dormant rule written for exactly this territory. The Health Breach Notification Rule, on the books since 2009, was enforced for the first time in February 2023 against GoodRx, which paid a $1.5 million civil penalty after the FTC found it had shared users' medication and health condition data with advertising platforms. A month later, the online therapy service BetterHelp agreed to pay $7.8 million over allegations it shared the health information of people seeking therapy with advertisers after promising not to. In May 2023, the fertility app Premom settled similar allegations.
These actions matter, and they signal that "not covered by HIPAA" no longer means "consequence-free." But case-by-case enforcement is not a privacy regime. There is no private right of action, penalties arrive years after the sharing, and the underlying business model, monetizing user data through advertising integrations, remains legal so long as the privacy policy does not lie about it.
What HIPAA permits even where it does apply
The second half of the misconception is overestimating the protection inside the covered zone. HIPAA permits disclosure without your authorization for treatment, payment, and healthcare operations, a set of purposes broad enough to cover most routine data flows among providers, insurers, and their contractors. It permits disclosures to law enforcement under enumerated conditions, some of which require only an administrative request rather than a judge's signature. And it places no restrictions at all on de-identified data: strip the eighteen identifiers listed in the Safe Harbor standard, or have a statistician certify low re-identification risk, and the result can be sold and shared freely. Whether de-identification holds up against modern re-identification techniques is a live research question; the law treats it as settled.
None of this makes HIPAA useless. Inside its zone it mandates security safeguards, breach notification, patient access rights, and real penalties. The point is narrower: the zone's borders were drawn in the 1990s around the institutions of that era's healthcare system, and the data economy simply grew around them.
States are drawing new lines
The most significant recent development is state law aimed squarely at the uncovered zone. Washington's My Health My Data Act, passed in 2023, regulates "consumer health data" held by companies that HIPAA ignores, requires consent for collection and sharing, and, unusually, includes a private right of action. Nevada passed a companion law the same year, and health data provisions have been folded into several of the broader state privacy statutes that followed CCPA. The result is a patchwork: your period app faces real obligations to a user in Seattle and nearly none to the same user in most other states.
What to do with this
Three practical conclusions follow. First, read any health-adjacent app as an ordinary data company, because legally it is one; the meaningful question is its business model, not its medical subject matter. Second, prefer tools that keep data on your device or encrypt it end-to-end, because architecture protects you in every state and country regardless of which statute applies. A provider that cannot read your data cannot share it with an advertiser or produce it to an administrative request, whatever its privacy policy says this quarter. Third, when a sensitive conversation matters, have it over an end-to-end encrypted channel rather than a portal or an app that holds plaintext. The law protects categories of institutions. Encryption protects the data itself, which is what most people believed HIPAA was doing all along.