consumer health data Archives - Global Travel Notes
https://dulichbaolocaz.com/tag/consumer-health-data/
Sharing real travel experiences worldwide
Mon, 09 Mar 2026 16:41:10 +0000

Why HIPAA isn’t enough to protect your health data
https://dulichbaolocaz.com/why-hipaa-isnt-enough-to-protect-your-health-data/

HIPAA feels like the ultimate shield for medical privacy, until your health data leaves the hospital. In today’s digital world, health information is created and shared through apps, wearables, telehealth tools, marketing pixels, and data brokers, many of which fall outside HIPAA’s scope. This in-depth guide explains what HIPAA actually covers, where its biggest loopholes live, and how “lawful” data use can still feel invasive. You’ll see real examples, from tracking tech on healthcare websites to the risks of re-identification and the reality of massive breaches, and learn which protections step in when HIPAA doesn’t (FTC action, state laws like Washington’s My Health My Data Act, and more). Finally, you’ll get practical steps to reduce exposure and a clear view of what stronger, modern health data privacy should look like. If you’ve ever thought, “Isn’t that a HIPAA violation?”, this article is your map to what’s protected, what’s not, and how to stay safer.

The post Why HIPAA isn’t enough to protect your health data appeared first on Global Travel Notes.


HIPAA is the law everyone name-drops when health privacy comes up, kind of like “gluten-free” or “low-carb,” except it’s a federal regulation instead of a diet.
And yes, HIPAA matters. It has teeth. It sets rules for how doctors, hospitals, and insurers handle protected health information (PHI).
But here’s the uncomfortable truth: HIPAA is not a universal force field around your health data.

In 2026, your “health data” doesn’t live in one place. It lives everywhere: appointment portals, billing systems, telehealth chats, wearables, search history, pharmacy discounts,
wellness apps, online trackers, and, surprise, data brokers. HIPAA covers some of that world. The rest? Often handled by privacy policies written in the dialect of “we can do whatever we want.”

What HIPAA actually does (and does not) cover

HIPAA (the Health Insurance Portability and Accountability Act) focuses on “covered entities” (health care providers, health plans, and health care clearinghouses) and
their business associates (vendors handling PHI on their behalf).
If your doctor’s office stores your lab results, HIPAA is in the room. If your insurer processes claims, HIPAA is also in the room.

But HIPAA’s protection is context-based, not “data-based.” It’s not a magic label that sticks to a piece of information forever.
The same health detail can be protected in one setting and basically free-range in another.

A quick reality check

  • Your hospital portal messages? Often HIPAA-protected.
  • Your period-tracker app? Usually not.
  • Your smartwatch heart rate data? Often not.
  • Your “I googled chest pain at 2 a.m.” search history? Not HIPAA. (Also: same.)

Even the U.S. Department of Health and Human Services notes that HIPAA generally doesn’t protect health info once it’s stored on or accessed through your personal phone/tablet,
and it doesn’t cover things like search history, data you voluntarily share online, or location information. In other words: your “digital life” can become a health dossier with zero HIPAA involvement.

The core problem: HIPAA was built for a different internet

HIPAA was enacted in 1996, in a world of fax machines, filing cabinets, and “the cloud” meaning weather.
Today, health data flows through ad tech, mobile SDKs, analytics scripts, and third-party vendors that didn’t exist when the original rules were written.

HIPAA has been updated (and interpreted) over time, but its structure still assumes something like:
“Health data lives with health care organizations.” That assumption is increasingly false.

Modern health data is a buffet

A single patient journey can involve:

  • a hospital visit (HIPAA world)
  • a telehealth platform (sometimes HIPAA world, sometimes not)
  • a payment processor and customer support tools (vendor ecosystem)
  • a pharmacy discount app (often outside HIPAA)
  • a wearable device (often outside HIPAA)
  • online tracking and marketing pixels (the Wild West, with good branding)

When your health data crosses those borders, the rules can change dramatically.

Gap #1: Health apps, wearables, and “wellness” companies often sit outside HIPAA

Most consumer health apps aren’t covered entities. They’re not your doctor. They’re not your insurer.
They’re software companies that collect “consumer health data” and govern it primarily through their privacy policy, aka the document you “agree” to while your thumb is still hovering over “Install.”

And yes, people are confused about this

Research and consumer surveys repeatedly show a misconception: many Americans assume HIPAA covers health data inside apps.
One Pew project found that concern about privacy jumps sharply when people learn that federal laws like HIPAA don’t cover health data downloaded to apps and that terms of service may be the main protection instead.

Translation: lots of people think they’re protected when they’re not, an awkward starting point for “informed consent.”

Gap #2: HIPAA doesn’t stop “lawful but creepy” data uses

HIPAA is often described as a privacy law, but it also includes wide permissions for how PHI can be used and shared for core operations:
treatment, payment, and health care operations. That’s practical, but it also means your data can move around within a health system in ways that feel surprising.

Where the discomfort shows up

  • Data sharing for operations: quality improvement, audits, business management, and more.
  • Large vendor chains: subcontractors supporting billing, IT, analytics, transcription, and call centers.
  • De-identified data: often shareable more broadly, with real debate about re-identification risk (more on that next).

HIPAA tries to balance privacy and the business of running health care. But “balanced” doesn’t always feel like “private,” especially when patients don’t know who has access.

Gap #3: “De-identified” isn’t always “anonymous” in practice

HIPAA has pathways for de-identification, and HHS provides guidance on methods like Safe Harbor and Expert Determination.
The idea is straightforward: remove identifiers so the data can’t reasonably identify a person.

The hard part: modern data ecosystems make re-identification easier. When datasets can be linked, especially with location, device identifiers, demographics, or unique patterns, “anonymous” can become “oh wow, that’s definitely Bob.”

Re-identification risk is not theoretical

Researchers have analyzed re-identification risks even with HIPAA Safe Harbor-style data, showing how privacy can be compromised when “anonymous” records can be matched with outside information.

To be clear: de-identified data can power valuable research and public health. The point isn’t “never share data.”
The point is: HIPAA’s de-identification framework isn’t a time machine that makes modern linkage risks disappear.
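To make the linkage risk concrete, here is an added example (my own Python, not code from the article, from HHS, or from any cited study). It applies three of Safe Harbor’s rules to a few constructed patient records, then does what a motivated outsider would do: generalize a separate constructed dataset (a voter roll, a marketing file, a breached customer list) the same way and join on the quasi-identifiers. The release year, the ZIP-area population table, and every name and record are assumptions for the demonstration; the real standard strips 18 identifier types, of which only ZIP truncation, date-to-year, and the age-over-89 bucket are simulated here.

```python
"""Safe Harbor-style generalization, then a linkage attack on the output.

Added example, not from the original article or from HHS. All records,
names, the release year and the ZIP population table are constructed.
"""
from collections import Counter

REFERENCE_YEAR = 2026                                # assumed release year
ZIP3_POPULATION = {"021": 650_000, "597": 12_000}    # assumed populations

# Constructed records the data holder wants to release:
# (zip5, birth_date, sex, diagnosis)
PATIENTS = [
    ("02139", "1961-04-12", "F", "oncology"),
    ("59718", "1990-02-01", "M", "addiction treatment"),
    ("02115", "1932-07-07", "M", "dementia clinic"),
]

# Constructed outside dataset an attacker already holds:
# (name, zip5, birth_date, sex)
VOTER_ROLL = [
    ("Alice", "02139", "1961-04-12", "F"),
    ("Bob",   "59718", "1990-02-01", "M"),
    ("Dan",   "59701", "1990-11-20", "M"),
    ("Carl",  "02115", "1932-07-07", "M"),
    ("Edna",  "02116", "1931-01-01", "F"),
]


def generalize(zip5, birth_date, sex):
    """Quasi-identifier tuple after Safe Harbor-style generalization."""
    zip3 = zip5[:3]
    # Safe Harbor keeps the first three ZIP digits only when that area holds
    # more than 20,000 people; sparser areas collapse to "000".
    if ZIP3_POPULATION.get(zip3, 0) <= 20_000:
        zip3 = "000"
    year = int(birth_date[:4])
    # Only the year of a date may survive, and anyone older than 89 is
    # bucketed as "90+" so that a birth year cannot single them out.
    birth_year = "90+" if REFERENCE_YEAR - year > 89 else str(year)
    return (zip3, birth_year, sex)


def release(patients):
    """What gets published: generalized key plus the sensitive field."""
    return [(generalize(z, d, s), dx) for z, d, s, dx in patients]


def k_anonymity(released):
    """Equivalence-class sizes on the quasi-identifiers. A class of size 1
    is unique in the release even before any outside data is consulted."""
    return Counter(key for key, _ in released)


def link(released, outside):
    """Generalize the outside data the same way and join on the key. A
    released row that matches exactly one outside person is re-identified."""
    index = {}
    for name, z, d, s in outside:
        index.setdefault(generalize(z, d, s), []).append(name)
    hits = {}
    for key, diagnosis in released:
        candidates = index.get(key, [])
        if len(candidates) == 1:
            hits[diagnosis] = candidates[0]
    return hits


def demo():
    """Returns (class sizes in the release, re-identified rows)."""
    released = release(PATIENTS)
    return k_anonymity(released), link(released, VOTER_ROLL)


if __name__ == "__main__":
    k, hits = demo()
    print("k per class:", dict(k))
    print("re-identified:", hits)
```

Run it and two of the three rows come back with a name attached. The only record that survives is the one whose sparse ZIP area collapsed to 000 and merged with a second person, which is the whole point: Safe Harbor’s protection depends on how many other people share your generalized row, and the data holder cannot see the outside datasets that decide that. The k_anonymity count is the pre-release check a data holder can run on its own side; any class of size 1 is a warning sign that the Safe Harbor stamp is doing less than it appears to.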

Gap #4: Tracking pixels and “marketing tech” can leak health signals

One of the most modern HIPAA headaches: online tracking technologies (cookies, pixels, web beacons, SDKs).
When used on patient portals or appointment pages, these tools can collect data about how a user interacts with a site or app.
HHS’s Office for Civil Rights (OCR), which enforces HIPAA, has issued guidance on online tracking technologies for HIPAA-regulated entities.

But this is messy territory. The guidance was challenged in court, and in 2024 a federal court in Texas vacated the part of it that treated a visitor’s IP address combined with a visit to an unauthenticated web page about a specific health condition as PHI (per major law-firm analysis), which adds uncertainty about how the guidance is interpreted and enforced.

Why this matters for health data privacy

You don’t need a lab result to create a sensitive health inference. An IP address visiting “oncology appointment scheduling” is a clue.
A browser event that fires on a page about addiction treatment is a clue.
Advertisers love clues. Data brokers love clues. And once a clue becomes part of a profile, it can be bought, sold, and used for targeting.

Gap #5: Breaches are still everywhere (HIPAA doesn’t prevent ransomware)

HIPAA includes security requirements, but compliance isn’t the same as invincibility.
Health care remains a prime target for ransomware because hospitals can’t exactly “turn it off and on again” when patient care is on the line.

The American Hospital Association reported that by the end of 2024, PHI for 259 million Americans had been reported as hacked, driven in large part by major incidents,
including the Change Healthcare ransomware attack, whose final breach notification covered roughly 190 million people.

HIPAA can punish poor safeguards after the fact. It can’t un-steal data, un-leak Social Security numbers, or un-traumatize patients who learn their diagnoses may be floating around the internet like a cursed coupon.

Gap #6: Reproductive health privacy shows the limits (and fragility) of HIPAA-based fixes

In response to concerns about reproductive health data, HHS issued a HIPAA Privacy Rule final rule designed to strengthen protections related to lawful reproductive health care
(including requirements like attestations in certain disclosure scenarios).

But court challenges have complicated the picture. Reuters reported that in 2025 a federal judge invalidated that Biden administration rule, which was intended to strengthen privacy protections related to abortion and gender transition treatments,
underscoring how policy solutions can shift with litigation and politics.

Regardless of where you land politically, the privacy lesson is the same:
if privacy depends on a narrow legal framework and is vulnerable to court fights, it’s not a stable foundation for protecting sensitive data in a digital ecosystem.

So what protects your health data outside HIPAA?

The answer is: a patchwork. Some of it is strong. Some of it is vibes.

1) The FTC (sometimes) steps in

For many consumer health apps, the main federal watchdog is the Federal Trade Commission, especially when companies misrepresent their privacy practices or misuse sensitive health data.
A headline example: the FTC’s 2023 enforcement action against GoodRx, the first brought under the agency’s Health Breach Notification Rule, for sharing consumers’ sensitive health information with advertising companies. It carried a $1.5 million civil penalty and a ban on sharing health data for advertising purposes.

That matters, but it’s also reactive. The FTC often comes in after harm happens.

2) State privacy laws are filling gaps

States are increasingly passing laws aimed at “consumer health data.”
Washington’s My Health My Data Act is explicit about the problem: people assume HIPAA covers their health data, but HIPAA only covers certain entities, so the state created broader protections.

This is progress, but it also creates complexity: your rights can depend on where you live and what kind of company collected the data.

3) Company privacy policies (the least comforting sentence in America)

Outside HIPAA, you often rely on a company’s privacy policy and your willingness to read it.
Pew research suggests many people click “agree” without reading, and most think privacy policies are ineffective at explaining how data is used.

A privacy policy can be honest and still terrifying:
“We may share information with partners to improve services.”
Cool. Which partners? Improve which services? And why do I suddenly feel like my cholesterol is being used to sell me a treadmill?

Practical steps to protect your health data (without moving to a cabin)

You shouldn’t need a law degree to keep your medical life private. But while we wait for better protections, here are realistic moves:

For patients and consumers

  • Treat health apps like financial apps: if it’s free, you might be the product. Check what data is collected and shared.
  • Limit permissions: location, contacts, and ad tracking are optional more often than apps imply.
  • Use patient portals when possible: not perfect, but more likely inside HIPAA boundaries than random third-party messaging.
  • Be careful with “symptom searches” on logged-in platforms: your search history can become targeting fuel.

For health organizations and digital health brands

  • Map your data flows: know exactly where PHI and consumer health data travel, especially into analytics and ad tech.
  • Minimize tracking: default to privacy-preserving analytics, and avoid embedding third-party pixels on sensitive pages.
  • Vendor discipline: business associate agreements where appropriate, plus security reviews and least-privilege access.
  • Design for consent: real choices, plain language, and revocable permissions.
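Gap #4 above describes the leak; the “map your data flows” and “minimize tracking” items are the response. The following is an added example (my own Python, not the article’s code or any vendor’s tool) of the audit a web team can run over its own HTML: it lists every third-party script, pixel, and iframe on a page and reports what that host learns about the visit, taking into account that a script runs with page privileges, that a pixel’s query string often carries the page URL, and that the Referer header reveals only what the page’s referrer policy allows. The page URL, HTML, and host names are constructed; example-hospital.org, example-adtech.net, and example-vendor.com are placeholders.

```python
"""Audit a page for third-party loads that could leak a sensitive visit.

Added example, not code from the original article or from any vendor. The
page URL, HTML and host names are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Path or query fragments that name a service line. Extend per site.
SENSITIVE = re.compile(r"oncology|addiction|reproductive|behavioral|hiv|fertility", re.I)

# Referer behaviour for cross-origin requests. Browsers default to
# strict-origin-when-cross-origin, which sends the origin only.
FULL_URL_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}
NO_REFERER_POLICIES = {"no-referrer", "same-origin"}

PAGE_URL = "https://www.example-hospital.org/oncology/schedule?dept=oncology"
FIRST_PARTY = {"example-hospital.org"}

# Constructed appointment page: a first-party script, an ad-tech script, an
# ad-tech pixel that embeds the page URL, a first-party image and a
# third-party chat widget. No referrer policy is set, so the default applies.
SAMPLE_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://analytics.example-adtech.net/tag.js"></script>
</head><body>
<h1>Schedule an oncology appointment</h1>
<img src="https://px.example-adtech.net/p.gif?ev=PageView&dl=https%3A%2F%2Fwww.example-hospital.org%2Foncology%2Fschedule" width="1" height="1">
<img src="https://www.example-hospital.org/images/logo.png">
<iframe src="https://chat.example-vendor.com/widget"></iframe>
</body></html>
"""


class PageScanner(HTMLParser):
    """Collect every src-bearing load and the page's meta referrer policy."""

    def __init__(self):
        super().__init__()
        self.loads = []             # (tag, src)
        self.referrer_policy = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.loads.append((tag, a["src"]))
        elif tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.referrer_policy = (a.get("content") or "").lower()


def referer_reveals(policy):
    """What the Referer header discloses to a cross-origin host under policy."""
    policy = policy or "strict-origin-when-cross-origin"
    if policy in NO_REFERER_POLICIES:
        return "nothing"
    if policy in FULL_URL_POLICIES:
        return "full URL"
    return "origin only"


def is_first_party(host, first_party):
    return any(host == h or host.endswith("." + h) for h in first_party)


def audit_page(page_url, html, first_party):
    """One finding per third-party load, saying what that host learns."""
    page = urlparse(page_url)
    sensitive = bool(SENSITIVE.search(page.path + "?" + page.query))
    scanner = PageScanner()
    scanner.feed(html)
    findings = []
    for tag, src in scanner.loads:
        host = urlparse(src).hostname
        if host is None or is_first_party(host, first_party):
            continue   # relative or first-party: no third-party disclosure
        if tag == "script":
            # Third-party JavaScript runs with page privileges: it can read
            # document.location, form fields and cookies whatever the policy.
            reveals = "full URL (script reads document.location)"
        elif len(page.path) > 1 and page.path in unquote(src):
            # Pixels routinely carry the page URL in their own query string.
            reveals = "full URL (embedded in request)"
        else:
            reveals = referer_reveals(scanner.referrer_policy)
        findings.append({
            "tag": tag,
            "host": host,
            "sensitive_page": sensitive,
            "reveals": reveals,
            "ip_disclosed": True,   # every cross-origin request sends the IP
        })
    return findings


def demo():
    return audit_page(PAGE_URL, SAMPLE_PAGE, FIRST_PARTY)


if __name__ == "__main__":
    for f in demo():
        flag = "SENSITIVE " if f["sensitive_page"] else ""
        print(f"{flag}{f['tag']:6} {f['host']:30} -> {f['reveals']}")
```

On the constructed oncology scheduling page, the analytics script and the pixel both disclose the full URL, and therefore the service line, to the ad-tech host, while the chat widget under the browser’s default referrer policy learns only the origin plus the visitor’s IP address. A referrer policy of no-referrer closes the Referer channel for pixels and iframes but does nothing about a script that can read document.location; on sensitive pages the durable fix is to remove the third-party script entirely or route analytics through first-party infrastructure covered by a business associate agreement.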

What “better than HIPAA” could look like

HIPAA isn’t “bad.” It’s just not built to cover the full modern health data universe.
Stronger health data privacy would likely include:

A data-based rule, not just an entity-based rule

If data can reveal health status (or be reasonably linkable to it), protections shouldn’t vanish because the collector is a “wellness company” instead of a hospital.

Limits on secondary use and targeted advertising

Health inference targeting is uniquely sensitive. “You might like new shoes” is one thing. “We noticed you searched for bipolar medication” is dystopian.

Clear, enforceable rights

Access, deletion, opt-out of sale/sharing, and meaningful consent should be consistent across the U.S., not dependent on your ZIP code.

Security baseline + accountability

HIPAA requires safeguards, but breaches keep happening. Stronger incentives for security maturity, plus consequences for avoidable failures, would reduce harm.
Frameworks and standards work best when they’re actually adopted, audited, and resourced.

Conclusion

HIPAA is essential, but it’s not enough.
It protects a meaningful slice of your health data, mostly inside traditional health care.
Meanwhile, your health story leaks through apps, trackers, purchases, location data, and inferences that HIPAA was never designed to police.

The next era of health data privacy needs to match the reality of how health data is created today:
by clinics and consumer devices, by portals and ad tech, by insurers and “free” apps that quietly monetize what you thought was personal.

Until protections catch up, the best move is awareness: know when HIPAA applies, know when it doesn’t, and demand better standards from the companies asking you to hand over your most sensitive data.
Your health is personal. Your data should be, too.

Experience section: real-world patterns that show why HIPAA isn’t enough

I can’t count how many times I’ve heard a version of: “But isn’t that a HIPAA violation?”
The question usually arrives right after someone discovers their “private” health moment wasn’t as private as advertised.
Here are a few common, reality-based scenarios (shared as composites so nobody gets accidentally doxxed by a blog post).

1) The “I used a health app, then the ads got weird” moment

Someone downloads a wellness app for sleep, fertility, mental health, or weight management.
It asks a lot of questions (mood, medications, cycles, cravings, anxiety triggers), then thanks them with soothing gradients and a daily reminder to hydrate.
A week later, they’re scrolling and seeing ads that feel… oddly specific. Maybe it’s a product “for stress support,” maybe it’s a targeted clinic ad, maybe it’s something that makes them say,
“Did my phone just read my therapy homework?”

Often the culprit isn’t mind-reading. It’s tracking. Device identifiers, ad networks, SDKs, and “partners” that connect behavior to marketing profiles.
The punchline (except it’s not funny): HIPAA frequently isn’t involved because the company isn’t a covered entity. So the consumer experience becomes a lesson in privacy policy fine print.

2) The “hospital website that behaved like an e-commerce checkout”

Hospitals and clinics want modern websites: appointment scheduling, patient education, service line marketing.
Marketing teams want analytics: what pages perform, what campaigns drive visits, which keywords convert.
In other industries, the tool stack includes pixels and third-party analytics by default.

In health care, that default can be risky. If a tracking tool collects information that links a visitor to a sensitive page (like oncology, addiction treatment, or reproductive care),
it can create a privacy problem, even if no one intended to “share PHI with advertisers.”
This is why OCR guidance about online tracking technologies exists in the first place, and why health systems keep revisiting what “PHI” means in a web context.

The experience people describe is simple: they visited a hospital site, and later felt like the internet “remembered” the visit.
That’s not paranoia; that’s modern tracking doing what it does.

3) The “de-identified data” surprise

Many patients are okay with their data being used for research, especially if it helps cure diseases, improve care, or spot public health trends.
The discomfort shows up when they learn that “de-identified” doesn’t always mean “impossible to re-identify,” particularly when datasets can be linked.
Research has long discussed the risks of re-identification in supposedly anonymized health data under common de-identification standards.

The lived experience here is trust: people want to believe their data can help without coming back to haunt them.
The more the data economy grows, the more that trust needs actual guardrails, not just good intentions.

4) The “breach fatigue” era

After years of breach headlines, many people have a numbness: “Another breach? Okay, what’s the free credit monitoring this time?”
But health data breaches aren’t like retail breaches.
You can cancel a card. You can’t cancel a diagnosis.

When major incidents expose PHI at scale, patients experience a mix of anger and resignation.
They didn’t choose to “opt in” to risk; they needed care.
And while HIPAA shapes security obligations and penalties, it doesn’t prevent ransomware gangs from trying their luck.

These experiences all point to the same conclusion: HIPAA is a critical baseline inside health care, but health data privacy today requires protections that follow the data wherever it goes,
including the consumer tech ecosystem that increasingly defines modern health.
