The Health Data Privacy Gap

When most people think about health data privacy, they think about HIPAA, the Health Insurance Portability and Accountability Act, enacted in 1996. HIPAA protects health information held by healthcare providers, health plans, and their business associates. It's a meaningful protection within its scope.

But here's the problem: HIPAA covers only a fraction of health data being collected about you today.

Your fitness tracker doesn't transmit your heart rate to your doctor; it transmits it to a tech company. Your period tracking app doesn't share your cycle data with your OB/GYN; it stores it on commercial servers. Your mental health app's conversation logs are not protected by HIPAA. Your pharmacy's loyalty program data may not be protected. The health data you share with wellness programs, employer-sponsored health apps, genetic testing services, and dozens of other "digital health" products is largely outside HIPAA's reach.

And much of this data is being sold, licensed, or shared with data brokers, insurance companies, and advertisers.

What Data Is and Isn't Protected by HIPAA

Data covered by HIPAA (Protected Health Information / PHI):

Any individually identifiable health information created, received, maintained, or transmitted by a covered entity (healthcare providers, health plans, healthcare clearinghouses) or their business associates. This includes: diagnoses, treatment records, test results, prescriptions, billing records, and communication with your healthcare team.

Data NOT covered by HIPAA:

Health data collected directly by consumers through: fitness trackers (Fitbit, Apple Watch, Garmin), health apps on your phone (MyFitnessPal, period tracking apps, mental health apps, diet apps), genetic testing services (23andMe, AncestryDNA), employer wellness programs (when not connected to a health plan), and direct-to-consumer telehealth companies (many fall outside HIPAA even if they connect you with doctors).

This is the data gap that state laws are beginning to address.

Washington's My Health My Data Act: A Breakthrough

In 2023, Washington became the first state to enact comprehensive health data privacy protections that extend beyond HIPAA to cover the digital health data gap. The My Health My Data Act is groundbreaking in several ways:

Broad definition of "health data": The Act covers not just traditional medical information, but also: precise geolocation data when inferred to indicate health conditions (like proximity to a medical facility or abortion clinic), data about reproductive health, mental health, gender-affirming care, and substance use disorders. Essentially, any information about a consumer's physical or mental health condition or attempt to seek health information.

Applies to non-HIPAA entities: The Act explicitly targets the apps, wearables, and digital health services that HIPAA doesn't cover.

Geofencing prohibition: The Act prohibits geofencing around sensitive healthcare facilities, meaning companies cannot use location data to identify people who have visited abortion clinics, mental health facilities, addiction treatment centers, or similar locations.

Private right of action: Washington consumers can sue companies directly for violations, without waiting for government enforcement, which creates a powerful deterrent.

Nevada has enacted a similar law. Other states are actively considering following Washington's lead.

Period Tracking Apps: A Special Concern

The post-Dobbs landscape has made reproductive health data privacy an acute concern. Period tracking apps and fertility apps collect extraordinarily sensitive data: menstrual cycle dates, sexual activity, pregnancy status, pregnancy outcomes, and related health information.

After the Supreme Court's Dobbs decision in 2022, privacy advocates raised significant alarms about this data potentially being used in states that have criminalized abortion, either by law enforcement seeking evidence of illegal abortions or by private parties authorized to sue those who assist with abortions.

Research has confirmed that many popular period tracking apps share data with third parties, have inadequate privacy policies, and could be subject to law enforcement data demands.

Recommended period tracking apps with strong privacy practices: Euki (privacy-focused, data stored locally), Drip (open-source, data never leaves your device), and Clue (strong encryption, European headquarters subject to GDPR). Avoid apps that sync data to commercial clouds without strong encryption and clear data minimization practices.

How to Protect Your Health Data

Given the fragmented state of health data privacy law, protecting your health data requires active choices:

Audit your health apps: Go through every health-related app on your phone. Read their privacy policies (look for what data is shared with "partners" or "third parties for advertising"). Delete any apps where the data collection is disproportionate to the benefit you receive.

Use privacy-focused alternatives: For fitness tracking, consider devices that store data locally (some Garmin watches have offline modes). For health journaling, use a local app or encrypted notes rather than cloud-synced commercial apps.

Submit opt-out requests: If you've used health apps in California (or other covered states), you may have the right to opt out of the sale of your health data and request deletion of historical data.

Check your state's protections: If you're in Washington, you have additional rights under the My Health My Data Act. If you're in another state, the health data you share with apps may be subject only to the app's own privacy policy, so read it carefully before sharing sensitive information.

Be wary of "free" health services: Free health apps and services often monetize through data. If you're not paying for the product, your health data may be the product.