Health Data Privacy Beyond HIPAA
Health data privacy in the United States extends well beyond the Health Insurance Portability and Accountability Act of 1996, encompassing a fragmented landscape of state statutes, federal consumer protection frameworks, and sector-specific rules that collectively govern how health-related information is collected, shared, and protected outside traditional clinical settings. This page maps the regulatory categories, enforcement mechanisms, and classification standards that define health data privacy obligations for entities that fall outside HIPAA's covered-entity structure. As consumer health applications, employer wellness programs, and data brokers proliferate, the gap between HIPAA's scope and the full universe of health data in circulation has become one of the most consequential compliance blind spots in the cybersecurity and privacy service sector.
Definition and scope
HIPAA's Privacy Rule (45 CFR Parts 160 and 164) applies specifically to covered entities — healthcare providers, health plans, and healthcare clearinghouses — and their business associates. That definition excludes a substantial category of actors: mobile health app developers, wearable device manufacturers, general-purpose technology platforms, data brokers, and employers acting outside a group health plan relationship.
Health data itself, for purposes of the broader regulatory landscape, refers to any information that relates to an individual's physical or mental health condition, healthcare treatment, or payment for care. This definition is broadened further under state law. Washington State's My Health My Data Act (ESSB 1155, enacted 2023) defines "consumer health data" to include data that identifies a consumer's health conditions, attempts to obtain health services, and precise geolocation data that could be used to infer a health condition — a scope that goes materially beyond HIPAA's framing (Washington State Legislature, ESSB 1155).
The Federal Trade Commission's jurisdiction under Section 5 of the FTC Act (15 U.S.C. § 45) reaches health data held by non-HIPAA entities, treating unauthorized disclosures or deceptive practices as unfair or deceptive acts. The FTC's Health Breach Notification Rule (16 CFR Part 318) further requires vendors of personal health records — a category that includes many consumer wellness platforms — to notify consumers and the FTC of breaches involving unsecured identifiable health information.
How it works
Regulatory obligation for non-HIPAA health data flows from four principal frameworks, each with distinct trigger conditions and enforcement authorities:
- FTC Act and Health Breach Notification Rule — Applies to personal health record vendors and related service providers not subject to HIPAA. Breach notification must reach affected individuals within 60 calendar days of discovery; if more than 500 residents of a state are affected, media notification is also required (FTC, 16 CFR Part 318).
- State comprehensive privacy laws — California's CPRA (Cal. Civ. Code §§ 1798.100–1798.199.100), Virginia's CDPA, Colorado's CPA, and a growing set of additional state statutes classify health data as sensitive personal information requiring opt-in consent for processing.
- Washington My Health My Data Act — Creates a private right of action for violations, meaning individual consumers — not only state regulators — can sue entities that collect, share, or sell consumer health data without authorization.
- State genetic privacy statutes — At least 50 states have enacted some form of genetic information privacy law, with direct-to-consumer genetic testing companies subject to disclosure, consent, and data retention restrictions independent of HIPAA (NCSL Genetics and Health Insurance State Anti-Discrimination Laws).
As a matter of sensitive data handling standards, health data at the non-HIPAA tier typically requires explicit affirmative consent, documented data minimization, and contractual restrictions on third-party sharing. These controls parallel HIPAA's minimum necessary standard but are legally distinct from it.
Common scenarios
Three operational scenarios account for the majority of non-HIPAA health data compliance exposures:
Consumer health applications — A fitness tracking app or menstrual health platform collects symptom logs, biometric measurements, or inferred diagnoses. Unless the developer is a HIPAA business associate, no HIPAA obligation attaches. FTC jurisdiction applies, and state privacy law opt-in requirements govern data sales or disclosures to advertisers. The FTC's 2023 action against GoodRx Holdings for sharing health data with advertising platforms illustrated the enforcement scope under the Health Breach Notification Rule (FTC Press Release, February 2023).
Employer wellness programs — An employer-administered wellness program that operates outside the group health plan structure falls outside HIPAA's direct reach. The Equal Employment Opportunity Commission's rules under the Americans with Disabilities Act and the Genetic Information Nondiscrimination Act impose separate constraints on voluntary health information collection. Employee privacy rights in this context are governed by a combination of ADA, GINA, and applicable state employment statutes.
Data brokers and health inference — Data brokers aggregate location signals, purchase history, and behavioral data to construct health-related profiles without direct health data collection. Washington's ESSB 1155 and similar statutes increasingly treat inferred health data — such as geolocation associated with reproductive health clinics — as regulated consumer health data subject to consent requirements. Cross-referencing location data privacy obligations is essential for compliance assessments in this category.
Decision boundaries
Determining which framework governs a specific health data flow requires resolving three threshold questions:
- Is the entity a HIPAA covered entity or business associate? If yes, HIPAA's Privacy and Security Rules (45 CFR Parts 160, 162, 164) apply. If no, proceed to the next threshold.
- Does the entity operate a personal health record or related service under the FTC's definition at 16 CFR § 318.2? If yes, the Health Breach Notification Rule applies concurrently with FTC Act Section 5 authority.
- Where are the individuals whose data is processed located? State privacy laws are triggered by the residency of data subjects, not the location of the processing entity. California, Washington, Colorado, Virginia, Texas, and Connecticut each have operative health or sensitive data provisions with differing consent, deletion, and private-action rights as of 2024 (IAPP US State Privacy Legislation Tracker).
The HIPAA versus non-HIPAA distinction is not a binary safe harbor. An entity may be exempt from HIPAA and simultaneously subject to FTC enforcement, one or more state comprehensive privacy laws, genetic privacy statutes, and the Washington My Health My Data Act. Data breach notification requirements compound this layering: each framework carries distinct notification timelines, recipient categories, and regulatory filing obligations that do not consolidate into a single compliance pathway.
For entities subject to third-party data sharing rules, contractual controls over downstream health data use represent a minimum baseline; affirmative prohibition clauses for onward sale or advertising use are increasingly required by state statute rather than left to contractual discretion.
References
- FTC Health Breach Notification Rule, 16 CFR Part 318
- HIPAA Privacy Rule, 45 CFR Parts 160 and 164 — HHS Office for Civil Rights
- Washington State ESSB 1155 — My Health My Data Act
- FTC Press Release: GoodRx Action, February 2023
- IAPP US State Privacy Legislation Tracker
- NCSL Genetics and Health Insurance State Anti-Discrimination Laws
- FTC Act, Section 5 — 15 U.S.C. § 45
- California Civil Code §§ 1798.100–1798.199.100 (CPRA)