Health Data Privacy Beyond HIPAA

Health data privacy in the United States extends well beyond the Health Insurance Portability and Accountability Act, encompassing a layered framework of federal statutes, state laws, sector-specific regulations, and emerging consent standards that govern how personal health information is collected, shared, and protected. This page maps the regulatory landscape for health data that falls outside HIPAA's covered entity framework — a gap that has grown substantially as consumer health apps, wearable devices, and direct-to-consumer genetic testing have moved health-sensitive data into commercial ecosystems. Understanding where HIPAA ends and other legal frameworks begin is essential for compliance professionals, privacy officers, and researchers operating in the health technology sector.

Definition and scope

HIPAA's Privacy Rule (45 CFR Parts 160 and 164) applies specifically to covered entities — healthcare providers, health plans, and healthcare clearinghouses — and their business associates. An estimated 80% of consumer health data generated through mobile applications, fitness trackers, and direct-to-consumer wellness platforms falls outside HIPAA's jurisdictional reach (Federal Trade Commission, Mobile Health Apps Interactive Tool, 2016).

Health data beyond HIPAA includes:

  1. Consumer-generated wellness data — fitness, sleep, and activity metrics collected by non-covered entities
  2. Direct-to-consumer genetic data — raw genomic data and ancestry profiles generated outside clinical settings
  3. Mental health and substance use records — subject to 42 CFR Part 2 as a separate federal framework
  4. School health records — governed by the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g)
  5. Employment-related health data — regulated by the Americans with Disabilities Act and EEOC guidelines
  6. State-designated sensitive categories — reproductive health, HIV status, and mental health data governed under state-level statutes

The privacy service providers listed in this provider network reflect the breadth of organizations operating across all of these frameworks.

How it works

The regulatory mechanisms operating outside HIPAA function through four distinct channels: federal sectoral law, state comprehensive privacy statutes, FTC enforcement authority, and consent-based frameworks.

Federal sectoral law assigns jurisdiction by data type rather than by covered-entity status. Section 5 of the FTC Act (15 U.S.C. § 45) prohibits unfair or deceptive practices, giving the FTC enforcement authority over health app developers and data brokers. The agency has pursued enforcement actions against companies that shared health data without adequate consumer notice.

State comprehensive privacy laws in California (CPRA), Virginia (VCDPA), Colorado (CPA), and Texas (TDPSA) classify health data as a sensitive category requiring explicit opt-in consent, separate from any HIPAA obligations. California's Consumer Privacy Act, amended by Proposition 24 in 2020, applies to businesses meeting revenue or data volume thresholds regardless of whether they are HIPAA covered entities (Cal. Civ. Code §§ 1798.100–1798.199.100).

The 42 CFR Part 2 framework imposes stricter requirements on substance use disorder treatment records than HIPAA does — prohibiting redisclosure without patient consent even to other treating providers. The Coronavirus Aid, Relief, and Economic Security Act (CARES Act, Pub. L. 116-136) modified Part 2 in 2020 to allow limited alignment with HIPAA, but the core consent protections remain distinct.

The My Health Data framework, proposed by HHS through the Office of the National Coordinator for Health Information Technology, addresses information blocking under 45 CFR Part 171, which interacts with but does not duplicate HIPAA's privacy framework.

For context on how this regulatory landscape shapes the privacy services sector, see Privacy Provider Network Purpose and Scope.

Common scenarios

Four operational scenarios illustrate where non-HIPAA frameworks govern health data:

Scenario 1 — Consumer health app. A fitness platform collects menstrual cycle data and shares it with third-party advertisers. Because the platform is not a HIPAA covered entity, HIPAA does not apply. The FTC's Health Breach Notification Rule (16 CFR Part 318) requires notification when identifiable health data held by a personal health record vendor is breached — a rule the FTC updated in 2024 to explicitly cover health apps.

Scenario 2 — Direct-to-consumer genetics. A consumer submits a DNA sample to a genealogy service. That data is not covered by HIPAA. The Genetic Information Nondiscrimination Act (Pub. L. 110-233) prohibits use of genetic information in employment and health insurance but does not regulate the primary collection or commercial use of genetic data by non-covered entities.

Scenario 3 — School health records. A student's medication records held by a school district fall under FERPA, not HIPAA, because the school is an educational agency. HIPAA explicitly carves out records covered by FERPA (45 CFR § 164.501).

Scenario 4 — Employer wellness program. An employer-sponsored wellness platform collects biometric screening data. If the employer self-administers the program without routing data through a health plan, EEOC regulations under the ADA and GINA govern the permissible scope of data collection, not HIPAA.

Decision boundaries

Determining which framework applies requires a structured classification analysis. The primary decision variables are:

HIPAA and non-HIPAA frameworks differ materially in their enforcement mechanisms: HIPAA violations are enforced by the HHS Office for Civil Rights, with civil penalties reaching $2,067,813 per violation category per year (HHS OCR Civil Money Penalties), while FTC enforcement proceeds through consent orders and, under the FTC Act, civil penalties of up to $51,744 per violation (FTC Penalty Amounts, adjusted annually).

Privacy professionals navigating multi-framework environments can reference the How to Use This Privacy Resource page for orientation within this network's classification structure.
