Monday, April 6, 2026
Adaptive Perspectives, 7-day Insights
Healthcare IT

Your Health Data Is Not as Private as You Think

HIPAA protects less than most people assume. Outside its reach, data brokers sell mental health records for pennies, pharmacies hand prescriptions to police without warrants, and one company's erroneous report can cost you a life insurance policy.


Note: This post was written by Claude Opus 4.6. The following is a synthesis of reporting from Duke University, the FTC, CalMatters, Congressional records, and other sources.

Most Americans believe their health data is protected by law. According to a ClearDATA/Harris Poll survey of 2,000 U.S. adults, 81% mistakenly believe that health data collected by digital health apps is covered by HIPAA. It is not. The gap between what people assume HIPAA does and what it actually covers is enormous — and an entire industry operates in that gap.

What HIPAA Actually Covers

HIPAA applies to “covered entities” — healthcare providers, health plans, and healthcare clearinghouses — and their business associates. That’s it. It does not cover fitness apps, wearable devices, period trackers, mental health apps, data brokers, employer wellness programs, or direct-to-consumer genetic testing companies. If your data passes through any of those channels, HIPAA has nothing to say about it.

An FTC study of 12 mobile health apps found they sent consumer data to 76 third-party companies. More than half of 43 fitness apps analyzed shared data with third-party analytics services. None of this violates HIPAA because none of these apps are covered entities.

The Data Broker Market

The de-identified health data market was valued at $8.8 billion in 2025 and is projected to reach $17.9 billion by 2033. “De-identified” is doing a lot of work in that sentence — researchers have repeatedly demonstrated that combining a few data points like zip code, age, and diagnosis can re-identify individuals.
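The re-identification risk described above is measurable before a dataset is ever released. The following is an added example, not code from the post or from any of the organizations it cites: it takes a constructed, synthetic “de-identified” table (zip code, age, diagnosis; no real patients), computes its k-anonymity and l-diversity over the zip/age quasi-identifiers, lists the records that are unique on those fields, and then shows how coarsening zip codes and age buckets raises k at the cost of detail. The record layout, the `GENERALIZATION_LADDER` settings and the function names are all assumptions made for this example.

```python
from collections import Counter

# Constructed, synthetic "de-identified" release (not real patients, not from the
# post): direct identifiers are stripped, but zip code and age remain alongside
# the diagnosis. zip and age are the quasi-identifiers that an outside dataset
# (voter rolls, marketing lists) typically also carries.
RECORDS = [
    {"zip": "02138", "age": 34, "diagnosis": "depression"},
    {"zip": "02139", "age": 36, "diagnosis": "anxiety"},
    {"zip": "02141", "age": 31, "diagnosis": "ADHD"},
    {"zip": "02139", "age": 51, "diagnosis": "bipolar"},
    {"zip": "02138", "age": 55, "diagnosis": "insomnia"},
    {"zip": "02140", "age": 29, "diagnosis": "ADHD"},
    {"zip": "02141", "age": 24, "diagnosis": "depression"},
    {"zip": "02138", "age": 67, "diagnosis": "depression"},
    {"zip": "02140", "age": 63, "diagnosis": "anxiety"},
    {"zip": "02139", "age": 51, "diagnosis": "insomnia"},
]

QUASI_IDENTIFIERS = ("zip", "age")  # assumed quasi-identifier columns
SENSITIVE = "diagnosis"             # assumed sensitive column


def _qi(record, keys):
    """The quasi-identifier tuple that an outside dataset could match on."""
    return tuple(record[k] for k in keys)


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(_qi(r, keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """k = size of the smallest class; k == 1 means some record is unique."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0


def unique_records(records, keys=QUASI_IDENTIFIERS):
    """Records whose zip/age combination appears exactly once: these are the
    ones that any dataset carrying zip and age would single out."""
    classes = equivalence_classes(records, keys)
    return [r for r in records if classes[_qi(r, keys)] == 1]


def l_diversity(records, keys=QUASI_IDENTIFIERS, sensitive=SENSITIVE):
    """l = fewest distinct sensitive values inside any class. Even with k >= 2,
    a class where everyone has the same diagnosis still leaks that diagnosis."""
    groups = {}
    for r in records:
        groups.setdefault(_qi(r, keys), set()).add(r[sensitive])
    return min(len(v) for v in groups.values()) if groups else 0


def generalize(record, zip_digits=3, age_bucket=10):
    """Coarsen one record: keep only the leading zip digits and report age as
    a bucket. This is the standard mitigation applied before release."""
    g = dict(record)
    g["zip"] = record["zip"][:zip_digits] + "*" * (len(record["zip"]) - zip_digits)
    low = (record["age"] // age_bucket) * age_bucket
    g["age"] = f"{low}-{low + age_bucket - 1}"
    return g


def generalize_all(records, zip_digits=3, age_bucket=10):
    return [generalize(r, zip_digits, age_bucket) for r in records]


# Progressively coarser (zip_digits, age_bucket) settings; each step trades
# analytic detail for privacy. The ladder itself is an assumption of this example.
GENERALIZATION_LADDER = [(5, 1), (3, 10), (3, 20), (0, 20), (0, 40)]


def generalize_until(records, k_target, ladder=GENERALIZATION_LADDER):
    """Walk the ladder until the release meets k_target; (None, None) if never."""
    for zip_digits, age_bucket in ladder:
        candidate = generalize_all(records, zip_digits, age_bucket)
        if k_anonymity(candidate) >= k_target:
            return (zip_digits, age_bucket), candidate
    return None, None


if __name__ == "__main__":
    print("raw release: k =", k_anonymity(RECORDS), "l =", l_diversity(RECORDS),
          "unique records =", len(unique_records(RECORDS)))
    setting, release = generalize_until(RECORDS, k_target=2)
    print("generalized to", setting, "k =", k_anonymity(release),
          "l =", l_diversity(release))
```

On the raw table eight of the ten records are unique on zip and age, so k is 1 and each of those eight is exposed to a linkage against any list that carries the same two fields. Truncating zip codes to three digits and bucketing ages into decades lifts k to 2, and reaching k of 3 with this ladder requires dropping the zip code entirely and using 40-year age bands, which is the trade-off that makes “de-identified” a weaker guarantee than it sounds.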

A landmark 2023 study from Duke University’s Sanford School of Public Policy contacted 37 data brokers about purchasing mental health data. Eleven were willing to sell. The data included records on individuals with depression, anxiety, ADHD, bipolar disorder, and insomnia — bundled with ethnicity, age, zip code, net worth, and credit score. The price: as low as $275 for 5,000 records. Minimal vetting of buyers was performed.

This is not hypothetical harm. The FTC fined GoodRx $1.5 million in 2023 for sharing prescription data and health conditions with Facebook, Google, and Criteo. BetterHelp, the online therapy platform, was fined $7.8 million for sharing therapy data with advertisers while falsely claiming HIPAA compliance.

Pharmacies and Law Enforcement

A Congressional investigation found that the nation’s largest pharmacy chains — CVS Health, Kroger, and Rite Aid among them — hand over prescription records to law enforcement without requiring a warrant. None of the eight chains studied required a warrant, and some did not even require legal review before releasing patient records. Your prescription history — antidepressants, pain management, anything — can be accessed by law enforcement with nothing more than a request.

The Report That Follows You

One company illustrates how health data can go wrong in ways most people never see coming. Milliman IntelliScript, registered with the Consumer Financial Protection Bureau as a consumer reporting agency, aggregates prescription histories, medical claims, and billing codes from pharmacies, insurers, and pharmacy benefit managers. It then sells these reports to life and health insurance underwriters.

The reports are generated when a consumer signs a HIPAA authorization as part of an insurance application โ€” often buried in pages of consent forms. But the underlying database is built from data flows that most people have no idea exist.

And the data is not always right. In one class-action lawsuit, a plaintiff’s IntelliScript report contained 13 medications never prescribed and 176 entries for medical care never received, including false diagnoses of osteoarthritis, diabetes, liver disease, and sleep apnea. Life insurance was denied. Another plaintiff’s report listed 15 medications never prescribed and over 1,000 records of treatments never received. A recent Reddit post described being denied life insurance after an IntelliScript report falsely indicated HIV and gastric cancer — the result of incorrect ICD codes entered by a physician’s office and a lab seven and eight years earlier.

These errors originate in the same medical coding systems that healthcare organizations use every day. An incorrect ICD code in a billing system can follow a patient for a decade through channels they never knew existed.

What’s Being Done

The legislative response is still early. Senator Bill Cassidy introduced the Health Information Privacy Reform Act (HIPRA) in November 2025, which would extend HIPAA-like protections to health apps, wearables, wellness platforms, and providers who only accept cash pay. It remains in committee. Washington state’s My Health My Data Act, the first state law specifically targeting consumer health data outside HIPAA, took effect in March 2024. Nevada has passed similar protections. More states are expected to follow.

The FTC has also started using the Health Breach Notification Rule — a dormant authority from 2009 — to go after non-HIPAA entities that mishandle health data. The GoodRx and BetterHelp actions were brought under this rule. But enforcement is reactive and the penalties are small relative to the market.

The Reality

None of this is likely to change quickly. The health data economy is too large, too entrenched, and too profitable. What people can do is understand that HIPAA is not the comprehensive shield they assume it to be. Every health app downloaded, every prescription filled, and every fitness tracker worn generates data that may end up somewhere its owner never intended — and that, for now, is perfectly legal.
