Healthcare Privacy (HIPAA) in Apps: What "HIPAA-Compliant" Actually Requires
Health and wellness apps have exploded in popularity, with users tracking everything from menstrual cycles to mental health to chronic conditions. When evaluating these apps, you might notice claims of being "HIPAA-compliant" or "secure and private." But what do these claims actually mean? And when does a health app actually fall under HIPAA's strict privacy protections versus merely claiming to follow similar standards?
The distinction matters enormously for your health data privacy. Understanding when HIPAA applies, what compliance actually requires, and how to evaluate health app privacy claims helps you make informed decisions about entrusting apps with your most sensitive personal information.
When HIPAA Actually Applies to Health Apps
The Health Insurance Portability and Accountability Act (HIPAA) and its Privacy Rule don't apply to all health-related apps—far from it. HIPAA applies only to "covered entities" (health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically) and their "business associates" (vendors who handle protected health information on their behalf).
The Coverage Gap
Most consumer health apps operate outside HIPAA's scope:
Direct-to-consumer apps: Apps you download directly from app stores, create accounts for, and use without healthcare provider involvement generally aren't subject to HIPAA.
Wellness vs. healthcare: Apps focused on general wellness, fitness, and lifestyle—even if health-related—typically fall outside HIPAA. Only apps handling "protected health information" (PHI) in connection with healthcare services are covered.
No covered entity relationship: If your doctor didn't prescribe the app, your insurer doesn't pay for it, and no healthcare provider is involved in your use of it, HIPAA probably doesn't apply.
When HIPAA Does Apply
HIPAA covers health apps when:
Provider-prescribed apps: Your healthcare provider offers the app as part of treatment, and the app receives PHI from the provider.
Business associate arrangements: The app developer has a Business Associate Agreement (BAA) with a covered entity and handles PHI on their behalf.
Health plan apps: Apps provided by your health insurance plan that access your claims or coverage information.
Hospital system apps: Patient portals and apps provided by healthcare systems that access medical records.
Example: If your doctor recommends a diabetes tracking app and the app receives your medical records from the doctor's office, the app is likely a business associate subject to HIPAA. If you independently download the same app and manually input your data, HIPAA likely doesn't apply.
What "HIPAA-Compliant" Claims Really Mean
Many apps claim to be "HIPAA-compliant" even when HIPAA doesn't actually apply to them. These claims typically mean one of three things:
1. Voluntary HIPAA Standards Adoption
Some apps voluntarily implement HIPAA's security and privacy standards as a competitive differentiator, even when not legally required. This is commendable but not the same as HIPAA regulation.
What to look for: Ask whether the app has a Business Associate Agreement with any covered entity. If not, "HIPAA-compliant" likely means self-certified adherence to similar standards.
2. Technical Security Measures
Apps may claim HIPAA compliance based solely on technical security implementations—encryption, access controls, audit logging—without the full legal framework of HIPAA.
What to look for: HIPAA requires more than technical security. It includes specific privacy practices, patient rights, breach notification procedures, and administrative safeguards. Technical measures alone don't equal HIPAA compliance.
3. Marketing Misdirection
Unfortunately, some apps use "HIPAA-compliant" as marketing language without meaningful basis, counting on users not understanding HIPAA's limited scope.
What to look for: Verify claims by asking specific questions about BAAs, covered entity relationships, and how the app handles PHI.
Business Associate Agreements: The Key Document
When HIPAA does apply, the Business Associate Agreement (BAA) is the critical document defining privacy obligations. If an app claims HIPAA compliance but can't produce a BAA with a covered entity, be skeptical.
BAA Requirements
Business Associate Agreements must specify:
Permitted uses and disclosures: Exactly how the business associate can use PHI—typically limited to purposes necessary to provide services to the covered entity.
Safeguards: The specific administrative, physical, and technical safeguards the business associate will implement.
Reporting obligations: Requirements to report security incidents and breaches to the covered entity.
Subcontractor agreements: Requirements that any subcontractors handling PHI also agree to HIPAA obligations.
Termination provisions: Requirements to return or destroy PHI upon agreement termination.
Obligation to comply: A direct obligation to comply with the HIPAA Security Rule and the applicable Privacy Rule requirements.
The Flo Health Settlement: A Cautionary Tale
In 2021, the FTC settled with Flo Health, a popular period tracking app, over allegations that despite promising to keep health data private, the company shared sensitive user information with Facebook, Google, and other third parties for advertising purposes.
Critically, Flo Health was not a HIPAA-covered entity or business associate—the FTC acted under Section 5 of the FTC Act, which prohibits unfair or deceptive practices. This case illustrates that even when HIPAA doesn't apply, health apps face privacy regulation through consumer protection laws.
The settlement required Flo Health to:
- Obtain users' affirmative express consent before sharing health information
- Notify users about the unauthorized disclosures
- Implement a comprehensive privacy program
- Obtain independent privacy assessments
What HIPAA Compliance Actually Requires
For apps that are covered by HIPAA, compliance involves three major rule sets:
The Privacy Rule
The Privacy Rule establishes standards for protecting individuals' medical records and other PHI. Key requirements include:
Minimum necessary standard: Using or disclosing only the minimum PHI necessary to accomplish the intended purpose.
Individual rights: Providing individuals with the right to access and amend their PHI and to receive an accounting of disclosures of it.
Notice of Privacy Practices: Providing individuals with notice of how their PHI will be used and disclosed.
Authorization requirements: Obtaining specific authorization for most uses and disclosures not for treatment, payment, or healthcare operations.
The Security Rule
The Security Rule establishes safeguards for electronic PHI (ePHI):
Administrative safeguards: Security management processes, workforce training, security awareness, access management, and security incident procedures.
Physical safeguards: Facility access controls, workstation security, and device and media controls.
Technical safeguards: Access controls, audit controls, integrity controls, person/entity authentication, and transmission security.
The Breach Notification Rule
The Breach Notification Rule requires covered entities and business associates to:
Notify affected individuals: Within 60 days of discovering a breach affecting their unsecured PHI.
Notify HHS: Report breaches affecting 500 or more individuals to the Department of Health and Human Services immediately; report smaller breaches annually.
Notify media: For breaches affecting 500 or more individuals in a state or jurisdiction, notify prominent media outlets.
FTC Act Regulation: Privacy for Non-HIPAA Apps
When HIPAA doesn't apply to health apps, the Federal Trade Commission (FTC) fills some of the gap through the FTC Act's prohibition on unfair or deceptive practices. The FTC has actively enforced against health apps that misrepresent their privacy practices.
Deception Enforcement
The FTC pursues health apps that:
- Promise privacy protections they don't actually provide
- Share data with third parties contrary to privacy policy promises
- Fail to implement promised security measures
- Use dark patterns to trick users into sharing more data than intended
The Health Breach Notification Rule
In 2024, the FTC finalized updates to the Health Breach Notification Rule, clarifying that it applies to health apps and similar technologies not covered by HIPAA. This rule requires vendors of personal health records and related entities to notify consumers, the FTC, and sometimes media when security breaches occur.
Key updates include:
- Explicit coverage of health apps and connected devices
- Specific notification timelines (60 days, similar to HIPAA)
- Expanded definition of "breach" to include unauthorized access, not just acquisition
State Law Protections
Beyond federal HIPAA and FTC requirements, state laws increasingly protect health data privacy:
California Consumer Privacy Act (CCPA/CPRA)
California's comprehensive privacy law grants consumers rights over their personal information, including health data collected by apps. The California Privacy Rights Act (CPRA), effective 2023, created a new category of "sensitive personal information" that includes health data, with enhanced protections and opt-out rights.
State-Specific Health Privacy Laws
States including Washington, Connecticut, and Virginia have enacted comprehensive privacy laws with specific health data protections. Other states have health-specific statutes protecting certain categories of health information.
The Washington My Health My Data Act
Washington state's My Health My Data Act, effective 2024, specifically targets health apps not covered by HIPAA. It:
- Requires explicit consent for collecting, sharing, or selling consumer health data
- Grants consumers rights to access, delete, and withdraw consent
- Prohibits geofencing around healthcare facilities
- Creates a private right of action for violations
This law represents a potential template for other states seeking to close the HIPAA gap for consumer health apps.
Evaluating Health App Privacy: A User Checklist
When choosing a health app, assess privacy protections using this framework:
Is HIPAA Compliance Claimed?
- Does the app claim to be HIPAA-compliant?
- Can they explain the basis for this claim (BAA with covered entity)?
- Is the app provided by your healthcare provider or insurer?
Data Practices
- What data does the app collect beyond what's necessary for functionality?
- Does the app share data with third parties? For what purposes?
- Is data used for advertising or monetization?
- Can you access, export, and delete your data?
Security Measures
- Does the app use encryption for data in transit and at rest?
- Does the app implement strong authentication (not just passwords)?
- Has the app published security practices or undergone audits?
Privacy Policy Quality
- Is the privacy policy clear and specific about health data handling?
- Does the policy distinguish between HIPAA-covered and non-covered data handling?
- Are data retention and deletion policies specified?
Company Reputation
- Has the company faced FTC enforcement or privacy complaints?
- Does the company have a track record of privacy-focused practices?
- Is the company transparent about ownership and data practices?
The Reproductive Health Data Exception
Following the Supreme Court's Dobbs decision overturning Roe v. Wade, concerns about reproductive health data in apps have intensified. Period tracking apps, fertility trackers, and pregnancy apps collect data that could be used in abortion-related prosecutions.
Key considerations:
- HIPAA generally protects reproductive health information in covered healthcare contexts
- Consumer apps not covered by HIPAA may share data with law enforcement under certain circumstances
- Some apps have implemented additional protections specifically for reproductive health data
- Cross-border data flows may implicate foreign jurisdictions' data access laws
Users concerned about reproductive health data privacy should:
- Understand that HIPAA doesn't protect data in most consumer apps
- Consider apps that explicitly commit not to share data with law enforcement
- Review whether data is stored in jurisdictions with protective or hostile reproductive health laws
- Consider local-only data storage options where available
Practical Recommendations
For users navigating health app privacy:
Prefer provider-connected apps: When your healthcare provider offers an app as part of your care, it's likely a HIPAA business associate with stronger protections than consumer alternatives.
Read privacy policies carefully: Don't rely on app store descriptions or marketing claims. The privacy policy reveals actual data practices.
Limit permissions: Grant only the minimum permissions necessary for app functionality. Does a meditation app really need location access?
Use privacy-focused alternatives: Some health apps specifically market on privacy, offering local storage, end-to-end encryption, and no data sharing.
Audit your data regularly: Periodically review which health apps you're using and whether you still need them. Delete apps you no longer use.
Understand export options: Before committing extensive data to an app, verify you can export your data in usable formats if you decide to switch.
Conclusion
The "HIPAA-compliant" label on health apps often obscures more than it reveals. HIPAA applies to a relatively narrow set of health apps—those connected to healthcare providers, health plans, or their business associates. Most consumer health apps operate in a regulatory gap where HIPAA doesn't apply, leaving users to rely on the FTC Act, state privacy laws, and company self-regulation.
Understanding this landscape helps you evaluate health app privacy claims critically. When an app claims HIPAA compliance, ask the follow-up questions: What covered entity relationship creates this obligation? Where is the Business Associate Agreement? What specific HIPAA rules does the app follow?
For apps outside HIPAA's scope, examine actual privacy practices rather than regulatory claims. The FTC's enforcement against Flo Health demonstrates that consumer protection laws provide some recourse against deceptive health app practices, but prevention through informed selection remains your best protection.
Your health data is among the most sensitive information about you. Understanding who protects it—and who doesn't—empowers you to make choices that align with your privacy expectations.