Regulators crack down on non-HIPAA health data practices
New enforcement trends are expanding how courts and regulators police sensitive health data outside HIPAA’s reach.
What happened

According to The National Law Review, digital health companies that fall outside the scope of HIPAA are now facing increased enforcement for sharing sensitive health data without meaningful consent. Regulatory agencies, state attorneys general, and private litigants are using a combination of existing federal and state laws, including consumer protection rules and wiretapping statutes, to pursue legal action against platforms with opaque or misleading data practices.

At the heart of this shift is a focus on companies that collect, track, or share health-adjacent data, such as through mobile apps, SDKs, or AI-powered tools, without clearly informing users or obtaining valid consent.
Going deeper

Several legal authorities are being used to hold digital health and wellness platforms accountable:

  • Section 5 of the FTC Act targets deceptive practices, especially where privacy policies say one thing but companies do another. A recent FTC case treated undisclosed third-party sharing via tracking tools as an unfair practice, resulting in fines and mandatory privacy programs.
  • HITECH Act’s Health Breach Notification Rule is now being applied more widely. The FTC has clarified that health apps, connected devices, and APIs fall under this rule, requiring breach notifications even if a company is not a HIPAA-covered entity.
  • State privacy statutes in places like California and Washington allow both regulators and consumers to pursue violations. These laws often treat health-related data as especially sensitive, regardless of whether the company is a healthcare provider.
  • Wiretapping laws are being interpreted to include embedded tracking technologies, such as SDKs or call recording tools, when they capture sensitive communications like reproductive health details without adequate disclosure. One example includes a class action over AI-powered call recording that allegedly intercepted patient conversations without consent.

What was said

The authors note that privacy enforcement is no longer limited to traditional healthcare entities. They state that simply being outside HIPAA’s scope is no longer sufficient protection. Any public claims about privacy practices must accurately reflect actual data behavior, and companies should assume that trackers and analytics tools could fall under scrutiny.

“Being outside the scope of HIPAA is no shield,” they write, “consumer protection laws, wiretapping statutes, and class actions are filling the gap.”
FAQs

What is the difference between HIPAA and the HITECH Health Breach Notification Rule?

HIPAA applies to covered entities like healthcare providers and insurers, while the HITECH Rule fills the gap by requiring breach notifications from non-HIPAA vendors such as health apps and device makers.
Can consumer health apps be sued under wiretapping laws?

Yes. If apps or tools record or transmit sensitive user data without clear consent, especially via SDKs or call recordings, they may be liable under broad interpretations of wiretapping statutes.
What types of data are considered “health-adjacent”?

This includes information like menstrual tracking, fitness patterns, medication reminders, behavioral health indicators, and any other data linked to personal health, even if collected outside of clinical settings.
How can digital health companies reduce legal exposure?

They should audit their tracking tools, data flows, and third-party integrations to ensure all privacy disclosures are accurate and that consent mechanisms are clear and specific to the type of data being collected.
Are class action lawsuits a growing risk in this space?

Yes. With many state privacy laws granting private rights of action, companies can face class actions over undisclosed data practices, significantly increasing potential liability.