As digital health tools, artificial intelligence, and targeted marketing accelerate across the healthcare and consumer health sectors, longstanding cracks in the U.S. regulatory foundation for health data are widening. What was once a system anchored primarily by the Health Insurance Portability and Accountability Act (HIPAA) has become a fragmented landscape in which federal and state authorities impose overlapping, and sometimes conflicting, rules on the use of health data, especially for marketing purposes.
Digital technology and consumer health companies now collect more health data from individuals than traditional healthcare providers do, and they face a high-stakes regulatory minefield. To remain compliant, they must thread the needle between HIPAA’s coverage limits, the Food and Drug Administration’s (FDA) medical device oversight under the Food, Drug, and Cosmetic Act (FD&C Act), the Federal Trade Commission’s (FTC) consumer protection authority under the FTC Act and its Health Breach Notification Rule (HBNR), and a rapidly growing slate of comprehensive state privacy laws.
The emergence of artificial intelligence only heightens the stakes. AI-driven features can infer health status or conditions from non-traditional sources, such as browsing behavior or wearable device data, blurring the line between regulated and unregulated health data. These features introduce novel efficiencies but also uncharted risks, amplifying concerns over data minimization, algorithmic bias, cybersecurity, and consent. This increasingly complex ecosystem demands a recalibration of risk management strategies, compliance protocols, and legal interpretations.
The U.S. health data regulatory landscape is fragmented. HIPAA applies only to traditional healthcare providers, health plans, and their business associates, leaving most consumer health apps and devices outside its scope. The FTC fills some of this gap by regulating non-HIPAA entities through its authority over unfair or deceptive practices and through the HBNR, which now requires notice to both individuals and the FTC when specific health data is disclosed without consent. The FDA adds a further layer by regulating digital health tools that qualify as medical devices, a determination that turns on the claims made about the product, and by policing the line between general wellness claims and medical claims. Although many consumer wellness products have previously avoided FDA oversight by avoiding medical claims, recent actions, such as the recent warning letter1 to Whoop, suggest this loophole may be narrowing.
Adding to this complexity, state laws such as the California Consumer Privacy Act (CCPA), the Colorado Privacy Act (CPA), and Washington’s My Health My Data Act (MHMDA) impose additional, and sometimes conflicting, obligations related to health data because each defines differently which personal data qualifies as health data. The result is not a lack of regulation but a web of overlapping and evolving requirements at both the federal and state levels.
This divided regulation of health data leads to confusion in compliance, particularly as AI-driven personalization and marketing increase the volume, sensitivity, and inferencing ability of the data collected.
The HIPAA Privacy and Security Rules (the HIPAA Rules) establish foundational standards for covered entities and business associates, focusing on the confidentiality, integrity, and availability of protected health information (PHI).2 However, HIPAA’s scope is limited to traditional healthcare providers, health plans, healthcare clearinghouses, and their business associates, leaving a vast array of consumer health apps, wearables, and wellness platforms largely unregulated at the federal level. More specifically, HIPAA applies to individually identifiable health information relating to an individual’s past, present, or future physical or mental health or condition, the provision of care, or payment for care, when that information is created or received by a covered entity or by a business associate on behalf of a covered entity.3
Marketing using PHI has long required an individual’s authorization under HIPAA, with only narrow exceptions. Authorization, which requires a signed document containing specific elements, is a higher bar than opt-in consent under most state privacy laws.4 The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) took the position, in its 2022 tracking technology guidance, that health-related data (e.g., browsing data related to a health condition) that can be linked to an identifiable user, even through an IP address, constitutes PHI and therefore requires the individual’s authorization before disclosure to tracking technology vendors. However, a 2024 decision5 by a federal District Court in Texas vacated part of OCR’s guidance, holding that an IP address combined with a visit to an unauthenticated webpage (e.g., a general landing page without a user login) does not by itself constitute PHI. As a result, such data is not currently treated as subject to HIPAA, although it may still be subject to enforcement under state privacy laws. The Texas court left the remainder of the guidance intact, so unique identifiers that are explicitly used to identify users in conjunction with their health information, as on an authenticated patient portal, may still be PHI subject to HIPAA.
Consumer health companies are regulated as business associates to the extent they perform services for covered entities and receive PHI in doing so; yet most of the health data these companies collect directly from consumers falls outside the scope of HIPAA. The legal landscape surrounding HIPAA is still evolving, however, with ongoing interpretation, enforcement actions, and guidance that could expand regulatory obligations. Companies handling health data should therefore take additional precautions and stay informed about changes in the law.
The FTC steps in for non-HIPAA entities, using its authority to address unfair or deceptive practices in health data collection, sharing, and marketing. In 2023 and 2024, the FTC announced numerous settlements, including with GoodRx, BetterHelp, Easy Healthcare, Monument, and Vitagene, each concerning the disclosure of sensitive health and personal data to third-party advertisers such as Facebook and Google without proper notice and consent. These non-HIPAA entities were also required to comply with the HBNR, which requires companies to notify affected individuals and the FTC of a breach of security involving unsecured identifiable health information, including a breach resulting from an unauthorized disclosure.6 Similar to OCR’s breach portal (the so-called wall of shame), the FTC periodically lists companies that have notified the agency of a breach.7 GoodRx was the first enforcement settlement announced under the HBNR.8 The HBNR was updated in 2024 to make explicit that a reportable breach includes the disclosure of sensitive health information without the consumer’s authorization, not only a cybersecurity intrusion.9
The FDA also plays a role, overseeing digital health products that meet the definition of a medical device, including certain AI/ML-based tools. Because device status turns on a product’s intended use, the FDA pays particular attention to the claims and disclosures that consumer health companies make to consumers. The FDA’s oversight is not specific to health data, but it reaches health companies’ marketing, including disclosures and claims about what a product can diagnose, treat, or measure. Its jurisdiction does not extend to all consumer health technologies, however, and products making only general wellness claims have generally fallen outside it.10 Consumer health companies whose marketing claims amount to general wellness advice have therefore been able to avoid regulation, but the tide may be shifting: a recent warning letter11 sent to Whoop, a maker of wearable fitness trackers, asserted that its blood pressure estimation feature is inherently medical in nature and therefore a device.
State laws such as the CCPA, CPA, and MHMDA add further intricacy by imposing additional, and sometimes conflicting, obligations on data collection, sharing, and security practices, with special attention to sensitive health data. Recent enforcement actions underscore the risks of non-compliance with these state laws. For example, the California Attorney General’s action against Healthline Media highlights the risks of failing to honor privacy principles such as purpose limitation and effective opt-out mechanisms. According to the Attorney General, Healthline transmitted the titles of sensitive health articles viewed by users to advertising vendors even after those users had opted out, and failed both to secure contractual protections from those vendors and to test that its opt-out mechanisms worked.12 This case demonstrates how privacy failures, such as over-collection, inadequate disclosures, or ineffective opt-outs, can quickly become regulatory risks, even for companies outside HIPAA’s direct scope.
Eric Cook is Secretary of the CBA Board of Trustees and serves as Of Counsel and plays an integral role on KMK’s Data Privacy & Cybersecurity Team, where he provides strategic guidance at the intersection of health, emerging technologies, and data privacy. His practice focuses on mitigating regulatory and litigation risks associated with tracking technologies, AI-driven tools, and digital health innovations.
1 fda.gov/inspections-compliance-enforcement-and-criminal-investigations/warning-letters/whoop-inc-709755-07142025
2 hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
3 Id.
4 hhs.gov/hipaa/for-professionals/privacy/guidance/marketing/index.html
5 American Hospital Association et al. v. Becerra et al., No. 4:2023cv01110, Document 67 (N.D. Tex. 2024) (available at law.justia.com/cases/federal/district-courts/texas/txndce/4:2023cv01110/382855/67/).
6 ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0
7 ftc.gov/system/files/ftc_gov/pdf/Health%20Breach%20Notices%20Received%20by%20the%20FTC.pdf
8 ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc
9 ftc.gov/business-guidance/blog/2024/04/updated-ftc-health-breach-notification-rule-puts-new-provisions-place-protect-users-health-apps
10 fda.gov/media/90652/download
11 fda.gov/inspections-compliance-enforcement-and-criminal-investigations/warning-letters/whoop-inc-709755-07142025
12 oag.ca.gov/news/press-releases/attorney-general-bonta-announces-largest-ccpa-settlement-date-secures-155