Marketing, AI, & Health Data Regulation
Navigating a Fragmented Legal Landscape
By Eric Cook
As digital health tools, artificial intelligence, and targeted marketing accelerate across the healthcare and consumer health sectors, longstanding gaps in the U.S. regulatory foundation for health data are becoming harder to navigate. What was once a system anchored primarily by the Health Insurance Portability and Accountability Act (HIPAA) has become a fragmented landscape in which federal and state authorities impose overlapping, and sometimes conflicting, rules on the use of health data, especially for marketing purposes.
Digital technology and consumer health companies now collect more health data from individuals than traditional healthcare providers do, and they face a high-stakes regulatory minefield. To remain compliant, they must thread the needle between HIPAA's coverage limits, the Food and Drug Administration's (FDA) medical device oversight under the Federal Food, Drug, and Cosmetic Act (FD&C Act), the Federal Trade Commission's (FTC) consumer protection authority under the FTC Act and its Health Breach Notification Rule (HBNR), and a rapidly growing slate of comprehensive state privacy laws.
The emergence of artificial intelligence only heightens the stakes. AI-driven features can infer a person's health status or conditions from non-traditional sources, such as browsing behavior or wearable device data, blurring the line between regulated and unregulated health data. Some state laws already reach such inferences: Washington's My Health My Data Act, for instance, expressly defines consumer health data to include information derived or extrapolated from non-health information through algorithms or machine learning. These features introduce not only novel efficiencies but also uncharted risks, amplifying concerns over data minimization, algorithmic bias, cybersecurity, and consent. This increasingly complex ecosystem demands a recalibration of risk management strategies, compliance protocols, and legal interpretations.
The Current Regulatory Landscape: Overlapping and Divergent Frameworks
The U.S. health data regulatory landscape is fragmented. HIPAA applies only to covered entities, chiefly traditional healthcare providers and health insurers, and to their business associates, leaving most consumer health apps and devices outside its scope. The FTC fills part of this gap by regulating non-HIPAA entities through its authority over unfair and deceptive practices and through the HBNR, which, as amended in 2024, treats an unauthorized disclosure of identifiable health information without consent as a breach and requires notice to affected individuals and the FTC (and, for larger breaches, the media). The FDA adds another layer: whether a digital health tool is a regulated medical device turns largely on its intended use, which the FDA infers from the product's marketing claims, so a claim that moves a product beyond "general wellness" into diagnosing, treating, or monitoring a condition can bring it under the FD&C Act. Although many consumer wellness products have previously avoided FDA oversight by avoiding medical claims, recent actions, such as the warning letter [1] to Whoop, suggest this loophole may be narrowing.
Adding to this complexity, state laws such as the California Consumer Privacy Act (CCPA), the Colorado Privacy Act (CPA), and the Washington My Health My Data Act (MHMDA) impose additional, and sometimes conflicting, obligations on health data, because each defines differently which personal data qualifies as health data. The result is not a lack of regulation but a web of overlapping and evolving requirements at both the federal and state levels.
This divided regulation of health data leads to confusion in compliance, particularly as AI-driven personalization and marketing increase the volume and sensitivity of the data collected and the inferences that can be drawn from it.
THE REPORT | September/October 2025 | CincyBar.org 11