THE REPORT | September/October 2025 | CincyBar.org

Operational
To effectively manage the complex and evolving regulatory landscape surrounding health data, consumer health
1. Take a holistic, proactive approach to compliance: map and minimize health data, collect only what is necessary, and secure sensitive data with strong access controls.
2. Regularly test and verify privacy controls and opt-out mechanisms to confirm they work as intended; enforcement actions like Healthline demonstrate the risks of inadequate implementation.
3. Design granular, unbundled consent flows and keep records of user choices to comply with laws that require opt-in consent or explicit authorization.
4. Strengthen vendor governance by updating contracts to include the required privacy terms, prohibit improper data use, and require compliance attestations and audit rights. Review agreements regularly and do not assume third-party compliance.
HIPAA’s Reach
The HIPAA Privacy and Security Rules (the HIPAA Rules) establish foundational standards for covered entities and business associates, focusing on the confidentiality, integrity, and availability of protected health information (PHI).[2] However, HIPAA's scope is limited to traditional healthcare providers, insurers, and their business associates, leaving a vast array of consumer health apps, wearables, and wellness platforms largely outside HIPAA's reach. More specifically, HIPAA applies to individually identifiable health information relating to an individual's past, present, or future physical or mental health or condition, the provision of care, or payment for care, when that information is created or received by a covered entity, or by a business associate on behalf of a covered entity.[3]
Marketing has always required an individual's authorization under HIPAA. Authorization, which requires a signed document containing specific required elements, is a higher bar than the opt-in consent required under most state privacy laws.[4]
The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) took the position, in its 2022 tracking technology guidance, that any health data (e.g., browsing data related to a health condition) that can be linked to an identifiable user, even through an IP address alone, constitutes PHI, requiring authorization from the individual. However, a recent decision[5] by a federal district court in Texas vacated part of OCR's guidance, holding that an IP address coupled with browsing history on an unauthenticated web page (e.g., a general landing page with no user login) does not constitute PHI. As a result, such data is not currently considered subject to HIPAA, though it may still be subject to enforcement under state privacy laws. The Texas court left the remainder of the guidance intact, however, so unique identifiers explicitly used to identify users in conjunction with their health information could still be considered PHI subject to HIPAA.
Consumer health companies are regulated as business associates to the extent they engage with traditional healthcare providers and receive PHI on their behalf; yet most of the health data these companies collect falls outside the scope of HIPAA. But the legal landscape surrounding HIPAA is evolving through ongoing interpretation, enforcement actions, and guidance, any of which could expand regulatory obligations. Companies handling health data should therefore take additional precautions and stay informed about changes in the law.
The FTC, FDA, & State Privacy Law's Role: Regulation beyond HIPAA
The FTC steps in for non-HIPAA entities, using its authority to address unfair or deceptive practices in health data collection, sharing, and marketing. During the prior administration, the FTC announced numerous settlements, including with GoodRx, BetterHelp, Easy Healthcare, Monument, and Vitagene, all concerning the disclosure of sensitive health and personal data to third-party advertisers such as Facebook and Google without proper notice and consent. In addition, these non-HIPAA entities were required to comply with the Health Breach Notification Rule (HBNR), which requires them to notify affected individuals and the FTC when a breach results in the unauthorized disclosure of sensitive health information.[6] Similar to OCR's "wall of shame," the FTC periodically lists companies that have notified the agency of a breach.[7] GoodRx was the first enforcement settlement announced under the HBNR.[8] The HBNR was recently updated to make explicit that a notifiable breach includes the disclosure of sensitive health information without a consumer's consent, not only a security intrusion.[9]
The FDA also plays a role, overseeing digital health products that meet the definition of a medical device, including certain AI/ML-based tools, with a particular focus on the claims and disclosures consumer health companies make to consumers. While the FDA's oversight is not specific to health data, it extends to these companies' marketing, including disclosures, claims, and general consumer protection. Its jurisdiction does not, however, extend to all consumer health technologies, particularly those making only general wellness claims.[10] Consumer health companies whose marketing claims amount to general wellness advice have generally been able to avoid FDA regulation; the tide may be shifting, though, as shown by a recent warning letter[11] sent to Whoop, the maker of a wearable fitness tracker, concerning the inherently medical nature of its blood pressure estimation feature.