Is your health app covered by HIPAA? (Usually not.)
Many people assume a health app is protected by HIPAA. Most consumer apps are not. Here is what actually governs the data you enter — and what that means for you.
Key takeaways
- HIPAA protects specific information held by specific organizations — mainly health providers, health plans, and their business associates. It does not cover most consumer apps.
- A standalone wellness or nutrition app you download yourself usually falls outside HIPAA, even when it holds detailed health information.
- What protects that data instead is a patchwork of FTC rules and state privacy laws — and, in practice, the specific privacy policy of the app you use.
What does HIPAA actually cover?
HIPAA is often assumed to be a blanket shield over anything health-related. It is narrower than that. The law was written to govern how your medical records move between the people providing your care and the people paying for it. It keys on who holds the data and why — not on how sensitive the information feels.
Under HIPAA, the regulated parties are "covered entities" (health providers, health plans, and health-care clearinghouses) and the "business associates" that handle protected health information on their behalf. If an organization isn't one of those, HIPAA generally doesn't reach it, no matter how personal the data it collects.
Is your app covered? Usually not.
Most apps people download on their own — to log meals, track supplements, follow a cycle, or read health articles — aren't acting for a provider or a health plan. They sit outside the covered-entity definition, so HIPAA usually doesn't apply. The same app can be inside or outside HIPAA depending entirely on how it reaches you:
| How you got the app | Covered by HIPAA? | What governs the data instead |
|---|---|---|
| Your clinic's patient portal | Usually yes | HIPAA — the provider is a covered entity |
| An app a provider has handle records for them | Usually yes | HIPAA — the app is a business associate |
| A wellness or nutrition app you downloaded yourself | Usually no | FTC rules, state privacy laws, and the app's own policy |
The point isn't that consumer apps are lawless — it's that a different set of rules applies, and "HIPAA-protected" is the wrong thing to look for.
What protects your data instead
When HIPAA doesn't apply, two things do most of the work:
- The FTC's Health Breach Notification Rule, which requires many health apps outside HIPAA to notify both users and the FTC when identifiable health data is exposed without authorization.
- State privacy laws — broad ones like California's CCPA and health-specific ones like Washington's My Health My Data Act — which can grant rights to access, delete, or limit the sharing of health data regardless of HIPAA.
How to check a specific app
Because coverage turns on details, the practical move is to read what a specific app commits to rather than assume. A few things worth looking for:
- Whether the policy says data is sold or shared with advertisers or data brokers.
- Whether you can delete your data, and what actually happens when you do.
- Whether the app names the laws or rights that apply to you, such as state privacy rights or breach notification.
A short, specific privacy policy that names what it does — and doesn't do — tells you more than the presence or absence of the word "HIPAA."
References (4)
- HHS — Covered Entities and Business Associates — U.S. Department of Health and Human Services
- FTC — Health Breach Notification Rule (16 CFR Part 318) — U.S. Federal Trade Commission / eCFR
- FTC — Collecting, Using, or Sharing Consumer Health Information? (business guidance) — U.S. Federal Trade Commission
- Washington My Health My Data Act — Washington State Office of the Attorney General
Wellthrive
Get early access to Wellthrive
Join the waitlist for Wellthrive — a nutrition and wellness app for clearer, more practical health decisions.
Get early access to Wellthrive
