"HIPAA protects your medical information" is something almost everyone knows. What almost no one knows is how narrow that protection actually is, and the massive gap that leaves your health data exposed through completely legal channels.
What HIPAA Actually Covers
HIPAA (the Health Insurance Portability and Accountability Act) applies to "covered entities": healthcare providers (doctors, hospitals, clinics), health plans (insurance companies), and healthcare clearinghouses (companies that process health billing). It also applies to their "business associates" — contractors who handle protected health information on their behalf.
When you see a doctor, your medical records are protected. Your insurance company can't share your health history without your consent. Your hospital can't sell your diagnosis to an advertiser.
What HIPAA Does NOT Cover
Here's the gap: HIPAA only covers the entities listed above. The vast majority of health data collected today is collected by entities HIPAA doesn't cover:
- Fitness trackers and apps (Fitbit, Apple Health, period tracking apps) — not covered
- Mental health apps (Calm, BetterHelp, Talkspace) — not covered
- Search engines and websites where you research symptoms — not covered
- Grocery and pharmacy loyalty programs — not covered
- Direct-to-consumer genetic testing (23andMe, AncestryDNA) — not covered
- Life and disability insurers (separate from health insurers) — not covered
Real Consequences
BetterHelp, the mental health platform, paid $7.8 million in FTC settlements in 2023 for sharing users' mental health data — including whether they'd previously been in therapy — with Facebook and Snapchat for advertising targeting. This was not a HIPAA violation because BetterHelp is not a covered entity.
Period tracking apps were scrutinized after the Dobbs decision, with concern that data showing menstrual cycles and missed periods could be subpoenaed in states with abortion restrictions. None of this data is HIPAA-protected.
Protecting Your Non-HIPAA Health Data
Be selective about which apps have access to your health data. Review the privacy policies of any health, wellness, or fitness app before using it — specifically look for what they share with third parties and whether they sell data. Avoid apps that require more personal information than is necessary. Use Apple Health's granular permissions to limit what health data each app can access.
For sensitive health searches, use a privacy-focused search engine (DuckDuckGo) in a browser not logged into any account.