Wil Schuehler, Contributing Member 2025-2026
Intellectual Property and Computer Law Journal
I. Introduction
Eighty-one percent of Americans believe health data collected by mobile apps is protected under the Health Insurance Portability and Accountability Act (HIPAA). However, this is not true.[1] This blog explores existing privacy gaps under federal statutes and agency rules. Collectively, these rules and regulations create loopholes that leave millions of consumers exposed to personal health data leaks. Part II examines existing privacy gaps, concerns, and current enforcement limitations under HIPAA, the Federal Trade Commission (FTC), and the Health Breach Notification Rule (HBNR). Part III proposes a solution to close gaps by incorporating health apps under the HBNR with preventative safeguards. Finally, Part IV concludes by arguing existing rules and regulations must be bolstered to match the public’s perception of data privacy.
II. Background: Current Privacy Frameworks
HIPAA’s Narrow Scope: Limits on Protection
Enacted in 1996, HIPAA established national standards protecting medical records and personal health information (“PHI”)[2] for covered entities (health plans and providers) and their business associates[3] who create, receive, or maintain health information.[4] However, HIPAA does not apply to consumer health or wellness data collected by apps like Flo, GoodRx, BetterHelp, FitBit, or Strava,[5] because these apps are neither classified as covered entities nor business associates under HIPAA. This gap leaves large volumes of consumer health data outside the scope of federal privacy protections, setting the stage for other regulatory approaches to fill the gap.
FTC Privacy Enforcement: Reactive Protection
To address HIPAA’s limitations, the FTC relies on two primary authorities. First, Section 5 of the FTC Act prohibits unfair or deceptive practices, including those involving personal data collection, use, or disclosure.[6] This section applies to all persons engaged in commerce, which includes virtually all health app developers.[7] Second, the HBNR requires vendors of personal health records (PHR), PHR-related entities, and certain service providers to notify consumers, regulators, and frequently the media of data breaches.[8] Notably, health apps that fall outside HIPAA must still adhere to the HBNR when they fall into one of these listed categories.[9]
In 2024, the FTC revised the HBNR, expanding the definition of a “breach of security”[10] to include the unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure.[11] The revision also clarified that mobile health apps can qualify as PHR-entities[12] if they access or transmit unsecured PHR information.[13] However, this approach still remains largely reactive in nature.
FTC Enforcement Actions
FTC enforcement actions against GoodRx and BetterHelp illustrate the agency’s enforcement model. In 2023, the FTC alleged that GoodRx improperly shared user data with third parties, misrepresented HIPAA compliance, and failed to implement adequate safeguards.[14] GoodRx paid $1.5 million in penalties for violating the HBNR and was ordered to stop sharing data for advertising, obtain user consent for disclosures, implement a privacy program, and limit data retention.[15]
Later that same year, the FTC fined BetterHelp $7.8 million for similar conduct by proving that BetterHelp disclosed consumers’ email addresses, IP addresses, and health questionnaire information to third parties like Facebook, Snapchat, Criteo, and Pinterest for advertisement purposes, despite promising consumers that their personal healthcare data would be protected.[16] Similarly to GoodRx, BetterHelp was prohibited from data-sharing for advertising purposes and was required to implement a privacy program.[17] Collectively, these cases highlight the FTC’s role in addressing privacy breaches while simultaneously underscoring the flawed, reactive nature of current protections that apply only after privacy violations occur.
III. Discussion
Limitations of Current Protections
The data privacy protections provided by HIPAA and the HBNR are limited, reactive in nature, and largely inconsistent.[18] The cases detailed above indicate that enforcement occurs only after harm has occurred, leaving consumers without meaningful recourse. Moreover, the cases suggest the FTC cannot realistically audit the vast number of health care and wellness apps in the marketplace.[19] These issues reveal the underlying weakness of the current approach: meaningful privacy protections are imposed only after violations occur, providing no redress for data already leaked. While enforcement actions like those brought against GoodRx and BetterHelp send a message, they do not solve the systemic issue the existing regulatory framework creates, namely that sensitive health data remains vulnerable. This shortcoming reveals the need for a more proactive model.[20]
Proposed Framework for Proactive, Preventative Safeguards
A more effective approach would involve two steps.[21] First, the HBNR should be extended to explicitly cover all health and wellness apps collecting personal health data.[22] This would close the loophole that allows apps to claim they fall outside HIPAA or HBNR jurisdiction.[23] By eliminating this ambiguity, there would be more uniformity across the industry, thus preventing companies from exploiting technicalities.[24] This step would require little maneuvering by the FTC as it would only require an enlarged scope of the already existing HBNR. Second, baseline safeguards should be proactively imposed by prohibiting unauthorized data sharing, requiring informed consent, mandating privacy programs, and limiting retention of data. These preventative measures mirror remedies already imposed post-violation and could be implemented before consumer harm occurs. By placing these protective requirements on all health and wellness apps from the beginning, there would be less data sharing and information leaks. Moreover, these preventative safeguards would better protect consumers while simultaneously providing companies with clearer standards for compliance.[25]
Balancing Compliance and Innovation
Concerns that increased regulatory requirements could raise compliance costs and stifle innovation merit consideration.[26] Specifically, small startups could be overwhelmed by compliance costs and safeguard requirements.[27] To level the playing field for smaller apps, a tiered system based on factors such as financial capability, user base, and sensitivity of data could be applied to companies entering the market. This approach, while more complex than a one-size-fits-all model, would lessen the impact on smaller organizations looking to enter the field. Moreover, it would mitigate the risk of inconsistent enforcement created by spreading the FTC’s oversight staff too thin. A tiered system of oversight would allow the FTC to focus on high-risk entities with millions of users or companies handling extremely sensitive data, while easing the burden on smaller companies that present significantly less risk. To further reduce this burden, the government could require self-certification of compliance. A system incorporating self-certification and scaled obligations would strike a balance between consumer protection and innovation, promoting compliance without stifling market entry.
Despite these challenges, incorporating all health and wellness apps under the HBNR has its advantages.[28] First, it offers regulatory clarity for companies. Presumably, not all companies seek to operate in the gray zone between HIPAA, HBNR, and FTC enforcement. Instead, some companies may just be unsure of where they fall within the regulatory and rule structure. Therefore, the explicit incorporation of all health and wellness apps under the HBNR would considerably reduce any chance of uncertainty and reduce compliance guesswork. Another benefit is stronger deterrence. With more explicit guidance, companies are more likely to be deterred from non-compliance, and they will have less room to gamble with consumer data.
Furthermore, enacting preventative safeguards at the outset, before a breach occurs, provides additional advantages. First, consumers would have greater assurance that their personal data is protected. With increased public trust in digital health technologies, the industry would benefit from more widespread usage and adoption. Second, the amount of litigation would be reduced, because with clear preventative standards, fewer consumer disputes would arise from data leaks. Lastly, the greatest benefit would be the reduction of personal harm, because once personal health data is leaked, there is not much redress available in the age of instantaneous data sharing. By establishing proactive safeguards, data security would be enhanced, making it less likely that consumers’ data would be breached and cause irreparable harm.[29]
European Union’s Protection Program
The European Union’s General Data Protection Regulation (GDPR) provides a useful model. The GDPR establishes clear, tiered safeguards, including requirements on transparency and communication, collection of personal data, rights of access, accuracy, the right to erasure, the right to restrict processing, the right to object, and data portability.[30] Most of these safeguards mirror the solutions proposed above and offer a concrete example of such safeguards in practice. Additionally, the GDPR uses two tiers of fines, similar to the tiered approach proposed above.[31] Fines are categorized under tier one or tier two based on an evaluation of the following ten criteria: gravity and nature, intention, mitigation, precautionary measures, history, cooperation, data category, notification, certification, and aggravating/mitigating factors.[32] The GDPR demonstrates that robust, scalable data privacy frameworks are feasible without paralyzing innovation, and it provides a practical benchmark for reform in the U.S.[33]
IV. Conclusion
HIPAA leaves a vast number of consumer-facing health applications outside the scope of its authority and the FTC’s authority, and the HBNR operates only after violations occur. To better align regulatory protections with consumer expectations, health applications must be incorporated under the HBNR, and mandatory preventative safeguards must be required from the start. Proactive protection will enhance consumer trust, deter misuse, and mitigate irreparable harm before privacy violations occur.
[1] See ClearDATA Survey Reveals Many Americans Don’t Realize Personal Data Shared with Digital Health Apps Could Be Sold Without their Consent, Clear Data (Jul. 11, 2023), https://www.cleardata.com/news/cleardata-survey [https://perma.cc/KH42-KRWG].
[2] Peter F. Edemekong et al., Health Insurance Portability & Accountability Act (HIPAA) Compliance, Nat’l Libr. of Med. (last updated Nov. 24, 2024), https://pubmed.ncbi.nlm.nih.gov/29763195/ [https://perma.cc/C96M-Y5XS].
[3] Mobile Health App Interactive Tool, Fed. Trade Comm’n (Nov. 2024), https://www.ftc.gov/business-guidance/resources/mobile-health-apps-interactive-tool [https://perma.cc/NK59-ZT27].
[4] Id.
[5] Does Your Health App Protect Your Sensitive Info?, Fed. Trade Comm’n (Jan. 13, 2021), https://consumer.ftc.gov/consumer-alerts/2021/01/does-your-health-app-protect-your-sensitive-info [https://perma.cc/3F4Z-WLHS].
[6] Mobile Health App, supra note 3.
[7] Fed. Trade Comm’n Act Section 5: Unfair or Deceptive Acts or Pracs., U.S. Fed. Resv. (June 2008), https://www.federalreserve.gov/boarddocs/supmanual/cch/200806/ftca.pdf [https://perma.cc/RR2S-T6A8].
[8] Complying with FTC’s Health Breach Notification Rule, Fed. Trade Comm’n (Jan. 2025), https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0 [https://perma.cc/5M77-JKX3].
[9] Id.
[10] Id.
[11] FTC Finalizes Changes to the Health Breach Notification Rule, Fed. Trade Comm’n (Apr. 16, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/04/ftc-finalizes-changes-health-breach-notification-rule [https://perma.cc/93LQ-7RP8].
[12] Id.
[13] Id.
[14] FTC Enforcement Action to Bar GoodRx from Sharing Consumer’s Sensitive Health Info from Advertising, Fed. Trade Comm’n (Feb. 1, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising [https://perma.cc/FE2Y-9VXD].
[15] Id.
[16] FTC Gives Final Approval to Order Banning BetterHelp from Sharing Sensitive Health Data for Advertising Requiring It to Pay $7.8 Million, Fed. Trade Comm’n (Jul. 14, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/07/ftc-gives-final-approval-order-banning-betterhelp-sharing-sensitive-health-data-advertising [https://perma.cc/8TYF-6P4U].
[17] Id.
[18] Delphine McGraw & Kenneth D. Mandl, Privacy Protections to Encourage Use of Health-Relevant Digital Data in a Learning Health System, npj Digit. Med. 4, 2 (Jan. 4, 2021), https://www.nature.com/articles/s41746-020-00362-8#citeas [https://perma.cc/KB9B-KMWQ] (discussing narrow and fragmented U.S. protections for health relevant digital data and the need for comprehensive approaches).
[19] U.S. Gov’t Accountability Office, GAO-19-52, Internet Privacy: Additional Federal Authority Could Enhance Consumer Protection and Provide Flexibility (2019).
[20] McGraw & Mandl, supra note 18 (arguing that the current U.S. regime treats many health relevant data flows outside of comprehensive, preventative rules).
[21] Health Breach Notification Rule, 89 Fed. Reg. 47028 (May 30, 2024) (to be codified at 16 C.F.R. pt. 318).
[22] McGraw & Mandl, supra note 18.
[23] Id.
[24] Id. (recommending a multi-prong approach for entities collecting health relevant data regardless of HIPAA status to reduce regulatory gaps).
[25] Id. (noting that upfront safeguards can provide predictable compliance pathways for companies).
[26] U.S. Gov’t Accountability Off., supra note 19 (discussing concerns about compliance costs and the effects on small businesses).
[27] Id. at 27-30 (observing that startups and small firms can experience disproportionate compliance burdens under expansive privacy regimes).
[28] McGraw & Mandl, supra note 18 (arguing that extending rules to cover healthcare apps would reduce regulatory uncertainty and enhance deterrence).
[29] See generally id. (discussing public trust and harms from data breaches).
[30] Ben Wolford, A Guide to GDPR Data Privacy Requirements, GDPR.EU, https://gdpr.eu/data-privacy [https://perma.cc/5ZLK-JZVH] (last visited Sept. 18, 2025).
[31] Ben Wolford, What are the GDPR Fines?, GDPR.EU, https://gdpr.eu/fines/ [https://perma.cc/HTY9-MB2S] (last visited Sept. 18, 2025).
[32] Id.
[33] McGraw & Mandl, supra note 18.