The digital-health and wellness sector is expanding rapidly. Today’s companies — from mobile wellness apps and fitness wearables to mental-health platforms and other consumer-facing health tools — frequently collect, process, and store sensitive health-related data. Even if your business is not a traditional healthcare provider covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), U.S. federal law still may apply. In many instances, the FTC and its authority under the Federal Trade Commission Act (FTC Act), together with the Health Breach Notification Rule (HBNR), represent the primary legal frameworks governing how companies handle consumer health data. (Federal Trade Commission)

For decision-makers in health-adjacent or wellness businesses, understanding these obligations — and building compliance measures — is essential to reduce risk, maintain consumer trust, and avoid regulatory enforcement actions.

---

HIPAA vs Non-HIPAA: Why Many Digital-Health Companies Are Under FTC Oversight

HIPAA’s Privacy, Security, and Breach Notification Rules apply only to specific “covered entities” (such as health-care providers, health plans, or health-care clearinghouses) and their business associates. (HHS)

But many modern health-tech companies — such as wellness apps, connected devices, and consumer-facing health platforms — are not HIPAA-covered. Instead, they collect data directly via apps, wearables, websites, or devices, often together with analytics or advertising vendors. In those cases, the FTC Act, and potentially the HBNR, govern data practices.

Under the FTC Act, companies are prohibited from engaging in “unfair or deceptive acts or practices.” For health-data businesses, this means they must be truthful and transparent about data collection, use, storage, and sharing; avoid misleading consumers (for example, by claiming “HIPAA compliance” when HIPAA does not apply); and implement reasonable privacy and security protections commensurate with the sensitivity of the data.

---

What Qualifies as “Health Information” — FTC’s Broad Definition

Under FTC guidance, “health information” is defined broadly. It includes not only clinical diagnoses or treatment records, but also any data that “conveys information or enables an inference about a consumer’s physical or mental health condition, medical history, or care.”

This definition covers:

• Direct data collected via devices or apps — e.g., heart rate readings, sleep patterns, glucose levels, blood pressure, fertility or menstrual-cycle tracking, medication adherence logs.
  
• Indirect or inferred indicators — e.g., browsing history showing visits to medical clinics, purchase data such as home-medical tests, or location data indicating attendance at health-care facilities.
  

Because of this breadth, companies should treat all such data — whether obvious or subtle — as potentially sensitive health information, and apply robust privacy, security, and transparency measures accordingly.

---

The Health Breach Notification Rule: What It Requires

For companies that maintain or store electronic personal health records (PHR) and are not covered by HIPAA, the FTC’s HBNR imposes mandatory breach-notification obligations.

Under the Rule:

• If there is a “breach of security” — an unauthorized acquisition or disclosure of unsecured, individually identifiable health information — the company must notify each affected U.S. resident without “unreasonable delay,” and in any case no later than 60 calendar days after discovery.
  
• If 500 or more individuals are affected, the company must also notify the FTC at the same time notifications are sent to individuals. For fewer than 500, the FTC must be notified within 60 calendar days after the end of the calendar year.
  
• In some cases — when a large number of residents in a single jurisdiction are affected — the company must also notify prominent media outlets serving that locale.
  
• The Rule applies only to “unsecured” health information — i.e., not encrypted or otherwise protected per standards specified by the U.S. Department of Health and Human Services.
  

Of note: the FTC finalized amendments to the HBNR in 2024 to modernize and clarify its application to health apps and similar technologies not covered by HIPAA — including revisions to breach definitions and notification requirements. (Federal Trade Commission)

---

Regulatory Enforcement Is Real — What Recent Cases Show

The FTC takes enforcement seriously. In a landmark action in 2023, the FTC (through the U.S. Department of Justice) filed a proposed order against a major digital health company, GoodRx Holdings, Inc., for unauthorized sharing of users’ personal health information with advertising and analytics partners. The company agreed to pay a $1.5 million civil penalty, and to stop sharing user health data for advertising purposes. (Federal Trade Commission)

According to the FTC’s complaint, GoodRx had repeatedly promised users it would not share health information with third parties — yet had shared identifiable information, including prescription and health-condition data, with major advertising companies without appropriate consent or notification.

This enforcement action highlights the regulatory risk for consumer-health businesses — even those that believe themselves to be “non-clinical” or “consumer-facing.”

In addition, the FTC issued a public policy statement in September 2021 explicitly warning health-app developers and connected-device companies that they must comply with the HBNR, especially if their products allow for personal health record creation, storage, or exchange — and avoid misleading privacy or security claims.

Following growing stakeholder input and evolving technologies, the FTC updated the HBNR in 2024 to reflect broader applicability to health apps, wearable devices, and similar digital health platforms.

---

What Business Executives Should Do Now — A Compliance Checklist

If your company develops, markets, or operates health apps, wearables, wellness platforms, or other consumer-facing health tools — even when you are outside traditional medical regulation — consider the following compliance roadmap:

1. Conduct a comprehensive data inventory and mapping
   
   • Identify all sources of data collection: mobile applications, wearable sensors, web interfaces, third-party integrations, purchase history, location tracking.
     
   • Map data flows: how data moves through your system — from device to cloud, to databases, to third-party vendors.
     
   • Classify the data by sensitivity: determine which items qualify as “health information” under FTC’s broad definition.
     
2. Review and update privacy policies and public disclosures
   
   • Ensure that your privacy notices and user agreements clearly describe what data is collected, how it is used, stored, and shared.
     
   • Avoid vague or marketing-style claims. For example, do not claim “HIPAA compliance,” “HIPAA certification,” or “HIPAA-secure” unless you truly operate under HIPAA. Such claims, when misleading, may constitute a violation of the FTC Act.
     
   • Be transparent about third-party data sharing — especially with analytics or advertising vendors.
     
3. Implement privacy-by-design and security-by-design measures
   
   • Use appropriate technical safeguards: encryption, secure storage, access controls, authenticated access, secure data transmission.
     
   • Develop internal governance: data minimization (collect only what is necessary), retention limits, purpose limitation, and regular data-use reviews.
     
   • Vet and monitor third-party vendors and partners (analytics, ad networks, cloud providers) to ensure they comply with privacy and security standards.
     
4. Prepare for breach-notification obligations under the HBNR
   
   • Build internal procedures for detecting, responding to, and reporting data breaches.
     
   • Ensure breach-notification processes comply with the timing and content requirements of the HBNR (notify individuals, the FTC, and possibly media when required).
     
   • Maintain documentation of incident response, notifications, and corrective actions.
     
5. Foster a culture of transparency and accountability
   
   • Involve legal, product, engineering, and executive leadership in privacy and security decisions.
     
   • Reconsider business models that rely heavily on advertising or data monetization — especially where sensitive health data is involved. Given recent FTC enforcement, such models face heightened risk.
     
   • Communicate clearly and unambiguously with users — transparency builds trust and reduces the risk of regulatory or reputational fallout.
     

By embedding privacy and security practices into business operations, companies not only mitigate compliance risk — they also build stronger long-term user trust and brand reputation.

---

Why Partnering with a U.S. Federal Privacy Expert Matters

Navigating the intersection of health data, consumer expectations, and evolving federal regulation is challenging — especially when your company operates outside traditional healthcare frameworks. As enforcement increases, having a knowledgeable and experienced privacy partner can make all the difference.

At The Data Privacy Lawyer PLLC, we specialize exclusively in U.S. federal privacy law compliance for non-government, non-covered-entity businesses. Our services include:

• Data-flow audits and mapping of all points where health-related data is collected, stored, or shared
  
• Drafting or revising privacy policies, terms of service, and user consent flows — ensuring clarity, transparency, and legal compliance
  
• Designing and implementing a privacy-by-design and security-by-design framework tailored to your operations
  
• Preparing breach-notification programs and incident-response playbooks to comply with the HBNR and FTC expectations
  
• Evaluating third-party vendor risk (analytics, marketing, cloud infrastructure) and crafting vendor agreements to support compliance
  

If your business touches consumer health data — through apps, wearables, therapy platforms, or wellness services — we encourage you to contact us for a comprehensive compliance review.

Contact us to learn how we can help you build a robust data-privacy foundation.

The Data Privacy Lawyer PLLC
🌐 www.thedataprivacylawyer.com
📧 info@thedataprivacylawyer.com
📞 +1 (202) 946-5970
📚 Resources

Protecting students today protects their future tomorrow.