A New Era of Privacy Enforcement: Lessons for Digital Health Players

By Lena Zinner, Sara Shanti & Michael Sutton on September 11, 2025

Regulators and courts are expanding enforcement against digital health apps and online platforms that share sensitive health data without true consent, even though these companies fall outside the scope of the Health Insurance Portability and Accountability Act (“HIPAA”). To reach non-covered entities, agencies and private claimants are now drawing on a patchwork of authorities to rein in misleading or undisclosed data practices:

  • Section 5 of the Federal Trade Commission Act: The Federal Trade Commission (“FTC”) is invoking Section 5 of the FTC Act to target unfair or deceptive practices, especially where parties publicly promise to abide by certain privacy practices but fail to deliver. This is particularly common where a party makes representations in a privacy policy posted on its website that do not align with the party’s actual privacy and data usage practices.
  • The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) Health Breach Notification Rule: Once dormant, the HITECH Act’s Health Breach Notification Rule is now being actively enforced by the FTC against non-HIPAA vendors of personal health records. Under the Rule, such vendors and their service providers must notify affected individuals, the FTC (unless fewer than 500 users are impacted), and even the media, typically within 60 days of discovering unauthorized disclosures. Recent updates to the Rule clarified that health apps, Application Programming Interfaces, and connected devices fall within its scope.
  • State Consumer-Protection & Privacy Statutes: At the state level, attorneys general (notably in California and Washington) are wielding both general deceptive trade practices laws and newer, health-specific privacy statutes to investigate undisclosed data flows. These statutes treat health-adjacent data as particularly sensitive and allow enforcement even where federal law may not reach. In addition, such laws often afford private parties rights of action that can sustain class actions, dramatically expanding the scope of potential exposure.
  • Wiretapping & Communications Laws: Courts are beginning to reinterpret wiretapping statutes more broadly, treating embedded Software Development Kits (“SDKs”), which automatically transmit user activity to the host platform, and tracking scripts that capture sensitive information (such as reproductive health data) as potential interceptors of private communications. For example, a recent class action brought under the federal wiretapping statute alleged that a healthcare provider’s use of AI-powered call recording services intercepted patient communications without appropriate notice or consent. Even when labeled “industry standard,” the undisclosed nature of these tools and their access to personal health behaviors is increasingly triggering civil liability.

Why Enforcement is Accelerating:

  • Regulators are stretching old laws to new contexts, relying on the FTC Act, state deceptive trade practice laws, wiretapping statutes, and breach-notification rules to cover health data that falls outside HIPAA.
  • Courts and juries are no longer hesitating to treat app tracking and SDK data flows as invasive, even when companies call them “industry standard.”
  • Settlements and jury awards are climbing, increasing the financial stakes and the reputational risks for companies that mishandle data.

What this Means for Companies:

The lesson is straightforward. Promises in a privacy policy must be accurate. Tracking tools, SDKs, and analytics integrations cannot silently funnel health-related data to advertisers without clear, informed consent. And being outside the scope of HIPAA is no shield; consumer protection laws, wiretapping statutes, and class actions are filling the gap.

For any company operating in digital health, wellness, or even adjacent spaces, now is the time to audit how data flows through your products, what third parties receive it, and whether your disclosures match reality. Regulators and plaintiffs’ lawyers are watching closely, and the precedent has been set.

Lena Zinner

Lena Zinner is an associate in the Corporate Practice Group in the firm’s New York office, and a member of the Healthcare Industry Team.

Sara Shanti

Sara Helene Shanti is a partner in the Corporate Practice Group in the firm’s Chicago office.

Michael Sutton

Michael Sutton is an associate in the Corporate Practice Group in the firm’s Dallas office.

  • Posted in: Health Care and Life Sciences, Privacy and Cybersecurity
  • Blog: Healthcare Law Blog
  • Organization: Sheppard, Mullin, Richter & Hampton LLP