Regulating the Unregulated: The Challenge of Privacy in Consumer Health Apps

  • Writer: Legally Speaking
  • May 3


Written by Evie Diffloth April, 2025

A 2019 study published in JAMA Network Open found that 29 of 36 (81%) top-rated mobile health apps shared data with Google and Facebook, but only 12 of those apps properly disclosed this in their privacy policies. Consumer health data that falls outside federal regulation is at risk of being breached or used for targeted advertising, and this has become a pressing issue in the mobile health app industry. The current regulatory framework, which consists primarily of the Health Insurance Portability and Accountability Act, fails to adequately protect sensitive health information in the digital age.

The Health Insurance Portability and Accountability Act (HIPAA), established in 1996, set federal standards for securing patient privacy and protecting health information from being disclosed without the patient’s consent. The U.S. Department of Health and Human Services enacted the HIPAA Privacy Rule to implement the requirements of this act; it governs the use and disclosure of patients’ protected health information (PHI) by the entities the rule controls, called covered entities. Covered entities include healthcare providers; health plans, such as health maintenance organizations, long-term care insurers, and Medicare insurers; and business associates, defined as parties that do not work for a covered entity but use health information to carry out functions on its behalf, such as data analysis and billing. Alongside the Privacy Rule, the HIPAA Security Rule protects all health information a covered entity creates, receives, maintains, or transmits electronically, called electronic protected health information (ePHI). Outside of HIPAA, the Health Breach Notification Rule, issued by the Federal Trade Commission in 2009, mandates that vendors of PHI and patient health records inform users if a data breach of protected information occurs.

Under current legislation, mobile health apps created by commercial developers for individual use are not covered by HIPAA, because these developers are not covered entities. However, HIPAA’s requirements do apply once a covered entity obtains information from a patient’s mobile health app, since the HIPAA Privacy and Security Rules mandate that covered entities and business associates safeguard PHI through suitable security measures. If a health app developer works with a healthcare provider to assist in caring for patients, the developer could become a business associate and would therefore be subject to HIPAA’s standards. Apart from this exception, regulation of mobile health apps lies outside the jurisdiction of HIPAA, which has contributed to a number of pressing privacy issues within health apps.

Ensuring the security and privacy of patients’ data has become a vital responsibility for mobile health app developers and healthcare providers as use of health apps has increased. Data breaches and leakage are the main issues connected to these apps, because the ePHI they contain includes data such as account numbers and social security numbers. Health apps pose a significant threat to patients’ privacy if this information reaches the wrong individuals, who could then use it to steal a patient’s identity, file fraudulent tax returns, or obtain medical services fraudulently. Another challenge for data privacy in health apps is the security of the patient’s phone itself: if the phone is lost or stolen, measures must be in place to ensure that the data held in the health apps remains secure. The absence of definitive legislation governing this nuanced problem has left health app users’ PHI at risk of being sold or distributed, which feeds consumer profiling and targeted advertising and could also affect the pricing of patients’ health plans in the event that their sensitive data is breached.

The issue of patient privacy in mobile health apps has become increasingly relevant as use of these apps grows, and multiple health apps have faced legal consequences for their shortcomings in user privacy. In the 2021 case of FTC v. Flo Health Inc., a lawsuit was filed against Flo Health, Inc. after it was discovered that the company’s app, Flo, had been sharing information about users with advertising agencies and large tech companies such as Meta and Google. Flo’s privacy policies stated that users’ health information, which included menstrual cycles and pregnancies, would stay private, yet the company repeatedly communicated this data to third parties. The corporation also placed no constraints on how the third-party companies could use the data, allowing them to use it for anything from research to targeted advertising. Following a complaint and settlement between Flo Health and the Federal Trade Commission, the resulting order mandated that Flo obtain consent from users of its app before transmitting PHI to advertising agencies.

A similar lack of consumer protection arose in the FTC v. GoodRx Holdings Inc. case in 2023, in which the Federal Trade Commission took enforcement action under the Health Breach Notification Rule against the prescription drug discount and telehealth company GoodRx for not informing users of its unauthorized sharing of their PHI with Google, Facebook, and other corporations. This was the first order of its kind, filed by the U.S. Department of Justice on behalf of the Federal Trade Commission. Under this order, GoodRx was prohibited from distributing consumer health data to third-party companies for use in targeted advertising and was required to pay a $1.5 million civil penalty for failing to comply with the rule. Previously, the FTC had filed a complaint stating that GoodRx had violated the Health Breach Notification Rule by sharing users’ PHI with advertising agencies for years. Contrary to its privacy promises, GoodRx also did not report these unauthorized disclosures, as the rule mandates. Along with the civil penalty, the court order barred GoodRx from the deceptive practices discussed in the complaint: it forbade the release of PHI to third parties for use in advertising, required user consent before PHI is disclosed to third-party companies for other purposes, and directed GoodRx to instruct third parties to delete the users’ health information that had been communicated to them.

In recent years, there have been continued attempts to address problems surrounding consumer privacy in health apps, including various legislative proposals. One of these proposals is the American Data Privacy and Protection Act (ADPPA), a bill introduced in the House of Representatives in June of 2022 to set requirements for how companies handle personal data, defined as data that relates to an individual’s identity. The bill mandated that companies limit the collection, processing, and transmission of sensitive data to only those actions necessary to provide the services consumers request. ADPPA also required companies to enact security measures to protect user data from unauthorized access and to give users a way to opt out of targeted advertising before that type of advertising is used. This act moved through the House Energy and Commerce Committee but was never brought to a full vote in the House and is now considered inactive. In the absence of federal legislation, individual states have enacted their own data privacy laws, with Iowa, Delaware, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, and Maryland having implemented privacy regulations by 2025. To address the complex and varied legal guidelines across the country, lawmakers have introduced new federal privacy bills, including the American Privacy Rights Act, introduced in April of 2024, which expands on the ADPPA and aims to set a national standard for data privacy.

In conclusion, the lack of adequate protection for consumer health data in mobile health apps has become a major privacy concern. The current regulatory framework fails to cover most health apps developed by commercial entities, creating significant gaps in data protection. Although legislative proposals have attempted to address these issues, federal regulatory reform is urgently needed to establish consistent nationwide standards for health app privacy. As users adopt health apps at increasing rates, the protection of sensitive health information will become even more important. Without meaningful changes to how health app data is regulated, consumers will remain vulnerable to privacy breaches and unauthorized data sharing that could significantly affect their lives.
