Consumer Health Data Privacy: What It Is, Key Laws, and How to Protect Your Data
Definition of Consumer Health Data
Consumer health data is any information that identifies you, or can reasonably be linked to you, and that reveals, describes, or can be used to infer your physical or mental health. Unlike traditional medical records, it includes data created outside clinics, often through everyday devices and services.
Examples include:
- Vitals from wearables, fitness trackers, and smart scales (heart rate, sleep, steps).
- Cycle-tracking logs, fertility insights, and reproductive health entries.
- Genetic testing data and biometric templates used for health features.
- Symptom searches, telehealth chats, medication reminders, and wellness questionnaires.
- Geolocation indicating visits to clinics or pharmacies, and purchase history of health-related goods.
The label “consumer health data” is context-driven. The same blood-pressure reading can be protected one way when held by a hospital and another way when stored in a consumer app. That context determines which laws apply and what remedies you have.
Overview of HIPAA Coverage
HIPAA protects “protected health information” (PHI) when it is handled by specific organizations called Covered Entities (health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions) and by their Business Associates, which perform services involving PHI on their behalf. HIPAA’s Privacy, Security, and Breach Notification Rules set standards for use and disclosure, for administrative, physical, and technical safeguards, and for incident response.
PHI is individually identifiable health information (tied to identifiers such as name, address, dates, or device IDs) that is created or received by a Covered Entity or Business Associate. Data that has been properly de-identified under one of HIPAA’s two methods, Safe Harbor (removal of 18 categories of identifiers, with no actual knowledge that what remains could identify the person) or Expert Determination (a documented statistical finding that re-identification risk is very small), falls outside the PHI rules, though other laws may still govern it.
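To make the Safe Harbor method concrete, here is a small de-identification pass over a constructed consumer health record. It is an added illustration written for this article, not code from Accountable or from any regulator; the record layout, the field names, and the set of small-population ZIP prefixes are assumptions. It removes direct identifiers outright, keeps only the first three ZIP digits (collapsing sparsely populated areas to 000), reduces dates to the year, rolls ages over 89 into a single 90+ bucket, and scrubs obvious phone, SSN, and e-mail patterns from free text.

```python
"""Safe Harbor-style de-identification of a consumer health record.

Added example for this article; field names, the ZIP set and the sample
record are constructed assumptions, not real data.
"""
import re
from datetime import date
from typing import Any, Dict

# Direct identifiers from the Safe Harbor list: removed outright.
DIRECT_IDENTIFIERS = {
    "name", "email", "phone", "fax", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_template", "photo",
}
DATE_FIELDS = {"birth_date", "visit_date", "admission_date", "discharge_date"}
FREE_TEXT_FIELDS = {"notes"}

# Three-digit ZIP prefixes covering 20,000 or fewer residents must be reported
# as "000".  Real values come from Census data; this set is a stand-in.
SMALL_POPULATION_ZIP3 = {"036", "059", "102", "203"}

# SSN, US phone number, or e-mail address embedded in free text.
FREE_TEXT_IDENTIFIER = re.compile(
    r"\b\d{3}-\d{2}-\d{4}\b"
    r"|\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"
    r"|\b[\w.+-]+@[\w-]+\.[\w.-]+\b"
)


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits; collapse small-population areas to 000."""
    prefix = zip_code.strip()[:3]
    if len(prefix) != 3 or not prefix.isdigit():
        return "000"
    return "000" if prefix in SMALL_POPULATION_ZIP3 else prefix


def age_on(birth_date: date, as_of: date) -> int:
    """Whole years between birth_date and as_of."""
    years = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def generalize_date(field: str, iso_value: str, as_of: date) -> str:
    """Reduce a date to its year; a birth year revealing age > 89 becomes 90+."""
    d = date.fromisoformat(iso_value)
    if field == "birth_date" and age_on(d, as_of) >= 90:
        return "90+"
    return str(d.year)


def scrub_free_text(text: str) -> str:
    """Replace identifier-looking substrings in free text."""
    return FREE_TEXT_IDENTIFIER.sub("[REDACTED]", text)


def deidentify(record: Dict[str, Any], as_of: date) -> Dict[str, Any]:
    """Return a new record with Safe Harbor identifiers removed or generalized."""
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out[key] = generalize_zip(str(value))
        elif key == "age":
            out[key] = "90+" if int(value) >= 90 else str(value)
        elif key in DATE_FIELDS:
            out[key] = generalize_date(key, str(value), as_of)
        elif key in FREE_TEXT_FIELDS:
            out[key] = scrub_free_text(str(value))
        else:
            out[key] = value
    return out


# Constructed sample record; nothing here describes a real person.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "email": "jane@example.com",
    "mrn": "MRN-0042",
    "device_serial": "FT-ABC123",
    "zip": "02139",
    "birth_date": "1931-03-15",
    "visit_date": "2024-06-02",
    "blood_pressure": "132/84",
    "notes": "Follow-up; patient phone 617-555-0199, email jane@example.com.",
}


def deidentify_sample() -> Dict[str, Any]:
    """Run the pass over the sample record as of the visit date."""
    return deidentify(SAMPLE_RECORD, date(2024, 6, 2))


if __name__ == "__main__":
    print(deidentify_sample())
```

Two caveats a practitioner would check: the regex only catches obvious patterns, so free-text fields need review before they are treated as de-identified, and Safe Harbor also requires that the holder has no actual knowledge the remaining data could identify the person. Where the residual fields still look linkable (rare conditions plus a ZIP prefix, for instance), the Expert Determination route is the safer choice.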
Many consumer tools—such as wellness apps, fitness platforms, and some direct-to-consumer genetic testing services—may not be covered by HIPAA unless they act on behalf of a Covered Entity under a Business Associate Agreement. HIPAA also has its own breach notification rule for unsecured PHI, which is distinct from the FTC’s Health Breach Notification Rule that applies to certain non-HIPAA services.
FTC's Role and Enforcement
The Federal Trade Commission (FTC) polices unfair or deceptive practices involving health data. When companies break their privacy promises, or fail to disclose how they track, share, or sell health-related information, the FTC can bring enforcement actions under Section 5 of the FTC Act.
The FTC’s Health Breach Notification Rule requires vendors of personal health records (PHRs), PHR-related entities, and their third-party service providers to notify affected consumers and the FTC (and, for larger breaches, the media) when unsecured, individually identifiable health information is acquired or disclosed without authorization. The FTC has clarified that many health and wellness apps fall within the rule when they draw identifiable health data from multiple sources, even where HIPAA does not apply, which extends wellness app regulation beyond the traditional medical system.
FTC remedies often include bans on sharing health data with advertisers, mandatory deletion of unlawfully collected data (and sometimes algorithms trained on it), transparency requirements, security programs, and consumer redress. These outcomes set expectations that companies align practices with their public claims.
State Privacy Laws Impact
States increasingly treat health data as “sensitive,” imposing stricter rules for collection, use, and disclosure. Comprehensive state privacy laws commonly require opt-in consent for processing or “selling” sensitive health data, enhanced transparency, and impact assessments for high-risk processing. Many also provide mechanisms to opt out of targeted advertising built on cross-context tracking.
Some states have enacted standalone consumer health privacy laws that reach beyond HIPAA. These laws may cover any entity handling consumer health data, restrict geofencing around health care locations, demand data minimization and purpose limits, and require clear disclosures about how data is used and shared, including genetic testing data and reproductive health information.
Enforcement typically rests with state attorneys general, sometimes carrying per-violation penalties and injunctive relief. Because requirements vary, organizations face a patchwork of privacy compliance obligations that depend on where consumers reside and how data is processed.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Consumer Rights and Controls
Depending on the law that applies, you may have rights to access, correct, delete, and export your health data; to opt out of targeted advertising or “sales” of personal information; and to withdraw consent. Under HIPAA, you have a right of access to the PHI in a Covered Entity’s designated record set (its medical and billing records about you, for example); under state laws, you may exercise similar or broader rights with consumer apps.
To use these rights, look for in-app privacy dashboards and “download your data” features, turn off cross-context behavioral advertising, limit location and Bluetooth permissions, and reset mobile advertising IDs. You can also submit requests to a company’s privacy contact, verify your identity, and ask for the categories of data shared with third parties and service providers.
Before sharing sensitive details, check whether the service operates under HIPAA (for example, through a Business Associate relationship) and review its published privacy policy and compliance commitments. For highly sensitive uses, such as genetic testing data, confirm retention periods, data deletion options, and whether results are used for advertising or research.
Data Collection and Sharing Practices
Companies collect health data you provide directly (entries, messages), passively via sensors and SDKs (location, device IDs), and from partners (data brokers, ad platforms). They also create inferences—predictions about conditions or behaviors—based on your interactions and purchases.
Sharing typically occurs with service providers (who must act under contractual limits) or with third parties for analytics, advertising, or research. Some state laws define “sale” broadly to include any exchange of data for value, not just cash. Tracking pixels and mobile SDKs embedded in apps and web pages send events to their vendors by default; unless each event and property is explicitly allowlisted, or the tracker is disabled on health-related screens, they can transmit sensitive events such as symptom searches, condition page views, or appointment bookings, along with device identifiers that tie them to you.
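The following gate shows what “strictly configured” can look like in an app: every event headed for a third-party analytics or advertising SDK passes through an allowlist that drops unknown event names, strips non-allowlisted properties (e-mail, search query, advertising ID), generalizes health-related screen names so the vendor never learns which condition page was viewed, and records each decision for audit. This is an added example written for this article, not code from Accountable or from any SDK vendor; the event names, property keys, keyword list, and sample events are assumptions.

```python
"""Allowlist gate between app code and a third-party analytics/ad SDK.

Added example for this article; the SDK interface, event names and sample
events are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

# Only these event names may leave the app at all.
ALLOWED_EVENTS = {"app_open", "screen_view", "settings_changed"}
# Only these property keys may accompany an allowed event.
ALLOWED_PROPERTIES = {"screen", "app_version", "platform"}
# Screen paths containing these words are health-related and get generalized.
HEALTH_SCREEN_KEYWORDS = ("symptom", "condition", "telehealth", "pharmacy",
                          "cycle", "fertility", "genetic", "medication")


@dataclass
class Decision:
    forward: bool
    event: Optional[Dict[str, Any]]
    reason: str


def classify_screen(screen: str) -> str:
    """Replace a health-related screen path with a coarse placeholder."""
    lowered = screen.lower()
    if any(word in lowered for word in HEALTH_SCREEN_KEYWORDS):
        return "health/redacted"
    return screen


def gate_event(event: Dict[str, Any]) -> Decision:
    """Decide whether an event may be forwarded and in what sanitized form."""
    name = event.get("name", "")
    if name not in ALLOWED_EVENTS:
        return Decision(False, None, f"event '{name}' not in allowlist")
    props = event.get("properties", {})
    kept = {k: v for k, v in props.items() if k in ALLOWED_PROPERTIES}
    dropped = sorted(set(props) - set(kept))
    if "screen" in kept:
        kept["screen"] = classify_screen(str(kept["screen"]))
    reason = "forwarded"
    if dropped:
        reason += f"; dropped properties {dropped}"
    return Decision(True, {"name": name, "properties": kept}, reason)


class AnalyticsGate:
    """Wraps the vendor SDK's send function; nothing bypasses gate_event."""

    def __init__(self, sink: Callable[[Dict[str, Any]], None]) -> None:
        self.sink = sink                 # would hand the event to the vendor SDK
        self.audit_log: List[str] = []   # one line per event, forwarded or not

    def track(self, event: Dict[str, Any]) -> Decision:
        decision = gate_event(event)
        self.audit_log.append(f"{event.get('name')}: {decision.reason}")
        if decision.forward and decision.event is not None:
            self.sink(decision.event)
        return decision


# Constructed sample events, including ones that must not reach the vendor.
SAMPLE_EVENTS = [
    {"name": "app_open", "properties": {
        "app_version": "4.2.0", "platform": "ios",
        "advertising_id": "00000000-0000-0000-0000-000000000001"}},
    {"name": "screen_view", "properties": {
        "screen": "/telehealth/chat/session", "app_version": "4.2.0"}},
    {"name": "symptom_search", "properties": {
        "query": "chest pain", "user_email": "jane@example.com"}},
    {"name": "screen_view", "properties": {"screen": "/settings/notifications"}},
]


def run_sample() -> Tuple[List[Dict[str, Any]], List[str]]:
    """Push the sample events through the gate; return what was sent and the audit log."""
    sent: List[Dict[str, Any]] = []
    gate = AnalyticsGate(sent.append)
    for event in SAMPLE_EVENTS:
        gate.track(event)
    return sent, gate.audit_log


if __name__ == "__main__":
    forwarded, log = run_sample()
    for line in log:
        print(line)
    print(forwarded)
```

The design choice worth noting is that the gate is an allowlist rather than a denylist: a new event added by a product team is blocked until someone deliberately approves it, which is the opposite of the default most SDKs ship with. The audit log is what lets a privacy review confirm, rather than assume, that no health event left the app.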
Data Security Measures and Regulatory Gaps
Strong security reduces risk even when privacy promises fall short. For individuals: enable device passcodes and biometric locks, turn on multi-factor authentication, keep software updated, encrypt device backups, and use unique passwords in a reputable password manager. For organizations: apply least-privilege access, encrypt data in transit and at rest, maintain audit logs, run secure SDLC practices, conduct risk assessments, and test incident response plans.
Know your notification landscape. HIPAA’s breach notification duties apply to Covered Entities and Business Associates handling PHI, while the FTC’s Health Breach Notification Rule can apply to non-HIPAA health services (like certain wellness or PHR apps). Many states also impose timelines and content requirements for notifying affected consumers, adding to overall privacy compliance obligations.
Regulatory gaps persist because HIPAA does not cover much of the consumer tech ecosystem, de-identified data can sometimes be re-identified, and data broker markets enable broad downstream use. The mix of federal and state rules creates complexity for businesses and confusion for consumers, underscoring the need for clear disclosures, strict minimization, and responsible wellness app regulation across the industry.
Conclusion
Consumer health data privacy hinges on context: who holds your data, what it reveals, and why it is used. Understand whether HIPAA applies, rely on FTC enforcement and state-law rights when it does not, limit sharing, and favor services that minimize collection and strengthen security. These habits, paired with evolving enforcement, help you protect your most sensitive information.
FAQs
What types of consumer health data are protected?
Protections can cover information that identifies you and reveals health status, conditions, or care, such as wearable metrics, cycle logs, telehealth notes, genetic testing data, and geolocation near clinics. Exact safeguards depend on whether HIPAA, the FTC’s Health Breach Notification Rule, or state laws apply to the holder of the data.
How does HIPAA differ from state health privacy laws?
HIPAA applies to PHI handled by Covered Entities and their Business Associates, setting federal standards for medical settings. State laws may extend protections to consumer apps and other services outside HIPAA, often labeling health information as “sensitive,” requiring consent, limiting “sales,” and granting broader rights to access, delete, or opt out.
What rights do consumers have regarding their health data?
Common rights include access, correction, deletion, and portability, plus choices around targeted advertising and the sale of personal data. Under HIPAA, you can access your records from a Covered Entity; under state laws, you may exercise similar rights with non-HIPAA services, subject to verification and certain exceptions.
How does the FTC enforce health data privacy rules?
The FTC brings enforcement actions against unfair or deceptive practices and enforces the Health Breach Notification Rule for certain non-HIPAA services. Remedies can include bans on advertising uses, deletion of unlawfully obtained data, mandated security programs, increased transparency, and consumer redress.