Health Data Monetization Laws Explained: HIPAA, GDPR, CCPA, and State Rules


Kevin Henry

HIPAA

July 01, 2026


HIPAA Privacy and Security Requirements

HIPAA is the baseline federal framework governing how Protected Health Information (PHI) can be used, disclosed, secured, and commercialized. If you are a health plan, health care provider, or clearinghouse—or you handle PHI on their behalf as a Business Associate—you are subject to HIPAA. Health Information Exchanges typically operate as Business Associates and must follow the same safeguards and contractual controls.

Scope: what counts as PHI and who is covered

PHI is individually identifiable health information created or received by a Covered Entity or its Business Associate and linked to a person’s past, present, or future physical or mental health, health care, or payment for care. Determining whether your dataset is PHI—and whether you are a Covered Entity, Business Associate, or outside HIPAA entirely—is the first gating decision before any monetization strategy.

Permitted uses, “minimum necessary,” and the sale of PHI

HIPAA permits use and disclosure for treatment, payment, and health care operations without individual authorization. Outside those purposes, you generally must obtain a valid HIPAA authorization. A separate rule restricts the “sale of PHI”: receiving remuneration in exchange for PHI typically requires explicit authorization unless a narrow exception applies (for example, certain public health activities or cost-based payments for research).

Security Rule safeguards and vendor management

The Security Rule requires administrative, physical, and technical safeguards scaled to your risk. Expect a documented risk analysis, role-based access, encryption in transit and at rest (where reasonable and appropriate), audit logging, workforce training, and incident response. If you rely on vendors, execute Business Associate Agreements that define permitted uses, safeguards, and breach obligations.

Breach Notification Rule essentials

An impermissible use or disclosure of unsecured PHI is presumed a breach unless a documented risk assessment shows a low probability of compromise. If a breach occurs, Data Breach Notification to affected individuals must be provided without unreasonable delay and no later than 60 days from discovery; additional notices to regulators and, for larger incidents, to the media may be required.

State Health Data Privacy Laws

States increasingly regulate consumer health data that falls outside HIPAA. These laws often reach health apps, wearable platforms, adtech stacks, data brokers, and analytics providers even when no Covered Entity is involved.

California CCPA/CPRA

CCPA (as amended by CPRA) generally excludes PHI processed under HIPAA but covers consumer health information collected outside HIPAA. You must provide notice, honor rights requests, and enable opt-outs of “sale” and “sharing” (including cross-context behavioral advertising). Sensitive personal information—such as health data—is subject to additional limitations, and certain security breaches can trigger a private right of action.

Dedicated consumer health data laws (e.g., Washington, Nevada)

Washington’s My Health My Data Act and Nevada’s consumer health data law impose heightened duties for collection, sharing, and sale of health-related data derived from inferences, purchases, or tracking. Many activities require a specific, documented Consumer Health Data Authorization that states data types, purposes, recipients, and retention, and both states restrict geofencing around health care locations.

Other comprehensive state privacy laws

States such as Colorado, Connecticut, Virginia, and Utah treat health information as “sensitive,” generally requiring opt-in consent, purpose limitation, data minimization, and strong processor contracts. These frameworks apply to a broad range of entities, bringing health-adjacent monetization models squarely within state oversight.

State breach notification statutes

All states have breach notification laws covering certain personal information, with deadlines and content requirements that vary. Even if HIPAA does not apply, you may owe timely notices to individuals and, in some cases, to state authorities and consumer reporting agencies.

Federal Trade Commission Authority

The FTC polices companies that fall outside HIPAA—or operate in mixed contexts—through two main levers: Section 5 of the FTC Act and the Health Breach Notification Rule.

Unfair or Deceptive Acts and Practices

Under Section 5, the FTC can challenge Unfair or Deceptive Acts and Practices. Monetization models that contradict your privacy promises, secretly transmit health data to advertising platforms or analytics vendors, or misuse tracking pixels can be deemed deceptive or unfair. “HIPAA-compliant” marketing claims are risky if your practices do not match the label.

Health Breach Notification Rule for health apps and PHRs

The Health Breach Notification Rule (HBNR) covers vendors of personal health records, related entities, and their service providers when they are not regulated by HIPAA. An unauthorized acquisition of unsecured personal health record information—including certain disclosures to third parties—can trigger notices to individuals and the FTC within specified time frames, with additional obligations for larger incidents.

Practical takeaways

Align your disclosures with actual data flows, minimize health signals used for advertising, vet adtech and analytics partners, and maintain a breach response plan that accounts for both state law and HBNR obligations.

De-Identification Standards for PHI

De-identification is central to compliant health data monetization. Under HIPAA, data that is de-identified is no longer PHI; however, other laws may still regulate its use, and contracts should prohibit re-identification.

Safe Harbor method

Remove the 18 enumerated identifiers (for example, names; street address and smaller geographies; most elements of dates; contact numbers; email; Social Security, medical record, and device identifiers; IP addresses; biometric identifiers; full-face photos; and comparable unique codes), and ensure you have no actual knowledge that remaining data could identify an individual.

Expert Determination method

Engage a qualified expert to apply statistical or scientific principles demonstrating a very small risk of re-identification. The expert must document methods, assumptions, and results. This pathway supports richer datasets where Safe Harbor would strip too much utility.

Limited Data Set and data use agreements

A Limited Data Set is not fully de-identified but excludes direct identifiers while permitting certain fields such as dates and broader geography. It requires a Data Use Agreement that limits purposes (e.g., research, public health), prohibits re-identification, and mandates safeguards.

Residual risk management

Beyond HIPAA, strengthen De-Identification Methods with technical and organizational controls: differential privacy or noise injection, tokenization, k-anonymity or l-diversity targets, cell-size suppression, access governance, and ongoing re-identification testing.
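As an added example that is not part of the original article, the following Python script shows how the Safe Harbor field handling described above (dropping direct identifiers, truncating ZIP codes to three digits, reducing dates to years, and collapsing ages over 89 into a single "90+" category) fits together with one of the residual-risk controls just listed: a k-anonymity check with cell-size suppression over the remaining quasi-identifiers. The sample records, field names, the `LOW_POPULATION_ZIP3` set standing in for the census-derived list of sparsely populated ZIP prefixes, and the reference date are all constructed assumptions; a real pipeline would take those from your data inventory and the current census tables.

```python
"""Safe Harbor stripping plus a k-anonymity check (added example, constructed data)."""
from collections import Counter
from datetime import date

# Fields treated as direct identifiers in the Safe Harbor list
# (names, contact details, SSN, medical record number, IP and device identifiers).
DIRECT_IDENTIFIER_FIELDS = {"name", "email", "phone", "ssn", "mrn", "ip", "device_id"}

# Constructed stand-in for the 3-digit ZIP prefixes whose combined population is
# 20,000 or fewer; Safe Harbor requires those prefixes to be replaced with "000".
LOW_POPULATION_ZIP3 = {"036"}

# Constructed sample records; every name, number and date here is made up.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "dob": "1950-03-14", "zip": "98101", "email": "jane@example.org",
     "ssn": "123-45-6789", "mrn": "MRN-001", "ip": "203.0.113.5", "visit_date": "2024-02-01", "dx": "I10"},
    {"name": "John Roe", "dob": "1952-07-02", "zip": "98109", "email": "john@example.org",
     "ssn": "987-65-4321", "mrn": "MRN-002", "ip": "203.0.113.6", "visit_date": "2024-03-11", "dx": "I10"},
    {"name": "Ann Poe", "dob": "1931-01-20", "zip": "98101", "email": "ann@example.org",
     "ssn": "111-22-3333", "mrn": "MRN-003", "ip": "203.0.113.7", "visit_date": "2024-01-05", "dx": "E11"},
    {"name": "Bob Loe", "dob": "1988-11-30", "zip": "03600", "email": "bob@example.org",
     "ssn": "444-55-6666", "mrn": "MRN-004", "ip": "203.0.113.8", "visit_date": "2024-05-15", "dx": "J45"},
    {"name": "Eve Moe", "dob": "1987-05-05", "zip": "98101", "email": "eve@example.org",
     "ssn": "777-88-9999", "mrn": "MRN-005", "ip": "203.0.113.9", "visit_date": "2024-04-20", "dx": "J45"},
]
AS_OF = date(2024, 6, 30)          # constructed reference date for age calculation
QUASI_IDENTIFIERS = ("zip3", "age_band")


def generalize_zip(zip5: str) -> str:
    """Keep the first three ZIP digits unless the prefix is sparsely populated."""
    zip3 = zip5[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of, counting the birthday itself."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def age_band(age: int) -> str:
    """Decade bands; ages over 89 collapse into the single '90+' category."""
    if age >= 90:
        return "90+"
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def safe_harbor(record: dict, as_of: date) -> dict:
    """Return a copy of the record with Safe Harbor identifiers removed or generalized."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}
    dob = date.fromisoformat(out.pop("dob"))
    age = age_on(dob, as_of)
    out["age_band"] = age_band(age)
    # Year of birth may stay only when it does not itself reveal an age over 89.
    out["birth_year"] = None if age >= 90 else dob.year
    out["visit_year"] = date.fromisoformat(out.pop("visit_date")).year
    out["zip3"] = generalize_zip(out.pop("zip"))
    return out


def equivalence_classes(records, quasi_identifiers) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers) -> int:
    """The k the dataset actually achieves: the size of its smallest equivalence class."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def suppress_small_cells(records, quasi_identifiers, k: int) -> list:
    """Drop every record whose equivalence class has fewer than k members."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [r for r in records if classes[tuple(r[q] for q in quasi_identifiers)] >= k]


def run_pipeline(k: int = 2):
    """Strip identifiers, measure k, then suppress cells below the target k."""
    deid = [safe_harbor(r, AS_OF) for r in SAMPLE_RECORDS]
    achieved_k = k_anonymity(deid, QUASI_IDENTIFIERS)
    released = suppress_small_cells(deid, QUASI_IDENTIFIERS, k)
    return deid, achieved_k, released


if __name__ == "__main__":
    deid, achieved_k, released = run_pipeline()
    print(f"after Safe Harbor: {len(deid)} records, k={achieved_k} on {QUASI_IDENTIFIERS}")
    print(f"after suppression (k>=2): {len(released)} records")
    for r in released:
        print(r)
```

Note that Safe Harbor alone leaves the small sample at k=1: three of the five records are each unique on ZIP prefix and age band, so a cell-size rule at k=2 releases only the two that share a class. That gap between "no longer PHI under Safe Harbor" and "low re-identification risk in practice" is exactly why the residual-risk controls above belong in the program.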

Consumer Rights under State Laws

State privacy regimes grant consumers direct control over their health-related information, particularly when monetization involves data outside HIPAA.

Core rights you must enable

  • Access and portability: provide copies of personal data in a usable format.
  • Deletion: erase data you collected from or about the consumer, subject to exceptions.
  • Correction: fix inaccurate personal data where feasible.
  • Transparency: give clear, prominent notices about categories, sources, purposes, and recipients.

Opt-outs and sensitive data opt-ins

Enable opt-outs of sale, sharing, and targeted advertising. For sensitive data, including health information and precise geolocation, many laws require opt-in consent. In states with dedicated consumer health statutes, certain processing and any sale may require a standalone Consumer Health Data Authorization.

Operationalizing rights requests

Offer at least two intake methods, verify identity, respond within statutory timelines, and track appeals. Apply data minimization and purpose limitation so your systems only retain what you can defend and fulfill.

Special cases and exceptions

Consider additional protections for minors, ensure contracts with processors reflect your duties, and remember that truly de-identified or aggregated data is generally outside the scope of consumer rights—but re-identification or sloppy aggregation can forfeit that status.

HITECH Act Research Exceptions

HITECH tightened HIPAA’s “sale of PHI” prohibition yet preserved research pathways when proper guardrails exist. You can monetize through research support or data services without selling PHI outright, provided you structure payments and permissions correctly.

Research pathways

  • Authorization: obtain an individual’s HIPAA research authorization, which may be broad for future research within stated parameters.
  • IRB/Privacy Board waiver: disclose PHI without authorization if regulatory waiver criteria are met (minimal risk, impracticability, and adequate safeguards).
  • Limited Data Set: share under a Data Use Agreement for research, public health, or health care operations.

Cost-based remuneration

Receiving payment for preparing or providing PHI for research is permitted if limited to a reasonable, cost-based fee rather than profit on the data itself. Document calculations, purposes, and restrictions to show compliance.

Data governance in collaborative environments

In Health Information Exchanges and multi-institutional projects, align BAAs, DUAs, and research protocols, maintain access controls and audit trails, and clearly separate research from marketing or advertising uses.

Compliance Strategies for Monetizing Health Data

A disciplined program reduces risk while unlocking legitimate value. Treat privacy and security as product features, not afterthoughts.

1) Map your data and your role

  • Inventory data elements, sources, destinations, and enrichment signals.
  • Classify datasets as PHI, consumer health data, personal data, de-identified, or aggregated.
  • Determine whether you are a Covered Entity, Business Associate, or a non-HIPAA entity subject to state privacy laws and the FTC.

2) Choose a lawful path to value

  • License de-identified datasets or deliver aggregated insights with contractual no re-identification clauses.
  • Use a Limited Data Set with a Data Use Agreement for research or operations.
  • Rely on HIPAA authorization when you need identifiable data for commercial uses not otherwise permitted.
  • Where applicable, obtain a Consumer Health Data Authorization for collection, sharing, or sale under state law.
  • If you touch the EU or UK, treat health data as special category data under GDPR, use explicit consent or another narrow exception, and apply an approved cross-border transfer mechanism when moving data internationally.

3) Build privacy by design

  • Minimize data, segment environments, apply strong encryption, and enforce least-privilege access.
  • Adopt robust De-Identification Methods (expert determination, noise injection, tokenization) and validate utility vs. risk.
  • Eliminate or strictly govern advertising pixels and SDKs in health-related contexts.
  • Stand up clear notices, choice flows, and preference centers that match actual data uses.

4) Contracting and accountability

  • Execute BAAs, DUAs, and processor agreements with precise purpose, retention, and security terms.
  • Set breach playbooks that satisfy HIPAA, HBNR, and state Data Breach Notification timelines.
  • Conduct DPIAs or risk assessments for sensitive processing and maintain auditable records.

5) Monetization models that travel well

  • On-premise or virtual clean rooms where customers run queries without removing raw data.
  • Syndication of de-identified cohorts and trend analytics with k-anonymity thresholds.
  • Outcome-based services (e.g., risk scoring delivered as an API) that keep identifiers in your environment.

Conclusion

Successful health data monetization starts with scoping: know whether you are dealing with PHI under HIPAA, consumer health data under state law, or GDPR special category data. Use de-identification, explicit permissions, and cost-based research pathways to stay compliant, and reinforce everything with strong security, truthful disclosures, and disciplined vendor controls. When in doubt, tighten purposes, reduce data, and document your justification.

FAQs

What are the key HIPAA rules impacting health data monetization?

Three pillars dominate: the Privacy Rule’s limits on use and disclosure (including the prohibition on selling PHI without authorization), the Security Rule’s safeguard requirements for electronic PHI, and the Breach Notification Rule’s duties after incidents. Add “minimum necessary,” Business Associate oversight, and HIPAA-compliant de-identification if you plan to commercialize insights rather than identifiable data.

How do state laws differ from HIPAA in regulating health data?

HIPAA focuses on PHI handled by Covered Entities and Business Associates. State laws reach far beyond, regulating consumer health data collected by apps, platforms, and data brokers, imposing opt-outs or opt-ins, requiring Consumer Health Data Authorization for certain activities, restricting geofencing, and granting access, deletion, and correction rights—even when no traditional health provider is involved.

What methods are approved for de-identifying health data?

HIPAA recognizes two routes: Safe Harbor (removal of 18 direct identifiers with no actual knowledge of identifiability) and Expert Determination (a qualified expert finds a very small re-identification risk using statistical or scientific methods). A Limited Data Set is a separate option for specific purposes under a Data Use Agreement but is not fully de-identified.

When must a breach notification be issued?

Under HIPAA, notify affected individuals without unreasonable delay and no later than 60 days after discovery; large breaches also require regulator and media notices. The FTC’s Health Breach Notification Rule imposes similar timelines on non-HIPAA health apps and personal health record vendors. State breach laws may set additional deadlines and content requirements, so plan for the most stringent rule that applies.
