Floriva: 81% wrongly trust HIPAA

- FlorivaApp on May 17 highlighted ClearDATA’s 2023 Harris Poll finding that 81% of U.S. adults wrongly assume health app data is protected by HIPAA.
- The clearest number is 81%: that share of Americans assumed health data gathered by any digital health app is protected.
- HHS and the FTC maintain mobile health app guidance tools that developers can use to check which federal rules apply.

FlorivaApp on May 17 pointed users to a privacy gap that U.S. regulators and health-data companies have been warning about for years: many consumer health apps are not covered by HIPAA. The company cited a ClearDATA survey conducted online by The Harris Poll that found 81% of U.S. adults assumed health data collected by digital health apps was protected under HIPAA. ClearDATA published the survey results on July 11, 2023, and said the poll covered more than 2,000 U.S. adults age 18 and older. Federal guidance from the Department of Health and Human Services and the Federal Trade Commission says HIPAA applies to covered entities and business associates, not automatically to every consumer app.

### Why do so many people get HIPAA wrong when they use health apps?

The ClearDATA-Harris Poll found that 68% of Americans said they were very or somewhat familiar with HIPAA, even as 81% assumed all protected health data collected by digital health apps was covered by the law. ClearDATA said that misunderstanding can leave users unaware that app makers may handle data differently from hospitals, insurers or doctors’ offices. (cleardata.com)

HHS says the HIPAA Privacy, Security and Breach Notification Rules apply to health plans, most healthcare providers, healthcare clearinghouses, and business associates working for those entities. The FTC’s mobile health app tool says developers should expect that more than one federal law may apply, depending on what an app does and who operates it. (cleardata.com)

### Which apps are outside HIPAA, even if they handle health information?

The FTC says consumer health information in an app that is not offered by a HIPAA covered entity or its business associate likely would not be subject to the HIPAA Rules. Its guidance lists common examples of health apps, including tools that track fitness, diet, mood, sleep, menstruation, fertility, smoking, alcohol use and medications. (hhs.gov)

HHS separately says app developers can use scenario-based guidance to assess when they may be acting as business associates under HIPAA. That distinction matters because the same type of data can face different legal treatment depending on who collects it and on whose behalf they act. (ftc.gov)

### If HIPAA does not apply, what federal rules still can?

The FTC said in April 2024 that its updated Health Breach Notification Rule applies to health apps and similar technologies that are not covered by HIPAA. The agency said vendors of personal health records and related entities must notify individuals, the FTC and, in some cases, the media after a breach of unsecured personally identifiable health data. (hhs.gov)

The FTC also said the rule’s definition of a breach includes unauthorized disclosures, not only classic hacking incidents. In that update, the agency pointed to prior settlements with GoodRx and Easy Healthcare as examples of enforcement tied to health-data sharing practices. (ftc.gov)

### What was FlorivaApp telling users and builders to do?

FlorivaApp’s post could not be independently retrieved from X through public page text, but the underlying advice matches current federal guidance: developers should build privacy and security protections into products from the start, and users should not assume a health app is covered by HIPAA simply because it handles sensitive information. HHS says building privacy and security protections into technology products enhances their value by giving users assurance that information is secure and used only as approved or expected. (ftc.gov)

FTC guidance says developers should examine what data an app collects, shares, uses or maintains before deciding which rules apply. That framework is especially relevant for apps handling menstruation, fertility and other sensitive trackers that the FTC lists among the categories covered by its mobile health app tool. (hhs.gov)

### Where can developers and users check the rules for themselves?

HHS says its “Resources for Mobile Health Apps Developers” page was last reviewed on April 22, 2026. The page links to the FTC’s interactive tool, HHS guidance on health app use scenarios and cloud-computing guidance for HIPAA-regulated entities and business associates. (ftc.gov)

The FTC’s mobile health app interactive tool remains publicly available, and the agency’s April 26, 2024 update on the Health Breach Notification Rule lays out how the revised rule applies to health apps and similar technologies outside HIPAA. Those two federal resources are the next stop for developers deciding how to design or market a consumer health app. (ftc.gov) (hhs.gov)
