Privacy is becoming a product differentiator
Public expectations for health-data protection are rising and companies are feeling the heat from both lawsuits and proposed federal rule changes. Consumers are being warned about AI chatbots and health apps that collect sensitive data, a $135M Google data‑collection settlement is prompting notice campaigns, and startups are being told a 2026 HIPAA Security Rule overhaul will raise cybersecurity controls for health tech operators. (lymedisease.org; wtol.com; nchstats.com)
A health app can feel like a diary with a pulse sensor, but many of the apps people use for symptoms, fertility, sleep, or chatbot advice sit outside the federal medical privacy law called the Health Insurance Portability and Accountability Act, or HIPAA. A LymeDisease.org warning published on April 9 said many chatbots and consumer health apps can store, analyze, share, or even sell what users type in. (lymedisease.org)

That gap matters because people are already using these tools like a first stop instead of a waiting room. The same LymeDisease.org piece cites a Kaiser Family Foundation survey finding that 1 in 6 people use artificial intelligence chatbots for health questions each month. (lymedisease.org)

Once a lab result or diagnosis leaves a hospital portal and gets pasted into a chatbot box, the legal wrapper changes. LymeDisease.org warned that some platforms now invite users to upload medical records, but once that information leaves a HIPAA-protected setting, the old protections are gone. (lymedisease.org)

The market pushing companies to collect that information is huge. LymeDisease.org cited Center for Democracy and Technology concerns and said the broader data market is worth $434 billion, with health data prized for advertising, resale, and training artificial intelligence systems. (lymedisease.org)

Now the legal pressure is getting concrete. Google agreed to a $135 million settlement in a class action over claims that Android devices used customers’ paid cellular data for background transfers without proper consent, and news outlets reported this week that the settlement website is live for users checking eligibility or payment options. (classaction.org) (cnet.com) The proposed class covers more than 100 million United States Android users outside California who used cellular data between November 12, 2017 and final approval, according to ClassAction.org. A separate California case had already settled for $314.6 million for about 14 million California Android users. (classaction.org)

At the same time, Washington is moving on the rulebook for the medical system itself. The United States Department of Health and Human Services said on December 27, 2024 that it was proposing the first major update to the HIPAA Security Rule since 2013 to push hospitals, insurers, clearinghouses, and business associates toward stronger cybersecurity. (hhs.gov)

The government’s own numbers explain why the rewrite is happening now. The Department of Health and Human Services said reports of large health data breaches rose 102 percent from 2018 to 2023, while the number of affected people rose 1002 percent, and more than 167 million people were affected by large breaches in 2023 alone. (hhs.gov)

The proposed rule, published in the Federal Register on January 6, 2025, would tighten protections for electronic protected health information, which is the digital version of your medical chart. The agency said the changes are aimed at confidentiality, integrity, and availability, meaning records should stay private, accurate, and reachable during an attack. (federalregister.gov)

That leaves health startups in an awkward middle lane. If they market themselves like consumer apps, users now expect hospital-grade privacy anyway, and if they work with doctors, insurers, or hospitals, a tougher HIPAA regime is moving closer. (hhs.gov) (lymedisease.org)

So privacy is starting to look less like boilerplate and more like a feature customers can compare. In a market where one company is sending settlement notices, federal regulators are rewriting security rules, and patients are being told not to paste medical records into chatbots, “trust us” is turning into a product claim that has to survive court filings and audits. (classaction.org) (hhs.gov) (lymedisease.org)