Skip to content

GUIDE · UPDATED 2026-07

Health data and the limits of HIPAA

HIPAA protects records held by doctors and insurers — but not the health-adjacent data brokers buy and sell. Know the gap.

HIPAA protects your medical records held directly by doctors, hospitals, and insurers—but it has a significant blind spot. Health data brokers and wellness apps operate outside HIPAA's reach, collecting and selling inferences about your health based on shopping habits, web searches, and app activity. Understanding this gap helps you know where HIPAA protects you and where you need to act separately.

What HIPAA actually covers

HIPAA requires health providers, insurers, and their business partners to keep your medical records private and secure. You have the right to see those records and request corrections. This protection applies to information held by your doctor's office, hospital, clinic, health plan, and contractors they hire to process claims or store data. If HIPAA-covered entities mishandle your information, they face serious penalties.

The health data broker problem

Data brokers operate independently of the medical system. They legally buy and combine information like your pharmacy purchases, searches for symptoms online, visits near fertility clinics, or data from free wellness apps. HIPAA doesn't touch this activity because it isn't part of your clinical care. A broker's profile about your health—inferred from behavioral data—sits entirely outside HIPAA's protections.

Your actual levers

Since federal HIPAA law doesn't reach these brokers, you'll need to use other tools:

  • State privacy laws: Some states give you the right to know what data brokers hold about you and to request deletion.
  • Broker opt-outs: Many health data brokers allow you to remove yourself from their databases directly.
  • App settings: Review privacy policies for wellness and fitness apps you use; adjust permissions and data-sharing settings.
  • Direct requests: Contact brokers or data providers directly to ask about health-related profiles and opt out.

The combination of state law, broker opt-out programs, and your own choices is currently the main defense against health-inferred data sales. HIPAA is strong medicine for clinical settings—just not for the broader ecosystem.

Primary sources