The regulatory framework designed to protect patients’ health information is struggling to keep pace as patients increasingly share their health data with apps, wearables and AI tools — and the gap is widening.
The federal government has stepped back from enforcing the Health Insurance Portability and Accountability Act, a two-decade-old law that protects consumer health information, just as state legislatures have accelerated their own privacy efforts, making compliance more fragmented and unpredictable, experts say.
For healthcare leaders, the near-term outlook is straightforward: Managing consumer health data privacy will get more complicated before it gets simpler, and a comprehensive federal solution is not on the horizon.
“HIPAA always was a patchwork, and the gaps have grown with the proliferation of AI,” said Lisa Bari, vice president of policy and partnerships at Innovaccer, a health IT company. “Unfortunately, if people truly believe that their data is private, they’re wrong.”
Patchwork of state laws attempts to solve gaps in federal enforcement
HIPAA was designed to govern health data held by covered entities — providers, payers and their business associates. However, the amount of sensitive health-related information held by entities that HIPAA does not cover has exploded alongside the proliferation of consumer-facing health apps, wearables and AI tools.
The Biden administration attempted to expand some oversight over health information by requiring vendors of personal health records and related entities to notify consumers of data breaches involving unsecured information. In 2023, GoodRx was the first company fined by the Federal Trade Commission for failing to notify users after sharing sensitive health data with platforms like Facebook and Google for advertising.
But the Trump administration has not enforced regulations governing consumer health data as aggressively, creating confusion for covered entities.
“It’s not necessarily clear what organizations are expected to do under the current FTC,” said Melissa Levine, a partner at the law firm Hogan Lovells who advises clients on privacy compliance.
The federal enforcement problem is not limited to the FTC. Bari, who previously worked on health IT issues at the CMS’ Innovation Center, said federal agencies often announce enforcement priorities, but fail to follow through.
Part of the problem is structural, she said. Regulatory responsibility for health data is distributed across multiple agencies that don’t consistently coordinate, making it easy for enforcement to fall through the cracks. The Trump administration’s deregulatory posture has not resolved that problem so much as made it easier to ignore, she added.
“The only way that this patchwork works is if there’s actual enforcement and a change in behavior,” Bari said. “If the penalties are just a cost of doing business, nothing’s going to change.”
States try to fill the gap in federal standards
Connecticut, Maryland, Nevada and Washington have enacted consumer health data privacy laws, with additional laws pending in other states. The laws require covered entities like health apps to develop more robust data privacy policies and require additional consent before disclosing some health data, according to law firm Hunton Andrews Kurth.
Those laws exist alongside broader state data privacy statutes, AI laws and others — all of which apply differently, depending on the organization, the data type and the jurisdiction, Levine said.
“You have a number of challenging laws that entities have to navigate,” Levine said.
Making matters worse, patient behavior is moving faster than regulation.
Bari said there’s been a significant shift in how consumers relate to their own health data. In addition to gaining new access to their electronic health records thanks to greater interoperability, patients also voluntarily enter sensitive health information into consumer AI tools, such as ChatGPT, often without fully understanding the data privacy risks, including data shared with advertisers and other brokers for sale.
“People are increasingly voting with their feet and saying that access to information is more important,” Bari said.
In practice, this means sensitive health data is flowing into unregulated environments, regardless of what HIPAA or state consumer laws require of covered entities. The exposure, Bari said, is real and growing.
No federal solution coming soon
Multiple attempts at federal legislation that would address consumer health data privacy have stalled, and that’s unlikely to change anytime soon, experts say.
A federal bill would have to resolve whether it would preempt state laws or include a private right of action, which would allow individuals and organizations to sue over violations, even in the absence of regulatory enforcement, Levine said. Both issues have historically divided lawmakers and industry.
“It’s not easy to comply with differing restrictions or requirements on different data from different places,” Levine said.
Even expanding HIPAA, which would require statutory change, would not resolve the patchwork by itself, because HIPAA does not preempt more stringent state laws. With federal action unlikely, Levine said she expects states to keep moving: more consumer health data privacy laws, more state AI laws and increased activity from state attorneys general emboldened by the federal government’s weaker regulatory and enforcement efforts.
Providers and payers, meanwhile, occupy a somewhat more insulated position than other types of organizations. Because they are primarily subject to HIPAA, they are largely exempt from state consumer health data privacy laws. But that exemption does not extend to all state privacy laws, and state AI laws, in particular, represent a growing area of exposure that HIPAA-covered entities cannot ignore, Levine said.
So, healthcare organizations should monitor state legislative developments closely and build processes capable of accommodating stricter standards before they become legally required, Levine said.
“Organizations should work to anticipate where laws may go and try to future-proof a bit,” Levine said, noting that it can help organizations avoid a constant “state of uncertainty or having to modify their existing processes.”
Bari, meanwhile, urged providers and payers to take an active role in educating patients about the risks of sharing health data through unsecured channels. No federal campaign is coming to fill that gap, Bari said.
“I really do think that providers and payers should help with education,” Bari said. “But do not condescend to patients because they absolutely want to use and access their data.”
Voluntary frameworks
With federal regulatory action stalled, the Trump administration is leaning on voluntary initiatives to shape data privacy practices for health technology.
The CMS launched its Health Tech Ecosystem initiative in July to improve data interoperability and expand patient access to health information through private-sector partnerships. The centerpiece of the initiative, dubbed “Kill the Clipboard,” aims to allow patients to share health information via mobile device rather than re-entering it at every provider visit. Innovaccer is among the early participants.
The Health Tech Ecosystem’s interoperability framework includes several provisions related to data privacy, including requirements that companies accept digital credentials for both patients and providers issued by a CMS-approved service and maintain certain security certifications.
The initiative is explicitly post-regulatory. Instead of waiting for new rules, the Trump administration wants companies to pledge, demonstrate results and earn recognition from the CMS voluntarily, Bari said.
Despite its limitations, that approach may be the most realistic, Bari said, given the current regulatory environment.