HIPAA and Wellness Apps: What Users Should Know

PeacefulBunnyHero

· 8 min read

When you log your mood, track your anxiety levels, or journal about a therapy session in a wellness app, you might assume your data is protected by the same strict privacy laws that guard your medical records. For most apps, that assumption is wrong. Understanding the gap between what users expect and what the law actually requires is critical for anyone using digital mental health tools.

What Is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. Its Privacy Rule, finalized in 2003, establishes national standards for protecting individuals’ medical records and personal health information. The Security Rule specifies safeguards for electronic protected health information (ePHI).

HIPAA’s key protections include:

  • Minimum necessary standard: Covered entities should only access and share the minimum health information needed for a specific purpose
  • Patient rights: Individuals can access their records, request corrections, and receive an accounting of disclosures
  • Breach notification: Entities must notify affected individuals, HHS, and in some cases the media when breaches occur
  • Enforcement: The Office for Civil Rights (OCR) at the Department of Health and Human Services enforces HIPAA, with penalties ranging from fines to criminal prosecution

The Critical Distinction: Covered Entities

Here is the part most users miss: HIPAA only applies to “covered entities” and their “business associates.” Covered entities are:

  1. Health care providers who transmit health information electronically (doctors, hospitals, pharmacies, therapists)
  2. Health plans (insurance companies, HMOs, government programs like Medicare)
  3. Health care clearinghouses (entities that process health information)

A business associate is any organization that handles protected health information on behalf of a covered entity — for example, a cloud hosting service storing a hospital’s patient records.

Where Wellness Apps Fall

Most consumer wellness apps, including mood trackers, meditation apps, and self-help mental health tools, are not covered entities under HIPAA. If you download a mood tracking app from the App Store and use it independently — not as part of a treatment prescribed by a healthcare provider — the app developer has no HIPAA obligations whatsoever.

This means:

  • The app can share your mood data with advertisers
  • There is no federal requirement for the app to encrypt your data
  • You have no HIPAA right to request deletion of your information
  • There is no mandatory breach notification if your data is exposed
  • The app can change its privacy practices with a simple terms-of-service update

The FTC confirmed this gap in its 2016 guidance on mobile health apps, noting that many health-related apps fall outside HIPAA’s scope.

When HIPAA Does Apply to Apps

There are scenarios where a wellness app would be covered by HIPAA:

  • Prescribed by a provider: If a therapist prescribes a specific app as part of treatment and the app receives or transmits ePHI to or from the provider, it may be a business associate
  • Integrated with an EHR: Apps that connect to electronic health records systems typically become business associates
  • Developed by a covered entity: If a hospital system creates its own patient-facing mood tracking app, HIPAA applies

Some telehealth platforms and therapy apps (like those connecting users with licensed therapists) may be covered because the therapists using the platform are covered entities. But even here, the coverage applies to the therapeutic relationship, not necessarily to all data the app collects.

The FTC Act: The Backup Protection

In the absence of HIPAA coverage, the primary federal protection for wellness app users is Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive trade practices. If an app’s privacy policy says “we don’t share your data” but the app shares data with third parties, the FTC can take enforcement action for deceptive practices.

Notable FTC enforcement actions involving health apps include:

  • Flo Health (2021): The period-tracking app settled with the FTC after allegations that it shared users’ health information with Facebook and Google for advertising, despite promising to keep such data private. The settlement required Flo to obtain user consent before sharing health data and to instruct third parties to delete previously shared data.
  • BetterHelp (2023): The FTC ordered the online counseling platform to pay $7.8 million after finding it shared users’ health data — including information about mental health conditions — with advertising platforms including Facebook, Snapchat, Criteo, and Pinterest, contrary to its privacy promises.

These cases demonstrate that while HIPAA may not apply, apps are not entirely unregulated. However, FTC enforcement is reactive (responding to complaints) rather than proactive, and it requires demonstrating that the company violated its own stated practices.

The Health Breach Notification Rule

In 2023, the FTC finalized updates to its Health Breach Notification Rule, originally issued in 2009. This rule applies specifically to entities not covered by HIPAA that handle personal health records. Under the updated rule:

  • Companies must notify consumers, the FTC, and in some cases the media of breaches involving personal health information
  • The definition of “breach” was expanded to include unauthorized sharing of health data with third parties (not just security incidents)
  • This means that if a mood tracking app shares your data with an advertiser without your authorization, it may now be considered a “breach” requiring notification

This rule significantly strengthened protections for wellness app users, though enforcement is still developing.

State-Level Protections

Several U.S. states have enacted stronger health data privacy laws:

Washington My Health My Data Act (2023)

Washington State passed the My Health My Data Act, which applies to all entities collecting, sharing, or selling health data from Washington residents — regardless of whether they are HIPAA-covered entities. Key provisions:

  • Requires consumer consent before collecting, sharing, or selling health data
  • Provides a private right of action (consumers can sue directly, not just rely on government enforcement)
  • Broadly defines “health data” to include data related to mental health, mood, and emotional states

California Consumer Privacy Act (CCPA/CPRA)

California’s privacy law gives consumers the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. While not health-specific, it covers health data collected by apps used by California residents.

Illinois Biometric Information Privacy Act (BIPA)

If a wellness app collects biometric data (voice recordings, facial scans), Illinois’s BIPA requires informed consent and provides a private right of action with statutory damages.

International Protections: GDPR

For users in the European Union, the General Data Protection Regulation (GDPR) provides stronger protections than U.S. federal law:

  • Health data is classified as “special category” data requiring explicit consent for processing
  • Users have the right to data portability, erasure (“right to be forgotten”), and access
  • Data protection impact assessments are required for high-risk processing
  • Fines can reach 4% of global annual revenue or 20 million euros, whichever is greater
  • A Data Protection Officer may be required for organizations processing health data at scale

The GDPR’s classification of mood and mental health data as “special category” data means that EU-based or EU-serving wellness apps face significantly stricter obligations than their U.S.-only counterparts.

What to Look For in a Wellness App

Given the regulatory landscape, users should evaluate wellness apps on several privacy dimensions:

Data Collection

  • What data does the app collect beyond what you actively enter?
  • Does it access location, contacts, or other device data?
  • Does it collect metadata (timestamps, usage patterns, device information)?

Data Sharing

  • Does the app share data with third parties? Which ones?
  • Is data shared for advertising purposes?
  • Can you opt out of data sharing?

Data Storage and Security

  • Is data encrypted in transit (HTTPS) and at rest?
  • Where are servers located?
  • How long is data retained?

User Rights

  • Can you export your data?
  • Can you request deletion?
  • What happens to your data if you delete the app?

Privacy Policy

  • Is the privacy policy written in clear language?
  • When was it last updated?
  • Does the company commit to notifying users of policy changes?

Practical Recommendations

  1. Read the privacy policy — specifically the sections on data sharing and third-party access
  2. Prefer apps that offer end-to-end encryption or local-only data storage
  3. Check for HIPAA compliance claims — but verify whether they actually apply to your use case
  4. Use apps that allow data export and deletion
  5. Be cautious with free apps — if you are not paying, your data may be the product
  6. Review app permissions — deny access to location, contacts, and other unnecessary data
  7. Consider jurisdiction — apps subject to GDPR or state laws like Washington’s My Health My Data Act offer stronger protections

Key Takeaways

  • Most consumer wellness and mood tracking apps are not covered by HIPAA because they are not “covered entities” or business associates.
  • The FTC Act, the Health Breach Notification Rule, and state laws provide some protection, but coverage is inconsistent.
  • Recent enforcement actions against Flo Health and BetterHelp demonstrate real consequences for deceptive health data practices.
  • Users should actively evaluate privacy policies, data sharing practices, and security features when choosing mental health apps.
  • The regulatory landscape is evolving, with new state laws and FTC rules gradually closing the gap between medical record protections and consumer wellness app practices.
