Health App Data Privacy: Your Rights in 2026

Quick note: Finance24Me is an independent information site. We do not provide medical or legal advice. This article is educational only.
Most consumer health apps are NOT covered by HIPAA. They fall under FTC privacy rules, state laws, or no specific privacy law at all. Knowing exactly what protections you have — and don’t have — helps you decide which apps to trust with sensitive health data.
Who Regulates Health App Privacy?
| App Type | Primary Regulator |
|---|---|
| Used by healthcare providers | HHS (HIPAA) |
| Consumer health/wellness app | FTC + state laws |
| Children’s apps | FTC (COPPA) |
| Apps with EU users | GDPR |
| Apps with California users | CCPA / CPRA |
| Apps with Washington users | Washington Health Privacy Act (2024) |
What HIPAA Covers (And Doesn’t)
HIPAA covers:
- Healthcare providers
- Health insurance plans
- Healthcare clearinghouses
- Business associates of the above (often including the apps they use)
HIPAA does NOT cover:
- Most consumer health apps you download yourself
- Wearable manufacturers (mostly)
- Wellness companies
- Direct-to-consumer telemedicine (sometimes)
- Period trackers, fitness apps, calorie counters
This is a critical distinction. Your medical records at the hospital are HIPAA-protected. Your sleep data on a fitness app might not be.
What FTC Health Privacy Rules Cover
The FTC’s Health Breach Notification Rule applies to:
- Vendors of personal health records (PHR)
- Third-party service providers
- Apps that collect health data
Requirements:
- Notify users of breaches within 60 days
- Notify FTC for breaches affecting 500+ people
- Truthful privacy policies (deceptive policies are FTC violations)
State Laws That Matter
| State | Law | What It Adds |
|---|---|---|
| California | CCPA / CPRA | Right to access, delete, opt-out of sale |
| Washington | My Health My Data Act | Stricter consent for “consumer health data” |
| Texas | Texas Medical Records Privacy Act | Consumer health data protection |
| Connecticut, Colorado | Privacy laws | Health data among protected categories |
| EU users | GDPR | Strongest individual rights |
The patchwork of state laws creates inconsistent protection.
Your Privacy Rights
Depending on jurisdiction and app type, you may have:
| Right | Where Applicable |
|---|---|
| Right to access your data | HIPAA, GDPR, CCPA, many states |
| Right to delete data | GDPR, CCPA, CPRA |
| Right to correct data | HIPAA, GDPR |
| Right to opt out of sale | CCPA, CPRA |
| Right to opt out of profiling | GDPR, some state laws |
| Right to data portability | HIPAA, GDPR |
| Right to file complaints | All regulators |
Common Health App Data Practices
What apps may do with your data:
- Use it to provide services (expected)
- Share with affiliates / parent company
- Share with marketing partners
- Sell to data brokers
- Use for AI training
- Share with advertisers
- Share with research partners
- Comply with legal requests (subpoenas)
The privacy policy tells you which.
How to Read a Privacy Policy
Look for:
| Section | What to Check |
|---|---|
| What we collect | Should match app’s purpose |
| How we use it | Should be limited to functional use |
| Who we share with | Avoid “marketing partners,” “advertisers” |
| Your choices | What can you opt out of? |
| Security measures | Encryption mentioned? |
| Data retention | How long is data kept? |
| Changes to policy | How will you be notified? |
| Contact for privacy questions | Real contact info |
A 50-page policy in dense legalese with vague terms is a warning sign.
Period-Tracking Privacy in 2026
After Dobbs v. Jackson (2022), period tracking data has new legal implications:
- Some states have restricted abortion
- Period data could potentially be subpoenaed
- Some apps have improved privacy in response (Flo’s “Anonymous Mode”)
- On-device storage (Apple Health) limits exposure
- Privacy-forward apps (Drip, Euki) store locally
See Period and Fertility Tracking Apps.
Mental Health App Privacy
Mental health data is particularly sensitive:
- Therapy session content
- Mood tracking
- Diagnoses entered or inferred
- Suicidal ideation flags
- Substance use information
Some mental health apps faced controversy in 2022–2023 for data sharing practices. Choose carefully.
What to Do If Your Privacy Is Violated
- Document the violation (screenshots, notifications)
- Contact the app developer in writing
- File complaint with FTC at reportfraud.ftc.gov
- File complaint with state AG if applicable
- File HIPAA complaint if covered entity violated rules (hhs.gov/ocr)
- Consider legal counsel for serious violations
Privacy Best Practices
| Practice | Why |
|---|---|
| Read privacy policies before installing | Know what you’re agreeing to |
| Use on-device storage when possible | Less data exposure |
| Use minimal permissions | Reduce data collection |
| Use unique passwords | Limit cross-app risk |
| Enable two-factor authentication | Account security |
| Periodically audit installed apps | Remove unused |
| Use built-in apps when possible (Apple Health, Google Fit) | Often better privacy |
| Avoid public Wi-Fi for sensitive activities | Encryption matters |
Helpful Resources
📖 FTC Health Privacy — privacy enforcement.
📖 HHS.gov Office for Civil Rights — HIPAA complaints.
📖 Electronic Frontier Foundation — privacy advocacy and resources.
📖 State Attorney General — state-level privacy enforcement.
Common Privacy Mistakes
- Not reading privacy policies
- Granting unnecessary permissions
- Using free apps for sensitive data
- Sharing data across many apps
- Not deleting old apps you no longer use
- Trusting “anonymous” data claims — re-identification possible
FAQ — Health App Data Privacy
Q: Are consumer health apps covered by HIPAA? A: Most are not. HIPAA covers healthcare providers, health plans, and their business associates. Most apps you download yourself fall under FTC and state law instead.
Q: Can my health app data be sold? A: Many apps do sell or share data. The privacy policy will tell you. CCPA-affected users can opt out of sale.
Q: Is Apple Health private? A: Apple Health stores data on-device, with end-to-end encryption when synced to iCloud. Apple doesn’t see the content. It is generally one of the better-privacy options.
Q: Can my insurance company see my fitness app data? A: Only if you opt in to share (some wellness programs offer incentives for sharing). Otherwise no.
Q: Can law enforcement subpoena my health app data? A: Yes, including period-tracking data in some jurisdictions. Privacy-forward apps may resist or limit data they have.
Related Reading on Finance24Me
- Top Health App Categories
- How to Choose a Health App
- Period and Fertility Tracking Apps
- Privacy and Security in Telemedicine
- Symptom Checker Apps Explained
Bottom Line
Most consumer health apps fall under FTC and state laws, not HIPAA. Read privacy policies carefully. Prefer apps with on-device storage, clear data practices, and minimal third-party sharing. Use built-in options (Apple Health, Google Fit) when possible. Be especially careful with period-tracking and mental health apps where data sensitivity is highest.
Disclaimer: This article is for informational and educational purposes only. It is not legal or medical advice, and Finance24Me does not provide medical care or legal services. Consult a privacy attorney for legal questions about specific situations.
By Finance24Me Editorial · Updated May 9, 2026