HIPAA, the Health Insurance Portability and Accountability Act, establishes baseline privacy and security standards for protected health information (PHI) held by covered entities: healthcare providers, health plans, and healthcare clearinghouses, along with their business associates. What surprises many patients is what HIPAA does not cover: health apps, wellness platforms, direct-to-consumer genetic testing services, and many digital health tools are not covered entities and therefore operate outside HIPAA’s requirements.

What HIPAA Requires

HIPAA’s Privacy Rule restricts how covered entities can use and disclose PHI without patient authorization. Core requirements:

Use and disclosure limitations: PHI can be used for treatment, payment, and healthcare operations without patient authorization. Other uses (marketing to third parties, sharing with employers, selling data) require explicit written authorization.

Patient rights: Patients have the right to access their own health records, request corrections, and receive an accounting of disclosures.

Minimum necessary standard: Covered entities must limit use and disclosure of PHI to the minimum necessary for the intended purpose.

Security safeguards: Electronic PHI (ePHI) must be protected through technical, administrative, and physical safeguards.

Breach notification: If PHI is breached, covered entities must notify affected individuals within 60 days.

What Is a Covered Telehealth Entity

Licensed telehealth platforms that provide clinical services (prescribing medications, rendering diagnoses, conducting medical evaluations) are covered entities under HIPAA. Hims, Roman, Keeps, dedicated TRT platforms, and weight management telehealth providers that employ licensed prescribers are covered entities.

Their affiliated pharmacies are also covered entities, as are the third-party lab services these platforms use. Software vendors that handle ePHI on behalf of these platforms are business associates and must sign business associate agreements (BAAs).

What Falls Outside HIPAA’s Scope

Wellness apps and fitness trackers: MyFitnessPal, Apple Health, Fitbit, Oura Ring, and similar platforms collect health-related data but are not covered entities. Their privacy practices are governed by their own terms of service, not HIPAA. Data from these apps can be sold to third parties, shared with advertisers, or disclosed in legal proceedings in ways that HIPAA-covered health records cannot be.

Direct-to-consumer genetic testing: 23andMe, AncestryDNA, and similar services are not covered entities. Their privacy policies govern what happens to your genetic data, and those policies have been more permissive than HIPAA would require.

Digital therapeutics and mental health apps: Many mental health apps (Calm, Headspace) are not covered entities unless they have a clinical component involving licensed providers rendering care.

Telehealth platforms without clinical services: Health information websites, symptom checkers without a licensed provider rendering care, and AI health assistants are not covered entities.

Practical Implications

When sharing health information through a telehealth platform:

  • Verify whether the platform is a covered entity (do they have licensed prescribers and render clinical care?)
  • Read the privacy policy of any non-HIPAA platform, looking specifically for what data may be shared with third parties
  • Be aware that health data shared through wellness apps and fitness trackers does not carry HIPAA protections

When authorizing a telehealth platform to access data from non-HIPAA sources (pulling your Apple Health data, for example), understand that you are bringing non-protected data into a potentially HIPAA-covered system. HIPAA protections will apply to how the covered entity handles that data, but the original source (Apple Health) operated outside HIPAA.

For more on evaluating telehealth platforms overall, see How to Evaluate Any Online Men’s Health Clinic Before Signing Up.