79% of health and wellness apps share user data with third parties without informed consent, yet fall outside HIPAA protections because they are not affiliated with healthcare providers
The vast majority of consumer health applications -- including fitness trackers, period trackers, mental health apps, and diet apps -- are not subject to HIPAA because they have no affiliation with hospitals, clinics, or other covered entities. A study found that 79% of health apps routinely sold or shared user data without being transparent with users. The period-tracking app Flo leaked sensitive reproductive cycle data to Facebook and Google for ad targeting. Why it matters: hundreds of millions of users entrust intimate health data to apps they believe are private. That data flows to advertising networks and data brokers without users' knowledge, so sensitive conditions such as mental health diagnoses, fertility status, and medication use become inputs for targeted advertising. In a post-Dobbs legal landscape, reproductive health data can be subpoenaed by prosecutors in states that criminalize abortion, so women face potential criminal prosecution based on data they shared with an app they trusted to be confidential. The structural root cause is that HIPAA was written in 1996 for healthcare providers and insurers, leaving a massive regulatory gap in which consumer health apps collecting identical categories of sensitive data face no federal health privacy obligations whatsoever.
Evidence
A 2019 BMJ study found that 79% of health apps shared user data without transparency. The Flo period tracker was found to be leaking reproductive cycle data to Facebook and Google for ad targeting. Washington State's My Health My Data Act (effective March 31, 2024) was the first state law attempting to close the HIPAA gap, requiring opt-in consent and banning geofencing near reproductive health clinics. The FTC's amended Health Breach Notification Rule (effective July 29, 2024) expanded its scope to fitness, fertility, and mental health apps. The Smartwatch Data Act was introduced in Congress to address wearable device privacy. Facebook settled with Texas for $1.4 billion (July 2024) over biometric photo data collected without consent. Sources: BMJ, Dickinson Wright, FTC, Washington State Legislature.