The key question: does HIPAA even apply to you?
HIPAA does not regulate health data in general. It regulates who holds the data: covered entities — healthcare providers, health plans, and clearinghouses — and their business associates, the vendors that create, receive, maintain, or transmit protected health information (PHI) on a covered entity's behalf. The same heart-rate reading can be PHI in one company's database and entirely outside HIPAA in another's. What matters is the relationship, not the data type.
The decision logic for a digital health startup:
- Direct-to-consumer, no covered-entity relationship: a wellness, fitness, cycle-tracking, or symptom app that users download themselves, with no provider or payer in the loop. HIPAA does not apply. But you are not unregulated — the FTC Health Breach Notification Rule, the FTC Act, and a growing stack of state health-privacy laws do apply.
- Selling to providers, payers, or their vendors: if a hospital, clinic, telehealth group, or health plan uses your product and any patient data touches your systems, you're a business associate and HIPAA applies — directly, with your own liability under the Security and Breach Notification Rules.
- You employ or contract the clinicians: if your "app" actually delivers care — your platform bills insurance or your medical group treats patients — you may be (or be intertwined with) a covered entity yourself, the heaviest scope.
- Hybrid models: many digital health companies run a consumer app and an enterprise product on the same backend. The enterprise side drags HIPAA in; segment the data flows or accept that the whole platform operates to the HIPAA standard.
If you're unsure which bucket you're in, work through the HIPAA compliance guide or the HIPAA glossary entry — the covered-entity/business-associate distinction is the foundation everything else sits on.
The FTC trap for consumer health apps
The most expensive mistake in consumer digital health is hearing "HIPAA doesn't apply to us" as "health-data rules don't apply to us." The FTC closed that gap — loudly — in 2023.
The FTC Health Breach Notification Rule covers vendors of personal health records and related apps that hold identifiable health information but aren't covered by HIPAA — which describes most consumer health apps. It requires notifying affected consumers, the FTC, and in larger incidents the media when health data is breached. Critically, the FTC interprets "breach" to include unauthorized disclosure, not just hacking: sending user health data to an ad platform without permission counts.
Two 2023 enforcement actions made the rule concrete:
- GoodRx (February 2023) — the FTC's first-ever Health Breach Notification Rule action. The agency alleged GoodRx shared users' health information — including medication and condition data — with advertising platforms such as Facebook and Google without user authorization, despite privacy promises. GoodRx agreed to a $1.5 million civil penalty and a prohibition on sharing user health data for advertising.
- BetterHelp (March 2023) — the FTC charged the online therapy platform with sharing consumers' health information, including data collected in intake questionnaires, with Facebook, Snapchat, and other platforms for advertising purposes after promising to keep it private. The settlement required $7.8 million to be returned to consumers and banned sharing health data for ads.
Neither company was subject to HIPAA for the conduct at issue. The FTC reached them anyway — through the breach rule and through Section 5's prohibition on deceptive practices. The practical lessons for any consumer health app: your privacy policy is an enforceable promise; ad-tech SDKs and tracking pixels in a health app are a regulatory exposure, not a growth tactic; and "we're not a HIPAA entity" is the beginning of your compliance analysis, not the end.
The moment HIPAA attaches
For startups on the B2B path, HIPAA doesn't arrive gradually — it attaches at identifiable moments. Watch for these:
- The first BAA. The day you sign a business associate agreement, you take on direct regulatory liability. Signing one you can't honor is worse than declining the deal: the agreement is evidence of exactly what you promised and didn't do.
- The first provider or payer customer. Even before paper is signed, a pilot where a clinic's patient data flows into your system makes you a business associate in fact. The obligation follows the data, not the contract date — which is why the BAA must be in place before the pilot starts.
- The first claims or EHR data. Integrating with an EHR, ingesting claims files, or pulling from a health information exchange is unambiguous PHI handling, with no consumer-app gray zone left to argue.
- The acquisition or partnership that imports PHI. Acquiring a company with provider contracts, or white-labeling into a payer's member portal, brings their HIPAA scope into your stack on day one.
The corollary: if you know one of these moments is two quarters away, that's your compliance deadline — not the day it happens.
Health AI: training, PHI, and de-identification
If your roadmap includes training or fine-tuning models on health data, HIPAA has specific things to say.
Training is not, by default, a permitted use of PHI. HIPAA permits covered entities to use PHI for treatment, payment, and healthcare operations. Building a commercial model usually isn't any of those — and if you're a business associate, you're further constrained: you may only use PHI as your BAA allows. Almost no standard BAA permits using customer PHI to train your models. That leaves two lawful doors:
- Patient authorization — explicit, HIPAA-valid authorization for the specific use. Workable for research-style programs; rarely practical at product scale.
- De-identification — transform the data so it's no longer PHI at all, at which point HIPAA no longer governs it.
HIPAA recognizes exactly two de-identification standards (45 CFR §164.514):
- Safe harbor: remove all 18 enumerated identifier categories — names, geographic subdivisions smaller than a state, all date elements more specific than year, phone numbers, emails, SSNs, medical record numbers, account numbers, device identifiers, IPs, biometric identifiers, full-face photos, and any other unique identifying number or code — and have no actual knowledge the remaining data could identify someone. Mechanical, auditable, and lossy: removing dates and geography hurts many clinical ML use cases.
- Expert determination: a person with appropriate statistical or scientific expertise applies accepted methods and documents that the re-identification risk is very small. More flexible and preserves more signal, but you need the expert, the documentation, and periodic re-evaluation.
Two warnings worth internalizing. First, stripping names is not de-identification — free-text clinical notes are notorious for embedded identifiers, and "anonymized" datasets with dates and zip codes have been re-identified in well-known research. Second, even with de-identified training data, your inference path may still process live PHI — that part of the system stays fully in HIPAA scope, including any third-party model API, which needs its own BAA.
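As an added illustration (not code from this page or from LukaGRC), the Python below applies the safe harbor transformations to one structured patient record and then scans its free-text note for identifier shapes that a field-level scrub would miss. It assumes the field names shown, a constructed sample record, and a placeholder set of low-population ZIP3 prefixes. The rule itself (45 CFR §164.514(b)(2)) lets you keep the first three ZIP digits only where that area holds more than 20,000 people, collapses ages over 89 into a single 90-or-older bucket (withholding a birth year that would reveal such an age), and keeps years but no finer date elements. Names cannot be found by shape, so the free-text pass scrubs the names the structured record already knows and reports every hit as a review flag, which is how the "no actual knowledge" condition gets evidence behind it.

```python
import re
from datetime import date

# Structured fields dropped outright. These map onto safe harbor categories
# (names, SSNs, phone numbers, emails, medical record numbers, IP addresses,
# account and device identifiers); the field names are this example's own.
DROP_FIELDS = {"name", "mrn", "ssn", "email", "phone", "ip", "account_no", "device_serial"}

# Constructed placeholder: ZIP3 prefixes whose combined population is 20,000 or
# fewer must be reported as "000". A real program derives this set from census data.
SMALL_ZIP3 = {"036", "059", "102"}

# Identifier shapes that commonly survive in free-text notes. Names cannot be
# caught by shape alone, so known names from the structured record are scrubbed
# separately and every hit is flagged for human review.
PATTERNS = {
    "DATE": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep only the first three ZIP digits, or '000' for low-population prefixes."""
    zip3 = zip_code[:3]
    return "000" if zip3 in SMALL_ZIP3 else zip3


def compute_age(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def scrub_free_text(text: str, known_names: list) -> tuple:
    """Replace identifier-shaped substrings with tags; return (clean_text, categories_hit)."""
    hits = []
    for name in known_names:
        token = name.strip(".")
        if len(token) < 2:
            continue  # a bare initial is too short to scrub safely by word match
        text, n = re.subn(r"\b%s\b" % re.escape(token), "[NAME]", text, flags=re.IGNORECASE)
        if n and "NAME" not in hits:
            hits.append("NAME")
    for label, pattern in PATTERNS.items():
        text, n = pattern.subn("[%s]" % label, text)
        if n:
            hits.append(label)
    return text, hits


def safe_harbor_deidentify(record: dict, as_of_iso: str) -> dict:
    """Apply the safe harbor transformations to one structured record."""
    as_of = date.fromisoformat(as_of_iso)
    out, flags = {}, []
    names = record.get("name", "").split()
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field == "birth_date":
            birth = date.fromisoformat(value)
            age = compute_age(birth, as_of)
            # Ages over 89 collapse to one bucket, and the birth year is withheld
            # because it would reveal that age.
            out["age"] = "90+" if age > 89 else age
            out["birth_year"] = None if age > 89 else birth.year
        elif field.endswith("_date"):
            out[field.replace("_date", "_year")] = date.fromisoformat(value).year
        elif field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "note":
            out["note"], hits = scrub_free_text(value, names)
            flags.extend(hits)
        else:
            out[field] = value  # clinical content such as diagnosis codes stays
    return {"record": out, "review_flags": flags}


# Constructed sample record; every value is invented for this example.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0099812",
    "ssn": "123-45-6789",
    "email": "jane.example@example.com",
    "phone": "(555) 010-2233",
    "ip": "203.0.113.7",
    "zip": "10017",
    "state": "NY",
    "birth_date": "1931-04-09",
    "admit_date": "2024-03-15",
    "diagnosis": "I10",
    "note": "Pt Jane Example, DOB 04/09/1931, seen 3/15/2024. Call 555-010-2233 re: BP log.",
}

if __name__ == "__main__":
    result = safe_harbor_deidentify(SAMPLE_RECORD, "2024-03-15")
    print(result["record"])
    print("needs review:", result["review_flags"])
```

The review flags are the point of the free-text pass: a note that produced hits contained identifiers the structured scrub never saw, so the dataset cannot honestly be called free of "actual knowledge" until someone has looked. Shape-based scanning catches dates, phones and the like but not names or addresses written in prose, which is why notes-heavy datasets usually end up on the expert-determination path or behind a dedicated clinical de-identification tool.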
Prepare before your first enterprise health deal
Here's the pattern that plays out constantly in digital health sales: a startup lands a meeting with a health system, the clinical champion loves the product, and then procurement sends the security packet — risk analysis on file? Written policies? Encryption posture? Breach response plan? Subcontractor BAAs? A SOC 2 report? For an unprepared team, that questionnaire adds three to six months to the deal, if it doesn't end it. Compliance isn't a legal checkbox in this market; it's a sales blocker that gates revenue.
The asymmetry is what makes preparation worth it: built ahead of need, a HIPAA foundation costs a few months of part-time effort (see the cost guide for real numbers). Built mid-deal, the same work happens under time pressure, in front of a skeptical buyer, while the deal cools.
A pragmatic implementation path:
- Find your gaps — run the free HIPAA SaaS readiness checker for an instant readout against the Security Rule.
- Run a documented risk analysis — the single artifact OCR and enterprise buyers both ask for first.
- Implement the technical safeguards — access control, audit logging, encryption at rest and in transit, integrity controls. This is mostly engineering work, much of which you may already have done.
- Write the policies and train the team — administrative safeguards: security officer designation, workforce training, sanction policy, contingency planning.
- Get BAA-ready on both sides — a reviewed BAA template you can sign with customers, and signed BAAs from every subcontractor touching PHI (cloud, email, analytics, AI APIs).
- Build the evidence habit — buyers re-ask annually; collecting evidence continuously in a GRC platform beats reassembling it per deal.
- Layer SOC 2 when sales demands proof — since no HIPAA certification exists, a SOC 2 report is the third-party attestation enterprise health buyers most often accept; the control overlap with the Security Rule means most of the work counts twice.
Related reading
- HIPAA for SaaS & digital health — the full resource hub
- HIPAA SaaS readiness checker — free instant gap readout
- HIPAA compliance guide — the complete walkthrough
- HIPAA compliance cost — what the program actually costs a SaaS company
- What is HIPAA? — the rules, entities, and penalties in glossary form
Common questions
Does HIPAA apply to fitness and wellness apps?
Usually not. HIPAA only applies if you're a covered entity (provider, health plan, clearinghouse) or you handle health information on behalf of one as a business associate. A direct-to-consumer fitness or wellness app with no covered-entity relationship is outside HIPAA — but it is covered by the FTC's Health Breach Notification Rule and the FTC Act, which the FTC has enforced aggressively against consumer health apps.
What is the FTC Health Breach Notification Rule?
A federal rule requiring vendors of personal health records and related apps not covered by HIPAA to notify consumers, the FTC, and in some cases media when identifiable health data is breached. The FTC treats unauthorized sharing — like sending user health data to advertisers without permission — as a breach, not just hacking. GoodRx was the first enforcement action under the rule in 2023, with a $1.5 million civil penalty.
Can I train AI on patient data?
Not freely. Training a model is generally not treatment, payment, or healthcare operations, so using PHI for it typically requires either patient authorization or proper de-identification under HIPAA's standards. If you're a business associate, your BAA almost certainly does not permit training on customer PHI unless it says so explicitly. De-identify first (safe harbor or expert determination), or get authorization.
What is de-identification under HIPAA?
HIPAA recognizes two methods. Safe harbor: remove all 18 specified identifier categories (names, geography smaller than state, dates more specific than year, contact info, IDs, biometrics, photos, etc.) and have no actual knowledge the data could identify someone. Expert determination: a qualified statistician documents that re-identification risk is very small. Properly de-identified data is no longer PHI and falls outside HIPAA.
When should a startup start on HIPAA compliance?
Before your first enterprise health deal enters security review — not after. Provider and payer customers will ask for your risk analysis, policies, safeguards, and BAA readiness during procurement, and building those from zero mid-deal adds months to the sales cycle. If selling to covered entities is on your roadmap, start the foundation one to two quarters ahead.
Is health data from a consumer app PHI?
Not by itself. Data only becomes PHI when it's created, received, maintained, or transmitted by a covered entity or its business associate. The same blood-pressure reading is PHI inside a hospital's system and not PHI in a direct-to-consumer app with no covered-entity relationship — but in the consumer context it's still regulated health data under FTC rules and state privacy laws.
What happened in the GoodRx and BetterHelp cases?
In February 2023 the FTC brought its first Health Breach Notification Rule action against GoodRx, alleging it shared users' health information with advertising platforms like Facebook and Google without authorization; GoodRx agreed to a $1.5 million civil penalty and a ban on sharing health data for ads. In March 2023 the FTC charged BetterHelp with sharing consumers' health data, including information from intake questionnaires, with platforms like Facebook and Snapchat for advertising; the settlement required $7.8 million in consumer refunds. Neither company was subject to HIPAA for the conduct at issue — the FTC reached them anyway.
Does a BAA make me HIPAA compliant?
No — it makes you HIPAA obligated. Signing a BAA is the moment you take on direct liability under the Security Rule and Breach Notification Rule. Compliance is the work that follows: risk analysis, written policies, administrative, physical, and technical safeguards, workforce training, and breach response capability.
Last updated: June 11, 2026 · Reviewed by the LukaGRC compliance team