
Health Data Enforcement Extends Beyond HIPAA: How Digital Health Companies Can Adapt

March 3, 2026

For digital health innovators, the regulatory landscape is shifting. Historically, HIPAA applied only to “covered entities” (health plans, certain providers, and clearinghouses) and their business associates. That boundary still exists in law, but enforcement pressure is increasingly extending into areas once considered outside HIPAA’s reach, particularly for consumer-facing health technologies and data ecosystems that handle sensitive information.

This shift matters because regulators are no longer relying on HIPAA alone to protect health-related data. Instead, they’re using multiple authorities in parallel, and enforcement activity is accelerating as we enter 2026.

HIPAA’s Legal Scope Hasn’t Changed, But Regulatory Enforcement Has

In strict statutory terms, HIPAA still applies only to covered entities and business associates as defined by federal law. The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) enforces HIPAA’s Privacy, Security, and Breach Notification Rules against those entities.

But enforcement pressure isn’t just confined there:

These developments mean companies handling health-related data, even if they aren’t formally “covered” by HIPAA, face more robust oversight across multiple regimes.

How the FTC and State Regulators Are Policing Health Data Outside HIPAA

A key element of this shift is the FTC’s Health Breach Notification Rule (HBNR), which extends breach reporting obligations to digital health apps and platforms that may not be covered by HIPAA.

  • The HBNR requires entities that qualify as “vendors of personal health records” under the Rule’s definition to notify individuals, the FTC, and, in certain cases, the media following breaches of unsecured health data.
  • Amendments finalized in 2024 clarify that health apps, wellness platforms, and other technologies handling individually identifiable health data can fall within the HBNR’s scope even if they’re outside HIPAA’s statutory reach.

This means breach reporting expectations similar to HIPAA’s now apply through a separate federal regime to many digital health products.

At the same time, FTC enforcement under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, has increasingly targeted undisclosed or misleading data practices by digital health apps and platforms. Courts and regulators have treated improper or opaque sharing of sensitive data (through channels like tracking tools or SDKs) as unfair when privacy policies do not reflect actual practices.

State consumer protection laws and emerging state privacy statutes, such as those recognizing sensitive data classifications, are also being used to address health data misuse outside HIPAA.

In practice, this creates a layered enforcement environment where HIPAA is part of the picture, but not the entire one.

Regulatory Overlap: HIPAA vs. FTC vs. State Health Privacy Laws

Legal Framework | Applies To | Enforcement Focus
HIPAA (OCR, HHS) | Covered entities & business associates | Privacy, Security, and breach notification for PHI
FTC Health Breach Notification Rule | Health apps & related digital tools not covered by HIPAA | Mandatory breach reporting for unsecured health data
FTC Act (Section 5) | Any entity engaging in unfair or deceptive practices | Misleading privacy/consent practices, undisclosed data sharing
State Privacy & Consumer Laws | Varies by state | Sensitive data misuse, consent violations, security lapses

Why Digital Health Apps and Platforms Are Facing Increased Scrutiny

1. New Realities Around Health Data

Digital products now routinely generate and process health-related data, from symptom trackers and connected devices to AI systems that infer health attributes. Health information isn’t confined to traditional medical records, and regulators are responding accordingly.

2. Tracking Technologies and Data Flows

Pixels, SDKs, and analytics integrations that collect or transmit identifiable health attributes are increasingly enforcement targets when those flows are not transparent or adequately protected. Agencies have taken action where undisclosed data sharing occurs through these mechanisms.

3. Misalignment Between Practice and Disclosure

Broad statements about privacy protections without corresponding controls or clear disclosures have become a recurring enforcement trigger under FTC authority. Courts have generally recognized the FTC’s authority to police deceptive data practices under Section 5.

Emerging Compliance Expectations for Digital Health and Health-Adjacent AI

Even though HIPAA itself doesn’t automatically apply, its expectations are influencing enforcement outcomes across regimes:

  • Breach preparedness: Companies should anticipate timelines and obligations similar to HIPAA under the FTC rule.
  • Transparency and consent: Accurate privacy disclosures are essential to mitigate FTC or state enforcement risk.
  • Security hygiene: HHS has proposed updates to the HIPAA Security Rule that apply to covered entities, and broader expectations of “reasonable security” increasingly shape scrutiny of digital products more generally.

Relevant Insurance Coverages for Digital Health Companies

As enforcement expands across OCR, the FTC, and state regulators, digital health companies should evaluate how their insurance program responds to regulatory, contractual, and litigation exposure tied to health data.

Cyber Liability Insurance

Cyber liability insurance typically responds to:

  • Data breaches involving personally identifiable information (PII) or health-related data
  • Incident response costs (forensics, notification, credit monitoring)
  • Regulatory investigations and, where insurable by law, certain fines and penalties
  • Class action defense arising from privacy incidents

Given the FTC Health Breach Notification Rule’s expanded scope, companies that aren’t HIPAA covered entities may still face federal breach reporting obligations. A cyber policy should be reviewed to confirm it contemplates regulatory proceedings outside HIPAA and covers incidents involving consumer health data.

Technology Errors & Omissions (Tech E&O) Insurance

Tech E&O helps address claims that a company’s product or service failed to perform as intended, including:

  • Allegations that security weaknesses caused client losses
  • Contractual indemnification claims from enterprise customers
  • Failure to meet data protection representations in MSAs or DPAs

For companies selling into providers, employers, or enterprise health systems, Tech E&O becomes critical if a privacy or security lapse triggers downstream liability.

Directors & Officers Insurance

Privacy incidents increasingly escalate beyond operational matters. Directors & Officers Insurance coverage may respond to:

  • Shareholder or investor claims alleging failure of oversight
  • Derivative actions following significant regulatory investigations
  • Securities claims if a privacy issue materially affects valuation or disclosures

As regulatory scrutiny intensifies, board-level oversight of data governance is becoming a governance expectation rather than merely a best practice.

Media Liability Insurance

Media Liability Insurance is relevant where companies publish content, use AI outputs, or engage in marketing practices that could trigger claims related to misleading representations about data practices.

Coverage alone is insufficient. Underwriters are scrutinizing tracking technologies, vendor oversight, incident response maturity, and regulatory exposure under non-HIPAA regimes such as the FTC Health Breach Notification Rule. Companies with documented controls, clear data flow visibility, and formal governance structures typically secure stronger terms and pricing.

For digital health companies, insurance should be structured to reflect a layered enforcement environment, not solely traditional HIPAA exposure.

What Expanded Health Data Enforcement Means for Growing Companies

HIPAA’s statutory boundary has not expanded, but the enforcement ecosystem has. Digital health and wellness platforms should anticipate regulatory expectations that resemble HIPAA principles even when they fall outside HIPAA’s formal reach.

By understanding how multiple authorities overlap and interact, companies can better integrate compliance into product, security, and risk strategies, turning regulatory readiness into a strategic advantage.

Vouch Specialty Insurance Services, LLC (CA License #6004944) is a licensed insurance producer in states where it conducts business. A complete list of state licenses is available at vouch.us/legal/licenses. Insurance products are underwritten by various insurance carriers, not by Vouch. This material is for informational purposes only and does not create a binding contract or alter policy terms. Coverage availability, terms, and conditions vary by state and are subject to underwriting review and approval.
