A new analysis argues that existing health privacy laws no longer reflect how health data is collected and used.
The Electronic Privacy Information Center released a report titled Beyond HIPAA: Reimagining How Privacy Laws Apply to Health Data to Maximize Equity in the Digital Age, warning that current health privacy protections fail to cover large volumes of health-related data generated outside traditional healthcare settings. The January 2026 report argues that unregulated digital technologies, widespread online tracking, and limited statutory coverage have allowed sensitive health data to be collected, shared, and monetized in ways that discourage people from seeking care.
The report outlines how health data flows through mobile apps, advertising platforms, insurers, data brokers, and algorithmic systems that fall outside HIPAA’s scope. According to EPIC, these practices contribute to profiling, behavioral targeting, differential pricing, and surveillance that disproportionately affect marginalized communities. The analysis describes how fear of stigma, criminalization, or misuse of data leads individuals to delay or avoid care. It also raises concerns about the growing use of automated systems and artificial intelligence in insurance and health-related decisions without clear regulatory standards or meaningful oversight.
In its January 2026 report, EPIC stated that “health privacy abuses and breaches put vulnerable communities at risk and discourage them from seeking care,” noting that without stronger privacy protections, people retreat from care because of fear, stigma, criminalization, and mistrust. The report says that privacy protections can improve health equity and outcomes and that privacy should not be treated as a luxury good. It calls for stricter data minimization standards to limit the collection, processing, sharing, and retention of health data to only what is necessary to provide health services, and argues that harmful practices like the sale of sensitive health data should be banned.
Privacy experts have been warning that HIPAA alone no longer reflects how health data moves through modern digital systems. At a recent IAPP Global Summit session titled “HIPAA Is Not Enough,” speakers pointed to state laws such as Washington’s My Health My Data Act and New York’s Health Information Privacy Act as evidence that lawmakers are already filling gaps left by federal rules. The discussion focused on how health-related data now flows through apps, platforms, advertisers, and vendors that sit outside HIPAA’s reach, often without clear consent or limits on reuse. Panelists stressed that privacy programs built only around HIPAA are more exposed, as regulators and courts expect broader governance, stronger data minimization, and clearer accountability once health data leaves traditional care settings.
Wired reporting describes how health privacy risks are no longer confined to hospitals and clinics. Exposure now often comes from advertising technology, data brokers, and immigration enforcement systems that use health-related data. The reporting also points to AI tools that handle large volumes of sensitive information outside clear oversight. Similar issues show up in Paubox’s top attacks report, which found that many healthcare breaches involved third-party and business associate email access, where organizations lacked visibility into how their data was handled. Together, the reporting shows that health data moves through far more systems than current privacy rules were built to cover.
HIPAA applies mainly to healthcare providers, insurers, and their business associates, leaving many apps, platforms, advertisers, and data brokers outside its scope.
Such health-related data includes information inferred from online behavior, location data, reproductive health searches, mental health app usage, and other signals that reveal health status or care-seeking activity.
When people fear surveillance, stigma, or misuse of their data, they may delay care, avoid providers, or withhold information needed for treatment.
Groups facing discrimination, immigration enforcement, or criminalized healthcare are more likely to experience harm when health data is shared or exploited without safeguards.
The report supports stronger data minimization rules, limits on data sales, clearer oversight of automated systems, and broader enforcement authority beyond HIPAA.