
What are the compliance issues that health apps face?

Digital health has transformed how consumers manage their wellness and access healthcare services. From meditation apps processing millions of mindfulness sessions to telehealth platforms conducting virtual consultations, health applications have become integral to modern healthcare delivery. 

In 2024, there were approximately 320 million users of health apps globally, with about 388 million health app downloads recorded during the year, according to Business of Apps. The health and fitness app market generated revenues of over $3.7 billion, reflecting significant consumer engagement and market growth. Health and wellness apps cover a wide array of areas, including weight management, fitness tracking, mental wellness, and chronic disease support. Statista also reports steady growth in health and fitness app downloads worldwide, with over 3.6 billion downloads in 2024. These figures show the ongoing innovation and diversification in the digital health app market.

This growth brings unprecedented compliance challenges. Because these applications handle sensitive health data that may qualify as protected health information (PHI), developers and healthcare organizations face a complex web of regulatory requirements. The stakes are high: recent enforcement actions by the Federal Trade Commission (FTC) have produced multi-million dollar penalties in the digital health sector. Since 2020, the FTC has secured settlements totaling $145 million from companies accused of deceptive practices related to health insurance marketing and digital health services, alongside numerous individual actions, including a $1.5 million civil penalty against GoodRx for sharing users' health data with advertising platforms without their consent. This demonstrates the FTC's strong regulatory focus on protecting consumers in the health app and digital health space.

The central question facing the industry is clear: What are the key compliance challenges health apps must navigate to meet evolving regulatory standards like HIPAA, while maintaining the innovation and accessibility that users demand?

 

Defining health apps and their risk profile

Understanding compliance obligations begins with clearly defining what constitutes a "health app" and recognizing the diverse risk profiles across different categories. The healthcare app ecosystem encompasses three primary categories, each with distinct compliance implications.

Wellness apps like Calm, Noom, and Fitbit focus on general health improvement without direct clinical involvement. These platforms collect data on sleep patterns, exercise habits, and nutritional intake. While they may seem removed from traditional healthcare, their compliance obligations can shift when integrated into employer wellness programs or clinical workflows.

Clinical apps such as Teladoc, MyChart, and Epic's patient portals directly facilitate healthcare delivery. These applications handle diagnoses, treatment plans, and prescription information, placing them within HIPAA's regulatory framework. Their integration with electronic health records (EHRs) and direct physician involvement creates clear compliance obligations.

Hybrid platforms like Headspace Health and Zocdoc blur traditional boundaries by combining wellness features with clinical services. These apps present unique compliance challenges as different features may trigger different regulatory requirements.

The distinction between consumer-facing and clinically-integrated apps is important for compliance. As Dr. Nicole Martinez-Martin, Assistant Professor at Stanford School of Medicine, explains, "The moment a wellness app begins sharing data with healthcare providers or integrating into clinical decision-making, it crosses from the consumer space into the regulated healthcare environment."

 

Core regulatory frameworks

Health apps must navigate a complex landscape of federal, state, and international regulations, each with specific requirements and enforcement mechanisms.

HIPAA (Health Insurance Portability and Accountability Act) remains the cornerstone of U.S. health data protection. However, its application to health apps isn't always straightforward. HIPAA applies when apps act as business associates to covered entities (healthcare providers, health plans, and healthcare clearinghouses). According to HHS guidance, an app becomes a business associate when it creates, receives, maintains, or transmits PHI on behalf of a covered entity. Apps that consumers use independently without healthcare provider involvement usually fall outside HIPAA's scope.

GDPR (General Data Protection Regulation) applies to any app processing the health data of people in the EU, regardless of where the company is based. Health data is a "special category" of personal data under Article 9, so processing it requires one of the narrow legal bases that article allows, such as explicit consent. With fines of up to €20 million or 4% of global annual turnover, whichever is higher, GDPR compliance is non-negotiable for apps with European users. The regulation's broad definition of "data concerning health" encompasses any information that reveals physical or mental health status, creating obligations that reach well beyond HIPAA's PHI.

State-level laws add another layer of complexity. California's CCPA and CPRA grant consumers rights over their personal information, including health data. New York's SHIELD Act mandates specific data security requirements, while Illinois' Biometric Information Privacy Act affects apps using fingerprint or facial recognition for user authentication.

The FTC Act empowers the Federal Trade Commission to pursue enforcement against unfair or deceptive practices, including inadequate data security and privacy promises an app does not keep. The FTC also enforces the Health Breach Notification Rule, which requires vendors of personal health records and related apps that fall outside HIPAA to notify consumers when their health data is disclosed without authorization; the GoodRx action was the first enforcement under that rule. Recent FTC actions against health apps demonstrate aggressive enforcement, particularly regarding unauthorized data sharing with advertisers.

The 21st Century Cures Act promotes interoperability and patient access to health information. Apps interfacing with EHRs must comply with information blocking provisions and support standardized data exchange formats like FHIR (Fast Healthcare Interoperability Resources).

 

Common compliance challenges

Misidentifying business associate status

One of the most fundamental yet frequently misunderstood challenges is determining whether an app qualifies as a HIPAA business associate. Developers get this wrong in both directions: some assume that merely handling health information triggers HIPAA obligations, while others assume they are outside HIPAA when their business model places them squarely inside it.

Consider a meditation app offering employer-sponsored mental health coaching. If the employer's health plan pays for premium subscriptions and receives aggregated wellness reports, the app likely functions as a business associate. However, the same app offering direct-to-consumer subscriptions without healthcare provider involvement remains outside HIPAA's scope.

"We see countless apps operating in a gray area, assuming they're not subject to HIPAA when their business model clearly establishes them as business associates," notes Kirk Nahra, Partner at WilmerHale and healthcare privacy expert. "The consequences of this misclassification can be severe, both legally and reputationally."

 

Lack of a Business Associate Agreement (BAA)

Business Associate Agreements represent more than mere paperwork; they're legally binding contracts that define how PHI will be protected, used, and disclosed. Yet many health apps operate without proper BAAs, creating compliance gaps.

BAAs must address specific elements, set out in 45 CFR 164.504(e), including permitted uses and disclosures of PHI, the safeguards the business associate will implement, reporting of security incidents and breaches, a requirement that any subcontractors agree to the same restrictions, and provisions for returning or destroying PHI when the relationship ends. Generic terms of service or privacy policies cannot substitute for properly executed BAAs.

Go deeper: How to know if you’re a business associate

 

Improper data classification

The line between personal data and PHI often blurs in health apps, creating classification challenges with compliance implications. Genetic testing platforms illustrate this: a 23andMe ancestry report sold directly to a consumer is personal data outside HIPAA, while the same genetic information, once received or used by a physician for clinical decision-making, becomes PHI. What changes is not the data but who holds it and on whose behalf.

This classification challenge extends to seemingly harmless data. Heart rate measurements from a fitness tracker become PHI when synchronized with a cardiologist's monitoring system. Sleep data transitions from wellness metrics to clinical information when used to diagnose sleep apnea.

 

Insufficient security safeguards

HIPAA's Security Rule mandates administrative, physical, and technical safeguards for PHI protection. Many health apps struggle to implement these requirements comprehensively, particularly when using consumer-grade infrastructure.

Essential technical safeguards include encryption both at rest and in transit, role-based access controls with unique user identification, automatic logoff functionality, and audit logs tracking all PHI access. Administrative requirements encompass workforce training, risk assessments, and incident response procedures.
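To make these safeguards concrete, here is an added illustration (not code from the page, from HHS, or from any vendor) that models four of them in one small PHI access gateway: unique user identification, role-based access that denies by default, automatic logoff after inactivity, and an audit trail that records denied and expired attempts as well as successful ones. The roles, the 15-minute timeout, and the user and record identifiers are assumptions chosen for the example.

```python
"""Model of four HIPAA Security Rule technical safeguards in one gateway.

Added example; not code from the page or any vendor. The role matrix,
timeout and identifiers below are assumptions for illustration only.
"""
from dataclasses import dataclass, field

# Role -> PHI actions permitted. Anything not listed is denied (assumed matrix).
ROLE_PERMISSIONS = {
    "clinician": {"read", "write"},
    "billing": {"read"},
    "support": set(),            # support staff get no direct PHI access
}

INACTIVITY_TIMEOUT_S = 15 * 60   # assumed automatic-logoff threshold


@dataclass
class Session:
    user_id: str                 # unique per workforce member, never shared
    role: str
    last_activity: float         # epoch seconds of the last authorized action


@dataclass
class AuditEntry:
    ts: float
    user_id: str
    action: str
    record_id: str
    outcome: str                 # "allowed", "denied" or "session_expired"


@dataclass
class PhiGateway:
    audit_log: list = field(default_factory=list)

    def access(self, session: Session, action: str, record_id: str, now: float) -> bool:
        """Authorize one PHI access. Every attempt is logged, allowed or not."""
        if now - session.last_activity > INACTIVITY_TIMEOUT_S:
            self._log(now, session, action, record_id, "session_expired")
            return False
        if action not in ROLE_PERMISSIONS.get(session.role, set()):
            self._log(now, session, action, record_id, "denied")
            return False
        session.last_activity = now      # activity resets the logoff timer
        self._log(now, session, action, record_id, "allowed")
        return True

    def _log(self, now, session, action, record_id, outcome):
        self.audit_log.append(AuditEntry(now, session.user_id, action, record_id, outcome))

    def entries_for(self, record_id: str) -> list:
        """Who touched a given record, and with what result."""
        return [e for e in self.audit_log if e.record_id == record_id]


def demo() -> dict:
    """Run three constructed access attempts and return what the audit trail shows."""
    gw = PhiGateway()
    t0 = 1_700_000_000.0                       # constructed timestamp
    clinician = Session("u-1001", "clinician", last_activity=t0)
    support = Session("u-2002", "support", last_activity=t0)
    results = {
        "clinician_read": gw.access(clinician, "read", "pt-42", now=t0 + 30),
        "support_read": gw.access(support, "read", "pt-42", now=t0 + 40),
        # 15 minutes and one second after the clinician's last activity
        "clinician_after_idle": gw.access(
            clinician, "read", "pt-42", now=t0 + 30 + INACTIVITY_TIMEOUT_S + 1),
    }
    results["audit_outcomes"] = [e.outcome for e in gw.entries_for("pt-42")]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The detail worth noticing is that the log keeps the attempts that were refused: in a review, the `denied` and `session_expired` entries are the ones that reveal misassigned roles or sessions left open on shared devices, which a log of successful reads alone would never show.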

The proposed update to the HIPAA Security Rule that HHS published in January 2025 would, if finalized, remove the long-standing distinction between "required" and "addressable" implementation specifications and make controls such as encryption and multi-factor authentication mandatory. Rachel Rose, a healthcare attorney and cybersecurity expert, warns that this shift means apps must prepare for stricter and less interpretable security requirements, leaving no room for flexible implementation.

Learn more: The latest HIPAA updates and what's coming in 2025

 

Third-party integrations

Modern health apps rarely operate in isolation. Integration with analytics platforms, cloud services, and marketing tools creates compliance vulnerabilities that many developers overlook. Each third-party service handling PHI must sign a BAA and implement appropriate safeguards.

Common pitfalls include using Google Analytics without proper de-identification, implementing customer support chatbots that access PHI without BAAs, and utilizing cloud storage providers lacking healthcare-specific security certifications. 

OCR's guidance on online tracking technologies (first issued in December 2022 and updated in March 2024) warns that HIPAA-regulated entities may not use tracking technologies in a way that results in impermissible disclosures of PHI to vendors who are unable or unwilling to sign a BAA. If PHI is collected and shared with a tracking vendor, there must be either a signed BAA or a valid HIPAA authorization from the individual; a website banner or cookie notice is not a substitute. One caveat: in June 2024 a federal court in Texas vacated the portion of the guidance that treated a visitor's IP address combined with a visit to an unauthenticated page as PHI, so the position on public, unauthenticated pages is narrower than the original bulletin implied. Disclosures from authenticated patient portals and logged-in app sessions remain squarely within the rule.
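A quick way to catch this class of disclosure before a regulator does is to inspect the app's own outbound traffic. The following is an added example (not code from the page, from OCR, or from any vendor): it takes captured request URLs and bodies, restricts attention to known tracking hosts, and flags parameters that carry an identifier (email, IP, user ID), health context (questionnaire answers, diagnosis, appointment reason), or both. The host list, parameter names, and sample requests are constructed for the illustration; in practice you would build them from a HAR file or proxy capture of your own app.

```python
"""Flag tracking requests that carry identifiers and health context together.

Added example; not code from the page, OCR, or any vendor. The host list,
parameter names and SAMPLE_REQUESTS are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlparse

# Third-party tracking endpoints seen in a capture (assumed; extend from real traffic)
TRACKING_HOSTS = {"www.facebook.com", "www.google-analytics.com", "tr.snapchat.com"}

# Parameter names that identify a person (assumed names used by common pixels)
IDENTIFIER_KEYS = {"em", "email", "ph", "phone", "client_ip", "ip", "uid", "user_id"}

# Parameter names that reveal health context (assumed names from an intake flow)
HEALTH_CONTEXT_KEYS = {"appointment_reason", "diagnosis", "questionnaire",
                       "provider_name", "condition"}

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def parse_request(url: str, body: str = "") -> dict:
    """Merge the URL query string and a form-encoded body into one flat map."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    params.update({k: v[0] for k, v in parse_qs(body).items()})
    return {"host": parsed.netloc, "path": parsed.path, "params": params}


def classify(params: dict):
    """Return (identifier keys, health keys, severity) for one request's parameters."""
    identifiers = sorted(k for k, v in params.items()
                         if k in IDENTIFIER_KEYS or EMAIL_RE.fullmatch(v))
    health = sorted(k for k in params if k in HEALTH_CONTEXT_KEYS)
    if identifiers and health:
        severity = "phi_disclosure"   # identifier + health information = PHI
    elif identifiers or health:
        severity = "review"           # PHI depends on context (authenticated page?)
    else:
        severity = None               # nothing identifying or health-related
    return identifiers, health, severity


def find_leaks(requests: list) -> list:
    """Scan (url, body) pairs; report only third-party tracking requests of concern."""
    findings = []
    for url, body in requests:
        req = parse_request(url, body)
        if req["host"] not in TRACKING_HOSTS:
            continue                  # first-party traffic is out of scope here
        identifiers, health, severity = classify(req["params"])
        if severity:
            findings.append({"host": req["host"], "path": req["path"],
                             "identifiers": identifiers, "health_fields": health,
                             "severity": severity})
    return findings


# Constructed capture: one pixel leaking PHI, one de-identified page view,
# one first-party API call, and one pixel sending only a user ID.
SAMPLE_REQUESTS = [
    ("https://www.facebook.com/tr?id=1234567890&ev=PageView",
     "em=jane%40example.com&questionnaire=anxiety"),
    ("https://www.google-analytics.com/collect?v=1&tid=UA-00000-1&cid=555.1&t=pageview&dp=%2Fpricing",
     ""),
    ("https://api.example-health.app/v1/intake", "user_id=4711&diagnosis=F41.1"),
    ("https://tr.snapchat.com/p?pid=abc&user_id=4711", ""),
]

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_REQUESTS):
        print(finding)
```

Only the combination of an identifier with health context is reported as a PHI disclosure; an identifier alone lands in the `review` bucket, because whether it is PHI depends on whether the page or app session is authenticated. The first-party request is skipped entirely, since disclosures to your own servers are not what the OCR guidance addresses, and the de-identified analytics page view produces no finding at all.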

 

Apps that got it right and wrong

  • Setting the compliance standard: Teladoc Health demonstrates HIPAA compliance through systematic implementation of security controls and business processes. The platform maintains executed BAAs with all covered entity clients, implements encryption for video consultations, and conducts regular third-party security assessments.

Their privacy notice explicitly states, "When we provide services on behalf of a Covered Entity, we are a 'Business Associate' and must comply with HIPAA's requirements." This transparency, combined with HITRUST certification, positions Teladoc as a compliance leader in digital health.

  • Conditional compliance based on use case: Calm illustrates the complexity of hybrid platforms. For individual subscribers, Calm operates outside HIPAA's scope. However, their Calm for Business offerings to self-insured employers may trigger business associate obligations.

The company's approach acknowledges this duality: Calm states that it will enter into a Business Associate Agreement upon request when providing services to or on behalf of a Covered Entity. This conditional compliance model requires careful assessment of each client relationship to ensure appropriate protections.

  • A breach of privacy: BetterHelp's $7.8 million FTC settlement in 2023 shows the consequences of inadequate data protection. Despite promising to keep user data private, the platform shared email addresses, IP addresses, and health questionnaire responses with Facebook, Snapchat, and other advertising platforms for advertising purposes.

FTC Bureau of Consumer Protection Director Samuel Levine emphasized, "When a company promises not to share consumers' sensitive health information, it must honor that promise. BetterHelp's betrayal of trust undermined the confidentiality patients expect in mental health services."

See more: Is Teladoc Health HIPAA compliant? (2025 update)

Is Calm HIPAA compliant? (2025 update)


FAQs

What is protected health information (PHI)?

Protected Health Information (PHI) is any health information that can be linked to a specific individual and is created, received, maintained, or transmitted by a HIPAA-covered entity or business associate. This includes medical records, billing information, health insurance details, and any health data combined with personal identifiers like names, addresses, or Social Security numbers.

 

What are electronic health records (EHRs)?

Electronic health records are digital versions of patients' medical charts that contain comprehensive health information, including medical history, diagnoses, medications, treatment plans, immunization dates, allergies, radiology images, and laboratory test results. EHRs are designed to be shared across different healthcare settings, enabling coordinated care among providers.

 

What is a business associate?

A business associate is a person or organization that performs functions or activities on behalf of a covered entity (like a hospital or health plan) that involves the use or disclosure of PHI. This includes services like claims processing, data analysis, quality assurance, billing, practice management, and legal services. Business associates must sign Business Associate Agreements (BAAs) and comply with HIPAA regulations.
