The TLDR

HIPAA protects the data your doctor collects. It does not protect the data your fitness app collects, your wearable tracks, your period tracker logs, or your mental health app records. That data is a commercial product: sold to data brokers, bought by insurance companies, accessed by employers, and in some cases handed to law enforcement. Your Oura Ring knows your sleep patterns, resting heart rate, and stress levels. Your fitness app knows where you run and when. Your period tracker knows your cycle. None of it has the legal protection you probably assume it does.

The Reality

Here’s what happens to your health data once it leaves your body:

Your Oura Ring tracks sleep stages, heart rate variability, body temperature, blood oxygen, and activity. Oura’s privacy policy allows sharing “de-identified” data with third parties. De-identification is weaker than anonymization: it strips direct identifiers such as name and email, but typically leaves the quasi-identifiers (ZIP code, birth year, sex, timestamps) that let a dataset be joined against a public one. Latanya Sweeney’s well-known result is that ZIP code, sex, and date of birth alone uniquely identify about 87% of the US population, and re-identification of “de-identified” health data by this kind of linkage has been demonstrated repeatedly since.
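
The linkage attack described above, as an added example (not Oura’s data or code, and not from the original article). Both tables are constructed: a hypothetical wearable export with names and device IDs removed, and a hypothetical public list (a race-results page or voter roll would carry the same fields) that still has names. Joining on the shared quasi-identifiers re-identifies every record whose combination of ZIP, birth year, and sex is unique on both sides; the k-anonymity check shows why the export was never safe to release.

```python
from collections import Counter, defaultdict

# Constructed "de-identified" export from a hypothetical wearable vendor. Direct
# identifiers are gone, but the quasi-identifiers a linkage attack needs remain.
DEID_HEALTH = [
    {"zip": "94110", "birth_year": 1988, "sex": "F", "resting_hr": 52, "sleep_h": 7.4},
    {"zip": "94110", "birth_year": 1988, "sex": "F", "resting_hr": 64, "sleep_h": 6.1},
    {"zip": "94110", "birth_year": 1975, "sex": "M", "resting_hr": 71, "sleep_h": 5.2},
    {"zip": "60614", "birth_year": 1992, "sex": "M", "resting_hr": 58, "sleep_h": 8.0},
    {"zip": "60614", "birth_year": 1992, "sex": "F", "resting_hr": 49, "sleep_h": 7.9},
]

# Constructed auxiliary dataset with names: the kind of public record that is
# routinely available alongside ZIP code, birth year and sex.
AUX_PUBLIC = [
    {"name": "Alice Park", "zip": "94110", "birth_year": 1988, "sex": "F"},
    {"name": "Bea Ortiz",  "zip": "94110", "birth_year": 1988, "sex": "F"},
    {"name": "Carl Webb",  "zip": "94110", "birth_year": 1975, "sex": "M"},
    {"name": "Dan Iyer",   "zip": "60614", "birth_year": 1992, "sex": "M"},
    {"name": "Eve Moss",   "zip": "60614", "birth_year": 1992, "sex": "F"},
]

QUASI_IDS = ("zip", "birth_year", "sex")


def qi_key(row):
    """The quasi-identifier tuple shared by both datasets."""
    return tuple(row[k] for k in QUASI_IDS)


def k_anonymity(rows):
    """Size of the smallest group of rows that share a quasi-identifier tuple.
    k == 1 means at least one row is unique and therefore linkable."""
    return min(Counter(qi_key(r) for r in rows).values())


def link_records(deid_rows, aux_rows):
    """Linkage attack: join on quasi-identifiers and keep only the matches where
    exactly one health row meets exactly one named row. Returns name -> health row."""
    health_by_key = defaultdict(list)
    for r in deid_rows:
        health_by_key[qi_key(r)].append(r)
    names_by_key = defaultdict(list)
    for r in aux_rows:
        names_by_key[qi_key(r)].append(r["name"])

    reidentified = {}
    for key, names in names_by_key.items():
        health = health_by_key.get(key, [])
        if len(names) == 1 and len(health) == 1:
            reidentified[names[0]] = health[0]
    return reidentified


if __name__ == "__main__":
    print("k-anonymity of the export:", k_anonymity(DEID_HEALTH))
    for name, rec in link_records(DEID_HEALTH, AUX_PUBLIC).items():
        print(f"{name}: resting HR {rec['resting_hr']}, sleep {rec['sleep_h']} h")
```

Alice and Bea share a key, so their two rows stay ambiguous; the other three are recovered by name with their heart rate and sleep data attached. Raising k for every quasi-identifier combination (coarser ZIP, age bands instead of birth year) is what it takes to block this, and it is not what a typical “de-identified” export does.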

Your Strava/Garmin/Fitbit tracks GPS routes, pace, heart rate zones, recovery metrics, and training load. Strava’s 2018 global heatmap, built from “anonymized” aggregate activity data, exposed the layout and patrol routes of military bases in conflict zones: where few people are uploading, the aggregate is effectively one person. The same logic applies to you. Nearly every run starts and ends at the same address, so a handful of routes is a location fingerprint for your home.
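
The home-location fingerprint described above, as an added example (not Strava’s, Garmin’s or Fitbit’s code, and not from the original article). The activity log is constructed for one hypothetical user and deliberately keeps nothing but start and end coordinates, no name, no device ID, no route. Snapping endpoints to a coarse grid and counting is enough to single out the one cell the user keeps returning to.

```python
from collections import Counter

# Grid cell size: 1/1000 of a degree is about 110 m of latitude, coarse enough
# to absorb consumer-GPS jitter but fine enough to single out one block.
CELL = 1000

# Constructed activity log for one hypothetical user: (start, end) of each
# upload. Six home loops, one home-to-park run, two runs from a hotel on a trip.
RUNS = [
    ((37.7598, -122.4147), (37.7601, -122.4149)),
    ((37.7600, -122.4146), (37.7599, -122.4150)),
    ((37.7602, -122.4148), (37.7598, -122.4147)),
    ((37.7599, -122.4149), (37.7600, -122.4146)),
    ((37.7601, -122.4150), (37.7602, -122.4148)),
    ((37.7598, -122.4146), (37.7599, -122.4147)),
    ((37.7600, -122.4148), (37.7694, -122.4862)),   # home to a park
    ((40.7484, -73.9857), (40.7486, -73.9855)),     # hotel, work trip
    ((40.7485, -73.9856), (40.7484, -73.9858)),     # hotel, work trip
]


def cell_of(point):
    """Snap a (lat, lon) pair to its grid cell."""
    lat, lon = point
    return (int(round(lat * CELL)), int(round(lon * CELL)))


def endpoint_cells(runs):
    """Count how many activities start or end in each grid cell."""
    counts = Counter()
    for start, end in runs:
        counts[cell_of(start)] += 1
        counts[cell_of(end)] += 1
    return counts


def infer_home(runs):
    """Return the centre of the most frequent endpoint cell and the share of all
    endpoints that fall in it. A share well above 0.5 is the signature of a
    fixed home (or, for lunchtime runners, a fixed workplace)."""
    counts = endpoint_cells(runs)
    (cell, n), = counts.most_common(1)
    total = sum(counts.values())
    return (cell[0] / CELL, cell[1] / CELL), n / total


if __name__ == "__main__":
    (lat, lon), share = infer_home(RUNS)
    print(f"probable home cell: {lat:.3f}, {lon:.3f} ({share:.0%} of endpoints)")
```

Nine uploads are enough: the travel runs and the one-way run to the park are noise, and 13 of 18 endpoints land in a single 110 m cell. A hidden “privacy zone” around the address only helps if it is larger than the cell size an attacker chooses.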

Your period tracker knows your cycle length, symptoms, sexual activity, and fertility window. After Dobbs v. Jackson Women’s Health Organization (2022) overturned Roe v. Wade, this data became legally consequential in states that criminalized abortion.

Your Apple Health/Google Fit aggregates data from all your health-adjacent apps and devices into a single profile — steps, heart rate, sleep, nutrition, medications, and medical records (if you’ve connected a healthcare provider).

The HIPAA Gap

What HIPAA Covers

HIPAA (Health Insurance Portability and Accountability Act) protects Protected Health Information (PHI) held by covered entities, which means health plans, health care clearinghouses, and health care providers that transmit health information electronically, plus the business associates (billing services, cloud hosts, analytics vendors) that handle PHI on their behalf under a business associate agreement.

What HIPAA Does NOT Cover

This gap is enormous. A fitness app, wearable vendor, or period tracker that you use directly is neither a covered entity nor, in the usual case, a business associate of one, so the same resting heart rate is PHI when your cardiologist records it and ordinary consumer data when your watch does. The most intimate health data most people generate, their sleep, exercise, reproductive cycles, and mental health patterns, falls entirely outside HIPAA’s protection. When regulators have acted against such apps (Flo and BetterHelp, below), it has been under the FTC’s general authority over deceptive practices, not HIPAA.

The Data Ecosystem

How Health Data Gets Sold

Health app data flows through the same data broker ecosystem as everything else:

  1. The app collects your health metrics
  2. Advertising SDKs in the app transmit data to ad networks
  3. Ad networks sell behavioral segments (“Health-Conscious,” “Fitness Enthusiast,” “Expecting Parent”)
  4. Data brokers aggregate health-adjacent data from multiple sources
  5. Buyers include insurance companies, employers, marketers, and researchers

LexisNexis operates a health data division that creates risk scores based on consumer health data. These scores factor in fitness tracker data, pharmacy purchases, social media health-related posts, and consumer behavior patterns that correlate with health conditions.

The Insurance Pipeline

John Hancock’s Vitality Program made headlines by offering life insurance discounts to policyholders who share fitness tracker data. Sounds benign — exercise more, pay less. But the inverse is the concern: what happens when insurers use fitness data to increase premiums?

Health insurers and life insurers are increasingly using commercial data — including data from fitness apps and wearables — to assess risk. The data doesn’t have to come directly from the insurer’s own program. It can be purchased from data brokers who aggregated it from app SDKs.

Fertility and Menstrual Data

The Post-Dobbs Landscape

After Dobbs v. Jackson (2022), period tracking data became a legal liability in states that criminalized abortion. Law enforcement can:

Documented cases:

Flo’s settlement: Period tracker Flo settled with the FTC in 2021 for sharing users’ health data, including pregnancy status and menstrual cycle information, with the analytics and advertising platforms of Facebook and Google, among others, despite promising the data was private. The sharing happened through analytics SDKs embedded in the app, which transmitted custom events about the user’s period and pregnancy intentions. The order carried no fine; it required Flo to obtain affirmative consent before sharing health data and to instruct the recipients to destroy what they had received.

What Changed

Some apps responded to Dobbs by implementing stronger privacy measures:

But many apps made no changes, and the underlying data broker ecosystem continues to operate.

Mental Health App Data

Therapy Apps

BetterHelp settled with the FTC for $7.8 million in 2023 over sharing users’ health data with Facebook, Snapchat, Criteo, and Pinterest for advertising purposes, including information about mental health conditions, answers to intake questionnaires, and whether the user had been in therapy before.

Crisis Text Line, a nonprofit providing mental health support via text, shared anonymized conversation data with Loris.ai, a for-profit analytics company it had spun off. The “anonymized” data included crisis conversations. The arrangement ended in 2022 after it was reported publicly.

Mood Trackers and Meditation Apps

Even apps that seem benign — Calm, Headspace, mood journals — collect behavioral data through advertising SDKs. Your meditation schedule, mood logs, and sleep data are behavioral signals that feed the ad targeting ecosystem.

How It Gets Exploited

Insurance Discrimination

The legal framework for using health data in insurance varies by state. But the data flows regardless of regulation. An insurer that can’t legally use your fitness data directly can use data broker scores that incorporate fitness data as one of many inputs.

Employer Monitoring

Corporate wellness programs often incentivize employees to share health data: step challenges, sleep tracking, health assessments. The data typically goes to a third-party vendor, which aggregates it and reports to the employer. Individual values are in theory hidden behind team averages, but averages over small groups are not anonymous. A manager of a four-person team who sees the average drop the week one person is out has learned that person’s number, and two reports that differ by a single member (the whole team, and the team filtered by tenure or location) give the excluded member’s value exactly.
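
The differencing attack described above, as an added example (not any wellness vendor’s code, and not from the original article). The team and its step counts are constructed, and so is the vendor’s reporting rule: a group average is released only when the group has at least three members, which is the kind of suppression threshold that looks like a privacy control. Two individually allowed reports that differ by one person still give that person’s exact value.

```python
# Constructed weekly step totals for a hypothetical five-person team, as the
# wellness vendor would hold them. The employer is only shown aggregates.
TEAM_STEPS = {
    "ana": {"steps": 61_000, "tenure_years": 4},
    "bo":  {"steps": 48_500, "tenure_years": 2},
    "cy":  {"steps": 72_250, "tenure_years": 6},
    "dee": {"steps": 55_000, "tenure_years": 3},
    "eli": {"steps": 23_400, "tenure_years": 0},   # new hire
}

# Hypothetical vendor rule: no average for groups smaller than this.
MIN_GROUP = 3


def team_average(records, predicate=lambda r: True):
    """What the employer dashboard returns for a filter: (group size, mean steps),
    or None when the suppression threshold blocks the query."""
    rows = [r["steps"] for r in records.values() if predicate(r)]
    if len(rows) < MIN_GROUP:
        return None
    return len(rows), sum(rows) / len(rows)


def differencing_attack(all_report, subset_report):
    """Recover the one member present in all_report but absent from subset_report:
    n_all * mean_all is the group total, n_sub * mean_sub is the total without
    that member, and the difference is that member's own value."""
    n_all, avg_all = all_report
    n_sub, avg_sub = subset_report
    if n_all - n_sub != 1:
        raise ValueError("reports must differ by exactly one member")
    return round(n_all * avg_all - n_sub * avg_sub)


if __name__ == "__main__":
    whole_team = team_average(TEAM_STEPS)
    tenured = team_average(TEAM_STEPS, lambda r: r["tenure_years"] >= 1)
    # Asking for the new hire alone is refused by the threshold...
    print("new hire only:", team_average(TEAM_STEPS, lambda r: r["tenure_years"] == 0))
    # ...but two allowed reports leak the same number.
    print("new hire's steps via differencing:", differencing_attack(whole_team, tenured))
```

The threshold blocks the direct query for a single person and does nothing against the pair of queries, because it is checked per report rather than across the set of reports the employer can run. Limiting the filters to a fixed, non-overlapping set of groupings, or adding calibrated noise to each average, are the mitigations that actually address this.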

Law Enforcement Access Without Warrants

Health data stored on company servers (not on-device) is reachable by law enforcement through ordinary legal process, and frequently without a warrant: records held by a third-party business can often be obtained with a subpoena or court order, neither of which requires a showing of probable cause. For data stored with third-party analytics companies (where the app SDK sent it), the request goes to the analytics company, and the app company may never know the data was accessed. Data that never leaves the device, or that is end-to-end encrypted so the company holds only ciphertext, can be obtained only from the device or from you.

What You Can Do

App Selection

Data Minimization

For Period Tracking Specifically

Sources & Further Reading