A new partnership between industry and government to share patient data more freely is stoking concerns over protecting health privacy within a developing network of companies currently facing different federal and state legal requirements.
The White House announced a data-sharing initiative on July 30 with at least 60 companies, including
Companies outside the traditional health industry, including tech giants and new types of applications that can track activity levels, don’t always adhere to the federal health privacy law, the Health Insurance Portability and Accountability Act (HIPAA). Instead, they fall under a mosaic of state and federal statutes on an ad-hoc basis, raising questions about how aggressively regulators will press non-health entities to safeguard information such as reproductive health details, gender-affirming care information, or inferences made from non-health data.
For these newer tech companies, “understanding that you may not be subject to HIPAA” isn’t “the end of the conversation,” said Adam Greene, partner at Davis Wright Tremaine LLP and former Health and Human Services official. “You may be subject to, in some respects, even more stringent state laws, both general consumer privacy laws and consumer health-specific privacy laws, and understanding those are very important.”
HHS’ Office for Civil Rights, which enforces HIPAA, said it supported the initiative to provide patients greater access to their electronic protected health information “without sacrificing” privacy and security. OCR’s director, Paula M. Stannard, said the office will prioritize HIPAA enforcement on timely notifications following breaches.
Robert F. Kennedy Jr., who heads HHS, said the initiative seeks to tear down “digital walls” and return “buried health data” to patients. Companies have committed to deliver results by the first quarter of 2026, including by building new consumer-facing tools—like artificial intelligence chatbots—and eliminating traditional clipboards and paper medical records.
Comparing Apples to Oranges?
HHS’ Centers for Medicare and Medicaid Services, which is spearheading the voluntary partnership between the public and private sectors, said it received pledges from a range of companies and organizations.
Traditional health providers like
Though these companies may be making similar promises, they’ll actually be subject to unique legal requirements and oversight.
“Navigating this framework is really challenging,” Greene said. He added, “Different players will be subject to different, overlapping laws in these frameworks. Some will be subject to HIPAA. Some won’t. Some will be subject to Section Five of the FTC Act. Some won’t. Some will be subject to things like My Health, My Data Act. Others will be exempt from that.”
The Federal Trade Commission’s 2024 finalized amendments to its Health Breach Notification Rule, which requires companies to notify customers and the agency of breaches of health data, brought a growing class of health apps into its scope. The FTC at the time estimated the rule would cover an additional 170,000 entities.
“I would expect the FTC to be heavily involved here,” said Aaron T. Maguregui, who advises health tech companies and startups as a partner at Foley & Lardner LLP.
States have also made strides to expand protections for health data by either passing new laws, like Washington’s My Health, My Data Act, or updating comprehensive privacy statutes. These new laws and regulations have fueled a wave of enforcement likely to loom over the government’s data-sharing plans.
“You’re seeing even the Texas attorney general has been ramping up enforcement for Texas’ medical information privacy law,” said Apurva Dharia, associate at Davis Wright Tremaine, where he focuses on health information privacy. “So you may see state attorneys general and state regulators that have authority trying to fill in some of the gaps—if there are perceived gaps—and that’s an increased risk.”
Privacy Promises
On July 31, the Trump administration added an email to the CMS website to invite more businesses to join the effort, encouraging them to pledge to a specific category of the initiative.
Those voluntary commitments have varied. Oracle Health and Particle Health said they’ll become a “CMS Aligned Network” by meeting a list of government-issued criteria and protecting patient privacy. Samsung and CVS Health committed to “seamless, secure data exchange.”
For businesses that aren’t covered entities under HIPAA, the pledges may put them in scope for other legal requirements.
“Think of the FTC Act, which, under Section Five, has the authority to regulate unfair and deceptive practices,” Dharia said. “That can have a lot to do with the types of promises they make with respect to privacy, security, for example.”
Businesses joining the initiative will not only have to determine their compliance obligations, but also ensure they can deliver on promises made to consumers.
“It’s always important that whatever you promise with respect to privacy and security, you are truly able to deliver,” Greene said. “A lot of privacy and security enforcement in the US is based on, essentially, promises.”
States like California have scrutinized discrepancies between the privacy promises and statements companies make and their actual practices. The patchwork of applicable requirements could also leave consumers confused about how their health data may be used, putting the onus on businesses to keep them informed.
Consumers often don’t “appreciate that that kind of secondary use and sharing of data is happening, including sometimes with their health data,” said Andrew Crawford, senior counsel at the Center for Democracy and Technology, a nonprofit that advocates for digital rights.
“It’s still too early to know if there’s going to be accompanying privacy principles and practices” from participating companies, he added. “I hope there will be, because the current system is definitely not optimal for consumers.”