Key Takeaways
- HIPAA protects some health data but doesn't cover health apps, wearables, or de-identified data
- De-identified data can sometimes be re-identified, especially with AI
- AI companies may access your data through hospitals, research studies, or third parties
- You have rights to access and correct your health data and to restrict its use
- Always check privacy policies before downloading health apps or sharing data
Your health data is among the most personal information about you—and it's the fuel that powers artificial intelligence in healthcare. But what happens to that data? Who has access? How is it protected?
Understanding health data privacy in the age of AI is essential for protecting yourself while still benefiting from medical advances.
What Is Health Data?
Health data includes any information related to your:
| Data Type | Examples | Sources |
|---|---|---|
| Clinical data | Diagnoses, medications, lab results, imaging | Electronic health records (EHR) |
| Genomic data | DNA sequences, genetic variants | Genetic testing, research studies |
| Wearable data | Steps, heart rate, sleep, blood oxygen | Smartwatches, fitness trackers |
| Patient-reported data | Symptoms, quality of life, health behaviors | Patient portals, apps |
| Insurance claims | Diagnoses, procedures, payments | Health insurers |
| Social determinants | Housing, income, education, neighborhood | EHR, public records |
| Digital footprint | Health searches, app usage, online purchases | Tech companies, data brokers |
All of this data can be, and is being, used to train and improve AI systems.
What HIPAA Actually Protects (And What It Doesn't)
HIPAA Protected Health Information (PHI)
HIPAA covers:
- Healthcare providers (hospitals, clinics, doctors)
- Health plans (insurance companies)
- Healthcare clearinghouses
Protected information includes:
- Names, dates, addresses
- Diagnosis and treatment information
- Lab test results
- Prescription information
- Any information that identifies you + relates to your health
What HIPAA Does NOT Cover
This is the problem: HIPAA has significant gaps.
| Entity | HIPAA Coverage? | Examples |
|---|---|---|
| Hospitals and clinics | ✓ Yes | Your medical records |
| Health insurance | ✓ Yes | Claims, diagnoses |
| Health apps | ✗ No | Fitness trackers, symptom checkers |
| Wearable devices | ✗ No | Apple Watch, Fitbit |
| Direct-to-consumer testing | ✗ No | 23andMe, Everlywell |
| Social media | ✗ No | Facebook health groups |
| Search engines | ✗ No | Google health searches |
| Data brokers | ✗ No | Companies buying/selling data |
| De-identified data | ✗ No | "Anonymized" health data |
According to the World Health Organization, most people don't realize that HIPAA doesn't cover the vast ecosystem of health-related apps and services.
How Your Data Gets to AI Companies
Pathway 1: Healthcare Partnerships
Hospitals and health systems partner with AI companies:
Hospital + AI Company Agreement
↓
"Hospital provides de-identified patient data"
↓
AI Company trains/improves algorithms
↓
AI Company licenses improved tools back to hospital
Is this legal? Yes, if data is properly de-identified according to HIPAA Safe Harbor standards.
Pathway 2: Research Studies
Clinical research and AI training studies:
You consent to research study
↓
Your data collected (often identified)
↓
Data shared with researchers and AI companies
↓
Used to train AI systems
Oversight: Institutional Review Boards (IRBs) review studies, but data sharing agreements vary widely.
Pathway 3: Third-Party Data Sharing
Companies sell or share data through intermediaries:
Health App → Data Broker → AI Company
or
Wearable Company → Research Consortium → AI Company
or
Insurance Company → Data Analytics Firm → AI Company
This data sharing happens in ways patients never see or agree to.
Pathway 4: Public Datasets
Some health data is made publicly available:
- Government databases: Medicare claims, cancer registries
- Research repositories: Datasets from published studies
- Open source initiatives: Medical imaging datasets
- Competition datasets: Kaggle, AI challenges
Although these datasets are "de-identified", experts question whether true anonymization is possible with modern AI.
De-Identification: The Illusion of Anonymity
HIPAA Safe Harbor De-Identification
Data is considered "de-identified" if 18 identifiers are removed:
- Names
- Geographic subdivisions smaller than state
- All elements of dates (except year) directly related to individual
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers
- Device identifiers
- Web URLs
- IP addresses
- Biometric identifiers
- Full-face photos
- Any other unique identifying number, characteristic, or code
But here's the problem: Modern AI can re-identify this data.
Re-Identification Risks
Studies show "anonymous" health data can be re-identified by:
- Cross-referencing: Linking health data with public records (voter rolls, property records, social media)
- Pattern recognition: AI identifying unique patterns in longitudinal data
- Rare conditions: People with rare diseases are identifiable by diagnosis alone
- Genomic data: DNA sequences are inherently identifying
- Imaging data: Facial features visible in CT scans, retinal images
Research in Nature Communications demonstrated that 99.98% of Americans would be correctly re-identified in any de-identified health dataset using just 15 demographic attributes.
The reality: True anonymization of health data may be impossible in the age of AI.
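An added example, not from the original article: a simplified Safe Harbor-style scrub followed by the k-anonymity check a data custodian can run before releasing a dataset. The rows, field names and ZIP-to-state table are constructed for illustration, and only a subset of the 18 identifiers is modeled.

```python
from collections import Counter

# Constructed sample rows (not real patients); field names are assumptions.
RAW = [
    {"name": "P1", "zip": "94110", "birth_date": "1984-03-12", "sex": "F", "dx": "asthma"},
    {"name": "P2", "zip": "94607", "birth_date": "1984-11-02", "sex": "F", "dx": "asthma"},
    {"name": "P3", "zip": "94110", "birth_date": "1984-07-30", "sex": "F", "dx": "Fabry disease"},
    {"name": "P4", "zip": "10001", "birth_date": "1990-01-15", "sex": "M", "dx": "hypertension"},
    {"name": "P5", "zip": "10027", "birth_date": "1990-06-21", "sex": "M", "dx": "hypertension"},
    {"name": "P6", "zip": "10001", "birth_date": "1990-09-09", "sex": "M", "dx": "type 2 diabetes"},
    {"name": "P7", "zip": "10027", "birth_date": "1990-12-01", "sex": "M", "dx": "type 2 diabetes"},
]
STATE_BY_ZIP = {"94110": "CA", "94607": "CA", "10001": "NY", "10027": "NY"}
DIRECT_IDENTIFIERS = {"name", "phone", "email", "ssn", "mrn"}  # subset of the 18


def scrub(row):
    """Simplified Safe Harbor-style pass: drop direct identifiers,
    keep only the year of dates, coarsen geography to state."""
    out = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
    out["birth_year"] = out.pop("birth_date")[:4]
    out["state"] = STATE_BY_ZIP[out.pop("zip")]
    return out


def class_sizes(rows, quasi_ids):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in rows)


def k_anonymity(rows, quasi_ids):
    """Smallest group size: k = 1 means at least one row is unique."""
    return min(class_sizes(rows, quasi_ids).values())


def singletons(rows, quasi_ids):
    """Rows unique on quasi_ids: candidates to suppress or generalize."""
    sizes = class_sizes(rows, quasi_ids)
    return [r for r in rows if sizes[tuple(r[q] for q in quasi_ids)] == 1]


if __name__ == "__main__":
    clean = [scrub(r) for r in RAW]
    print("raw demographics k =", k_anonymity(RAW, ["zip", "birth_date", "sex"]))
    print("scrubbed demographics k =", k_anonymity(clean, ["birth_year", "sex", "state"]))
    print("scrubbed + diagnosis k =", k_anonymity(clean, ["birth_year", "sex", "state", "dx"]))
    print("release blockers:", singletons(clean, ["birth_year", "sex", "state", "dx"]))
```

Scrubbing lifts the demographic columns from fully unique to groups of three or more, yet the single rare diagnosis still leaves one row unique, which is the row to suppress or generalize before release.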
What Rights Do You Have?
HIPAA Rights (For Covered Entities)
If your data is with a HIPAA-covered entity, you have the right to:
| Right | What It Means | How to Exercise |
|---|---|---|
| Right of access | Get copies of your medical records | Request in writing to provider |
| Right to correction | Fix errors in your records | Submit written correction request |
| Right to accounting | See who accessed your records | Request access reports |
| Right to restriction | Limit how your data is used/disclosed | Request specific restrictions |
| Right to confidential communications | Receive communications privately | Specify preferred contact method |
| Right to notice of privacy practices | Know how your data is used | Provided at first service delivery |
Beyond HIPAA: Additional Rights
State laws may provide additional protection:
- California: CCPA/CPRA gives consumers the right to access and delete their data and to opt out of its sale
- Europe: GDPR provides comprehensive data protection rights
- Other states: Growing patchwork of state privacy laws
App and device terms of service may provide additional rights—though often limited.
How to Protect Your Health Data Privacy
Before Sharing Data
Ask these questions:
- What exact data will be collected?
  - Specific data points (heart rate, sleep, location)
  - Frequency of collection
  - Duration of retention
- Who will have access to this data?
  - Primary company only?
  - Third parties? Affiliates?
  - Researchers? Government agencies?
- How will data be used?
  - Service improvement?
  - AI training?
  - Sold to other companies?
  - Used for marketing/advertising?
- What choices do I have?
  - Opt-out of data sharing?
  - Delete my data?
  - Export my data?
  - Restrict specific uses?
- What security measures protect my data?
  - Encryption?
  - Access controls?
  - Security audits?
  - Breach notification?
Practical Steps You Can Take
For health apps and wearables:
- ✓ Review privacy policies before downloading
- ✓ Choose apps from reputable companies with clear privacy practices
- ✓ Limit data sharing to only what's necessary
- ✓ Regularly review and delete unused apps
- ✓ Use strong, unique passwords for health accounts
- ✓ Enable two-factor authentication when available
- ✓ Check app permissions and limit unnecessary access
For healthcare providers:
- ✓ Review your provider's notice of privacy practices
- ✓ Request restrictions on sensitive information
- ✓ Ask how your data is protected and who has access
- ✓ Report any privacy concerns or suspected breaches
General best practices:
- ✓ Don't share sensitive health information on social media
- ✓ Use secure messaging for health communications
- ✓ Be cautious about health surveys and research studies
- ✓ Regularly check your Explanation of Benefits (insurance statements)
- ✓ Consider using a healthcare proxy to manage privacy
Red Flags: When to Be Concerned
Be suspicious if:
- App requires excessive permissions (contacts, location, microphone) without clear reason
- Privacy policy is vague or missing
- Company reserves right to sell your data
- No way to delete your data or account
- No security information available
- Pressure to share data before seeing terms
- "Free" service with unclear business model (you may be the product)
Special Considerations
Genetic Privacy
Your DNA is uniquely identifying:
- Once shared, cannot be "changed" like a password
- Reveals information about relatives
- Could be used for discrimination (insurance, employment)
- Law enforcement access (Golden State Killer case)
Before genetic testing, ask:
- Who owns my genetic data?
- Will my data be shared or sold?
- Can my data be used for law enforcement?
- Can I delete my data later?
- What about my relatives' privacy?
Mental Health Data
Extra sensitivity required:
- Mental health diagnoses are highly stigmatized
- Data could be used for discrimination (employment, insurance)
- Therapy notes have special HIPAA protections (psychotherapy notes)
- Mental health apps often not HIPAA-covered
Reproductive Health Data
Particularly sensitive after Dobbs v. Jackson:
- Period tracking apps could reveal pregnancy/abortion
- Fertility treatment data is sensitive
- Some states restrict abortion access
- Data could potentially be used in legal proceedings
Consider: use privacy-focused apps and avoid tracking in states with restrictions.
Frequently Asked Questions
Can hospitals sell my health data to AI companies?
They can share de-identified data under HIPAA. But "de-identified" may not be truly anonymous. Some hospitals also partner with AI companies for research with patient consent.
Do health apps have to follow HIPAA?
Most don't. HIPAA only applies to healthcare providers, health plans, and healthcare clearinghouses. If an app is not acting on behalf of a covered entity, HIPAA doesn't apply.
Can I stop my data from being used to train AI?
For HIPAA-covered entities, you can request restriction of certain uses. For health apps and devices, it depends on their privacy policy and terms of service. Read carefully before agreeing.
What if I suspect my health data was breached?
For HIPAA-covered entities, you must be notified. For apps and devices, check their breach notification policy. Report to:
- Your healthcare provider (if applicable)
- State Attorney General
- Federal Trade Commission (for non-HIPAA entities)
Is my health data safer on my phone or in the cloud?
Both have risks. Phone data can be accessed if the device is lost, stolen, or hacked. The safety of cloud data depends on the company's security. Best practice: minimize data collection, use strong security (encryption, passwords, 2FA), and share only with reputable providers.
The Bottom Line
Your health data is valuable—and vulnerable. HIPAA provides some protection for traditional healthcare, but enormous gaps exist in the world of health apps, wearables, and AI development.
The reality: Your data is likely already being used to train AI systems, whether you realize it or not. The best protection is:
- Understanding what data you're sharing
- Reading privacy policies carefully
- Choosing trustworthy services
- Exercising your rights where they exist
- Advocating for stronger privacy protections
The future of healthcare AI shouldn't require sacrificing privacy. Support companies and policies that prioritize both innovation AND privacy protection.
Sources:
- US Department of Health and Human Services - "HIPAA Privacy Rule"
- World Health Organization - "Health Data Governance Framework"
- Nature Communications - "Re-identification of 'anonymous' health data"
- NIST - "AI Risk Management Framework"
- Journal of Law and the Biosciences - "Genetic Privacy in the Age of AI"
- California Consumer Privacy Act - Health data provisions