Legal Loophole of Health Apps by Samra Saleem

Rapid growth in the use of health and healthcare apps has changed how individual users engage with their personal health. For example, MyFitnessPal allows users to track their nutrition and exercise. Calm and Headspace offer meditation and relaxation tools to support users’ mental well-being. MySugr assists in monitoring diabetes and Medisafe assists with adhering to a medication regimen. Teladoc provides virtual medical consultations to make healthcare more accessible.

However, these apps exist in a regulatory gray area. Unlike hospitals and doctors which are covered entities regulated by the Health Insurance Portability and Accountability Act (HIPAA), many health and wellness apps fall outside the regulatory purview of federal health privacy laws. This loophole has enabled a boom in the data brokerage industry, where personal health data is collected, sold and sometimes even used against consumers.

The following aims to explore the legal gaps that allow non-HIPAA-covered entities to monetize sensitive personal health information (data that HIPAA, for the entities it covers, calls protected health information or PHI), the role of data brokers who take advantage of this regulatory gap and potential legal solutions to close it.

Health Apps and the HIPAA Gap

Health apps are software applications designed for smartphones and mobile devices, offering a range of services from medical diagnosis and symptom tracking to medication management and fitness monitoring. By providing tools for telemedicine consultations and mental health support, health apps enhance accessibility and convenience for users. These apps collect and assess health information, but most are not covered by HIPAA, which applies only to covered entities (health care providers such as hospitals and doctors, health plans and health care clearinghouses) and to the business associates that handle data on their behalf. Because the majority of health apps are not themselves providers, plans or clearinghouses, they fall outside HIPAA’s privacy and security requirements. Instead, many apps operate under minimal federal oversight, leaving room for unregulated data collection, weak security controls and monetization of sensitive user information. Apps created by or for covered entities (CEs), such as healthcare providers or insurers, must comply with HIPAA because they handle PHI. Apps designed for personal use without CE involvement, however, typically fall outside HIPAA’s scope.

The determination ultimately depends on an app’s specific use case and on the relationship between the app developer, the users, and any covered entities or business associates involved. Developers of health-related apps should carefully assess their obligations under HIPAA and ensure that their app is compliant where the law applies.

The Data Broker Loophole

Data brokers collect and sell personal information about consumers from various sources, often without the consumers’ knowledge. In the United States, the lack of comprehensive federal privacy legislation allows these brokers to operate with minimal oversight. Health apps, which fall outside the purview of regulations like HIPAA, can legally share or sell user data to third parties like advertisers, insurance companies and even law enforcement. This practice creates a significant privacy gap, as users’ sensitive health information can be sold without their explicit consent or awareness. For example, a research team at the Organization for the Review of Care and Health Apps (ORCHA) reported that “84% of period tracker apps share data with third parties”, but “only one single app demonstrated best practice by explicitly asking users for permission” to share data with data brokers. The ORCHA report exemplifies how entities can sell users’ location data, reproductive health details and mental health history without violating HIPAA.

The Federal Trade Commission (FTC) has taken steps to regulate data brokers and deceptive health data collection, though FTC enforcement has had limited effect. For example:

  • The FTC has taken action against data brokers like Gravy Analytics and Mobilewalla for collecting and selling sensitive location data such as visits to healthcare facilities. Such data sales can lead to unauthorized profiling and potential misuse of personal health information.
  • A 2023 FTC investigation found that BetterHelp shared users’ sensitive mental health data with advertisers despite promising confidentiality. BetterHelp agreed to pay $7.8 million to settle the FTC’s charges, which were brought under the FTC Act’s prohibition on deceptive and unfair practices rather than under any rule that forbids such sharing outright. The case highlighted the lack of enforceable federal regulations that would prevent such practices in the future.
  • In FTC v. Kochava (filed in 2022), the FTC sued Kochava, Inc., alleging it sold precise geolocation data that could identify visits to clinics, mental health facilities and addiction treatment centers. As The Verge reported, “Precise location data from advertising IDs and mobile apps can be used for surveillance that, according to the FTC, puts millions of Americans at risk.”


At the state level, California has enacted the California Consumer Privacy Act (CCPA), Cal. Civ. Code § 1798.100 et seq., and Washington’s My Health My Data Act (2023) specifically targets consumer health data that HIPAA does not reach. However, there is no single comprehensive federal law closing this regulatory loophole for data collection and sharing.

Privacy and Security Risks

Health apps carry the same software security risks as any other application, but the data they collect makes the consequences of a breach far more severe, because that data can be used to violate an individual’s privacy. Without effective regulation, health apps like mental health trackers and period trackers pose serious risks to user privacy and security.

Mental Health Apps Sharing Data

A 2022 study found that many mental health apps lacked encryption and transmitted data to third parties without user consent. Another study analyzing mental health applications made similar findings of inadequate encryption and data sharing, which not only breaches user trust but also exposes individuals to potential discrimination or exploitation based on their mental health data. As researcher Joanne Kim highlights, “Health insurance providers… could buy mental health data to discriminately charge individuals for care or discriminately target vulnerable populations with advertisements…Scammers could…exploit and steal from individuals living with mental health conditions.”

Period-Tracking Apps and Reproductive Health Data

Period-tracking apps help users monitor their menstrual cycles but also expose sensitive reproductive health data to third parties, including data brokers. Following Dobbs v. Jackson Women’s Health Org. (2022), concerns over reproductive health data escalated. While some states have shield laws to protect reproductive health data, law enforcement and prosecutors can bypass the subpoena process and shield laws by simply purchasing user data like location history directly from brokers, creating a direct conflict between state-level privacy protections and what is permissible on the unregulated data market.

The Need for Regulatory Reform

The exploitation of health data through these loopholes has prompted demand for improved regulations. Advocates including Health and Human Rights (HHR) argue for comprehensive privacy laws, suggesting provisions that require apps to obtain informed consent before collecting user data and to disclose how health information will be used. Entities that violate these privacy standards would then be subject to fines and/or sanctions to deter misuse.

Some states have begun to address these issues by following California’s example with the CCPA. For instance, New York’s proposed Health Information Privacy Act aims to limit tech companies’ control over consumer health data and protect individuals.

Legal Solutions to Protect Health Data Privacy

The unregulated sale of health data collected on health apps presents serious constitutional and consumer protection concerns. While HIPAA was designed for traditional healthcare entities, it fails to regulate the growing health app industry, leaving millions of users vulnerable.

One proposed solution is federal legislation such as the American Data Privacy and Protection Act (ADPPA), introduced in 2022 but not enacted, which would restrict the sale of consumer health data at the federal level. It would prohibit data brokers from collecting and selling sensitive health information without explicit user consent.

Another approach involves amending HIPAA to extend its reach to consumer health applications and digital health platforms. This reform would ensure that makers of fitness trackers, mental health apps and telehealth services, all of which collect health-related data, are subject to the same privacy and security requirements as traditional healthcare entities. Expanding HIPAA’s scope in this way would create uniform standards for data protection and require app developers and tech companies to obtain user consent before sharing health data with third parties. Additionally, it would hold these tech entities accountable for breaches and misuse of sensitive information.

At the state level, legislative efforts have attempted to fill the gaps left by federal inaction. Laws like California’s CCPA and New York’s similar proposed act grant consumers greater control over how their information is collected and shared and provide consumers with the right to request data deletion and to opt out of its sale. However, without robust federal backing, enforcement of state laws is inconsistent across state lines, leading to a fragmented national regulatory landscape. While some states have taken proactive measures to safeguard consumer health data, others lack comparable protections, leaving millions of Americans exposed to potential privacy violations.

Until these regulatory gaps are addressed, health tech companies are free to continue operating in a legal gray area. As long as consumers’ data remains open to exploitation, consumers remain at risk of harmful privacy breaches. A combination of federal legislation, state enforcement and corporate accountability is needed to bring health data privacy into the modern era.

U.S. v. Skrmetti: A Landmark Case Regarding Gender-Affirming Care? By Adam Sherman

What types of health care should be available to citizens? Can state or federal governments restrict access to health care based on gender identity? While these questions may seem relatively easy to answer in today’s legal framework, judicial scrutiny recently turned to whether states may restrict or deny access to gender-affirming care for American minors in the United States v. Skrmetti case. After oral arguments in December 2024, a SCOTUS decision is forthcoming and may alter the legal framework around youth access to gender-affirming care.

Gender Dysphoria & Gender-affirmative Care

The World Health Organization defines gender-affirmative care to “include any single or combination of a number of social, psychological, behavioral or medical (including hormonal treatment or surgery) interventions designed to support and affirm an individual’s gender identity.” This care may be deemed medically necessary for an adolescent depending on age and gender classification. According to the Mayo Clinic, a person whose gender identity differs from their sex assigned at birth can experience gender dysphoria, which may be accompanied by other detrimental physical or psychological complications like harassment, anxiety, depression, and even suicidality. A study conducted by Stanford University School of Medicine demonstrated the importance of gender-affirming care for youths who experience gender dysphoria. This study, published in 2022 and drawing on 2015 survey data with one of the largest sample sizes of U.S. transgender adults, indicated that “transgender people who began hormone treatment in adolescence had fewer thoughts of suicide, were less likely to experience major mental health disorders and had fewer problems with substance abuse than those who started hormones in adulthood.”

UCLA School of Law’s Williams Institute shed light on concerning statistics regarding this matter, stating “237,500 transgender youth (ages 13-17) live in states that have passed laws banning access to gender-affirming care or where such a law was introduced or pending in the 2024 legislative session.” More than 75% of the transgender youth in the U.S. live in states seeking to restrict access to gender-affirming care, indicating the substantial impact the Supreme Court’s decision in U.S. v. Skrmetti would have.

Senate Bill 1 & United States v. Skrmetti

In 2023, the Tennessee legislature enacted Senate Bill 1 (“SB1”), which facially appears to be a blanket ban on gender-affirming care for transgender youth. The ban encompasses medical care such as administering hormone therapy and puberty blockers to assist youths experiencing the physical and psychological complications mentioned above. Litigation commenced soon after SB1’s enactment, and the resulting case, United States v. Skrmetti, will have an impact across the nation. Parents of transgender teens initiated the suit against the Tennessee Attorney General on their children’s behalf, and the United States later joined as a party challenging the ban. On December 4, 2024, the Supreme Court heard oral arguments on the case. The arguments addressed the constitutionality of SB1’s ban, which would prevent transgender minors from accessing care, as well as the requisite standard of review when determining such constitutional compliance.

The Equal Protection Clause and How it Works

Understanding the Supreme Court’s intermediate scrutiny standard of review and the Equal Protection Clause is necessary to grasp this discussion on the Skrmetti oral arguments. Natalie Wexler’s essay supplied by the Supreme Court Historical Society provides a comprehensive background on the Equal Protection Clause and sex discrimination to supplement this discussion.

Intermediate scrutiny, commonly associated with United States v. Virginia, is a standard of review more demanding than rational basis review that commonly applies to classifications based on sex, a “quasi-suspect class.” When legislation draws lines on the basis of sex, as SB1 allegedly does, intermediate scrutiny applies, and the legislation must be substantially related to the achievement of an important governmental objective. With this standard of review in mind, one can better understand the arguments discussed below.

An Understanding of Skrmetti’s Oral Arguments

Skrmetti oral arguments began with statements from Elizabeth Prelogar, Solicitor General of the United States, arguing for the Department of Justice. Her main point: SB1 makes clear that medications and gender-affirmative care may not be prescribed in Tennessee for the purpose of aiding a transgender youth in living or identifying as a sex different from the one assigned at birth. Prelogar contends this is a facial sex classification which, upon remand to the Sixth Circuit, deserves a heightened level of scrutiny beyond mere rational basis review.

Prelogar was met with several questions from the Justices pertaining to evidence gathered abroad that the harms of gender-affirmative care may outweigh its benefits. Nevertheless, Prelogar remained firm that categorical evidence exists demonstrating the need for this type of care for youths in individualized cases. Other Justices asked about the severe complications of gender dysphoria and about addressing suicidality. This set up one of Prelogar’s strongest points: the Tennessee legislature had failed to show that the ban served a legitimate state interest when weighed against the severe health consequences suffered by impacted youths.

Following Prelogar, statements were heard on behalf of the private plaintiffs by Chase B. Strangio. Strangio, a well-respected ACLU lawyer with special expertise in LGBTQ+ rights, is the first openly transgender person to present oral arguments before the Supreme Court of the United States, breaking a barrier for future LGBTQ+ attorneys.

Strangio’s argument emphasized that regardless of what level of scrutiny the Court applies to SB1, whether it be rational basis, intermediate, or strict, the legislation should fail after a court’s analysis because it is “discontinuous” with the alleged state interest of protecting children SB1 purports to advance.

In response to Strangio’s arguments, the Justices expressed similar concerns to the arguments presented by Prelogar. Justice Barrett noted that it is neither common nor the place for the judiciary to delve deep into medical evidence and research. To this, Strangio countered that when a sex-based classification and the Equal Protection Clause are at play, it may be exactly the place, based on precedent, for the courts to examine a state’s tailoring of legislation allegedly meant to further a legitimate state interest.

Further concern surrounded a topic that often arises when debating gender-affirming care, specifically when minors are involved—regret and reversal. However, the evidence on this matter is conflicting, and for these reasons, it will not be discussed here.

Arguing on behalf of Tennessee’s ban and Attorney General Jonathan Skrmetti was Tennessee Solicitor General J. Matthew Rice. Rice argued that the Sixth Circuit’s decision reversing the preliminary injunctions that had blocked enforcement of SB1 should be affirmed. Rice contended that SB1’s application hinges on medical purpose and has little to do with sex or the sex discrimination that would require intermediate scrutiny. He emphasized the uncertainty and harm associated with the gender-affirming interventions covered by SB1. Finally, Rice put forth the policy argument that politically elected lawmakers are in the best position to address this issue. This long-debated position may gather support from the Justices who expressed trepidation that investigating and assessing such medical issues may be beyond the judiciary’s purview.

Rice bolstered his argument that SB1 turns on medical purpose by using the example of puberty blockers. This led to a major point of contention between Rice and the Justices over the wording of SB1, which frames the purpose of the legislation as protecting minors and encouraging them to appreciate their sex as assigned at birth. Of course, this exact language may also further Prelogar and Strangio’s argument that a clear, facially sex-based classification is at hand, implicating intermediate scrutiny.

Final Thoughts and What to Expect

A Supreme Court decision in United States v. Skrmetti is expected around June of 2025. A major concern of the Justices is where the constitutional allocation of authority lies, which will play a large part in their decision. Will the decision simply determine the level of scrutiny applicable to SB1, with an order vacating and remanding to the Sixth Circuit? Or will the Court go a step further and strike the ban altogether? Sarah Parshall Perry, a Senior Legal Fellow at the Edwin Meese III Center for Legal and Judicial Studies, titled her commentary “Oral Arguments Indicate SCOTUS Justices Are Likely To Uphold Tennessee’s Ban on Gender Medicine for Minors,” indicating her belief that the Justices will be swayed by their suspicions regarding experimental care for minors.

If SB1 is upheld, the impact would be broad. The 75% of transgender youth living in states where bans have either been imposed or are pending would likely lose access to care that, in their minds and the minds of their parents and physicians, they desperately need.

Concern with the outcome of the decision spans the political spectrum. If this youth ban is found constitutional, it may lead to analogous decisions upholding similar bans for adults as well. Moreover, it may mean that nothing stops other branches of government from crafting similar sweeping declarations, executive orders, or bans on certain gender-related health care procedures, with Skrmetti as the precedent for surviving Equal Protection challenges to them.

While the nation waits for the Skrmetti opinion, all we can do is speculate and ponder the ripple effect this may have on the future of the Equal Protection Clause and the health care system.