The assumption that health privacy begins and ends with HIPAA is dangerously out of date. Here’s why the most sensitive data about your patients may be sitting in a marketing platform.
There is a moment — familiar to anyone who has ever typed symptoms into a search bar at midnight — where the line between curiosity and medical concern blurs completely. You’re not in a doctor’s office. You’re not filling out a form. You haven’t consented to anything clinical. You’re just searching. Maybe you click through to an article about a condition you’re worried about. Maybe you book an appointment through a third-party scheduling tool. Maybe you chat with a virtual assistant on a hospital’s website.
None of that, strictly speaking, is a medical record. Most of it is not covered by HIPAA at all, and whether any piece of it is depends on who collected it, not on what it reveals. And yet every single interaction has told someone something deeply personal about your health.
This is the central problem facing health privacy today — and it’s one that the regulatory frameworks most organizations rely on were never built to solve.
The File Cabinet Is Gone
For decades, health privacy operated on a deceptively simple model. Medical records lived in a records room, later in an electronic health record system. HIPAA told you who could access them and what to do if something went wrong; state law told you how long to keep them. The scope was manageable. The rules were known. The locks were visible.
That world no longer exists — if it ever truly did in the way we imagined.
Today, a patient’s health journey rarely starts in a clinical setting. It starts with a search. It continues through a symptom checker, a condition-specific support forum, a scheduling app that asks you to select the reason for your visit from a dropdown menu. It passes through a call center, where a representative asks about your medication and the conversation is recorded for “quality and training purposes.” It ends, maybe, in an appointment — but the data generated along the way has already traveled far beyond any EHR.
The old analogy of health data as a locked file cabinet no longer works. What we’re actually dealing with is more like a city’s traffic system — constant movement, constant intersections, data merging and rerouting through platforms that were built for commerce and convenience, not clinical care.
Privacy teams are not guarding a cabinet anymore. They are trying to manage a network that was never designed to be managed.
What “Health Data” Actually Means Now
Here’s where many organizations make their first mistake: assuming that if something doesn’t qualify as protected health information under HIPAA, it doesn’t carry the same weight or risk.
Consider what a digital health journey actually looks like in practice.
A person visits a hospital’s website and reads several articles about depression and antidepressant options. They click through to a mental health services page, use a symptom checker, and eventually select “behavioral health” when booking an appointment online through a third-party scheduling platform. Later, they call a support line and mention they’ve been struggling to get a prior authorization approved for a psychiatric medication.
At no point in this scenario has a doctor diagnosed them. At no point has a HIPAA-covered entity created a medical record capturing any of this. A few pieces might still be PHI depending on who operates the scheduling tool and the support line (a vendor handling appointment data for the hospital is a business associate), but most of the trail sits outside that relationship. And yet, what has been captured — across website analytics platforms, scheduling software, and call center recordings — paints an extraordinarily detailed picture of that person’s mental health status.
This is not a hypothetical edge case. It is the routine reality of how people seek health information and care in 2026.
Regulators have begun to notice. In 2025, California Attorney General Rob Bonta reached a $1.55 million settlement with Healthline — a health information website, not a medical provider — under the California Consumer Privacy Act. The allegation was straightforward: the site had shared data about users’ article views, including content tied to specific medical conditions, with advertising partners without properly honoring opt-out requests. There were no medical records involved. No clinical relationships. Just browsing behavior. And it cost $1.55 million.
The message was unmistakable: health-related data does not have to come from a doctor’s office to be treated as sensitive. What matters is what it reveals about the person, not where it was collected.
The Patchwork Is Getting More Complex
State legislatures have been moving faster than federal regulators on this front, and the resulting landscape is increasingly demanding.
California’s Privacy Rights Act (the CPRA, which amended the CCPA) treats personal information concerning a consumer’s health as sensitive personal information, and the Healthline settlement shows how far regulators are prepared to read that category: condition-specific browsing behavior and the conditions inferred from it count. It doesn’t matter whether the data originated in a clinical system or a website analytics tool. If it reveals something about someone’s health, it gets heightened treatment.
Washington state went further still with the My Health My Data Act, which covers “consumer health data” defined by what it reveals rather than who collected it. Scheduling choices, search queries, symptom descriptions, location data near medical facilities — all of it can fall within scope. The law doesn’t ask whether you’re a hospital or a startup. It asks whether your data tells a story about someone’s health. Data already regulated as PHI under HIPAA is carved out, which is exactly why the law bites hardest on the operational and marketing systems that HIPAA never reached.
This sensitivity-based approach is a significant departure from HIPAA’s architecture, which is built around the identity of the entity holding the data rather than the nature of the data itself. A covered entity holding clinical records faces HIPAA’s full weight. A marketing vendor holding behavioral data that reveals the same health information faces… what, exactly? Under HIPAA, nothing. The federal backstop is the FTC, which in 2023 acted against GoodRx and BetterHelp for sharing health-related user data with advertising platforms, under Section 5 of the FTC Act and, in GoodRx’s case, the Health Breach Notification Rule. Those are enforcement actions after the fact, though, not a standard that tells a vendor how to design for the data in the first place.
That gap is where the real risk lives.
The Problem with Operational Systems
Most of the tools that now capture health-related data weren’t built with health information in mind. Marketing platforms, CRM systems, website analytics tools, call recording software, appointment scheduling apps — these were designed for business efficiency. They’re good at what they were built for. What they’re not good at is managing sensitive personal information with the care that health context demands.
The consequences play out in predictable ways.
Retention is one of the biggest issues. Clinical records follow defined retention schedules: state medical-record laws set how long they are kept, and HIPAA requires its own compliance documentation to be held for six years. Marketing data, website logs, chat transcripts, and call recordings are frequently stored automatically and indefinitely. There is no equivalent discipline. Organizations often don’t even know how long the data sits, or where it goes when a vendor contract ends.
Access controls are another gap. A hospital’s EHR system likely has role-based access, audit logging, and a documented minimum-necessary policy. The call center platform storing recordings of patients discussing medication denials? Possibly not. The marketing automation tool tracking which health service pages a user visited? Probably not. A quick test for any such platform: ask who can export the recordings or search the engagement history, and whether that export is logged. If nobody can answer, the minimum-necessary principle has not reached that system.
And then there is the aggregation problem — perhaps the most underappreciated risk of all. One appointment scheduling choice doesn’t tell you much. One website visit doesn’t either. But when you combine scheduling history, website engagement data, call transcripts, email open rates on condition-specific content, and search queries — all of which might live in separate systems that individually seem low-risk — you get something that is functionally a detailed health profile. Built not by a doctor, but by a digital ecosystem that never intended to build one.
Where the Legal Framework Falls Short
Privacy teams working in health-adjacent organizations are often stuck in a loop. When a new digital tool gets proposed, the legal analysis begins with the same checklist: Is this PHI? Is there a covered entity relationship? Is the vendor a business associate? Do minimum-necessary standards apply?
These are the right questions within their scope. But they’re not the right questions for the whole problem.
Because HIPAA’s framework is entity-driven, not data-driven, it creates a kind of blind spot. Organizations can spend enormous energy determining whether a particular data element technically qualifies as PHI — and ultimately conclude it doesn’t — while giving almost no attention to what that data actually reveals about real people, or how it’s accessed, retained, or combined with other data over time.
The legal determination that HIPAA doesn’t apply can function as a kind of permission to stop thinking carefully about the data. That instinct needs to change.
What a Better Approach Looks Like
The EU’s General Data Protection Regulation offers a useful reference point — not because U.S. organizations should wholesale adopt it, but because its underlying logic is instructive. Under GDPR, “data concerning health” is defined by what it reveals, not by who collected it or in what context. If a piece of data communicates something about a person’s physical or mental health — directly or by reasonable inference — it gets treated as a special category of personal data, with correspondingly strong protections.
That’s a fundamentally different orientation. It starts with the person and what can be known about them, rather than with the entity and what rules technically apply to it.
For U.S. health privacy programs, adopting a sensitivity-based internal framework — one that runs alongside HIPAA compliance rather than replacing it — is a practical and increasingly necessary step. The approach involves identifying categories of health-related data that warrant stronger protections regardless of their technical regulatory status: scheduling selections that imply conditions, call recordings that capture treatment discussions, website engagement patterns tied to specific diagnoses, inferred health status from behavioral signals.
Once those categories are named and agreed upon internally, governance decisions become substantially easier. Vendor access reviews have clearer criteria. Retention policies have a more defensible basis. Secondary use questions — can we use this data for marketing? — have a more principled answer.
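One way to make such a sensitivity category concrete in the website analytics layer is to classify each event by what it reveals before it is handed to an advertising or analytics vendor. The following is an added example written for this edit; it is not code from the article or from any vendor, and the path patterns, scheduling reasons, event shape, `optedOutOfSharing` consent flag and placeholder hostname are all assumptions for illustration.

```javascript
// Added example (not from the article): sensitivity-based gating of website
// analytics events before they reach a third-party advertising or analytics
// vendor. Taxonomy entries, event shape and consent flag are assumptions.

// Hypothetical internal taxonomy of site areas and scheduling choices that
// reveal something about a person's health. Illustrative entries only.
const SENSITIVE_PATH_PATTERNS = [
  /^\/conditions\//i,                 // condition-specific articles
  /^\/services\/behavioral-health/i,  // service lines that imply a diagnosis
  /^\/services\/oncology/i,
  /^\/symptom-checker/i,
];
const SENSITIVE_SCHEDULING_REASONS = new Set([
  "behavioral health", "oncology", "hiv care", "substance use treatment",
]);
// Query parameters that routinely carry free text or a selection about the
// visitor (symptom searches, appointment reasons).
const SENSITIVE_QUERY_PARAMS = ["q", "symptom", "condition", "reason"];

// Classify one event by what it reveals, not by which system produced it.
// Returns { sensitive, reasons, path } where path has the query string removed.
function classifyEvent(event) {
  const reasons = [];
  // The base hostname is a placeholder so relative paths parse.
  const url = new URL(event.url || "/", "https://example-hospital.invalid");
  const path = url.pathname;

  if (SENSITIVE_PATH_PATTERNS.some((re) => re.test(path))) {
    reasons.push("path identifies a condition or service line");
  }
  for (const name of SENSITIVE_QUERY_PARAMS) {
    if (url.searchParams.has(name)) {
      reasons.push(`query parameter "${name}" carries a health-related selection or search`);
    }
  }
  const schedulingReason = (event.schedulingReason || "").trim().toLowerCase();
  if (schedulingReason && SENSITIVE_SCHEDULING_REASONS.has(schedulingReason)) {
    reasons.push("scheduling reason implies a condition");
  }
  return { sensitive: reasons.length > 0, reasons, path };
}

// Decide what, if anything, the vendor receives. The opt-out is honoured
// first so the consent signal wins regardless of content; sensitive events
// are suppressed entirely; everything else is minimised (no query string,
// no scheduling reason, no free text) before it leaves the site.
function gateForVendor(event, consent) {
  if (consent && consent.optedOutOfSharing) {
    return { send: false, reason: "visitor opted out of sharing" };
  }
  const result = classifyEvent(event);
  if (result.sensitive) {
    return { send: false, reason: result.reasons.join("; ") };
  }
  return {
    send: true,
    payload: { type: event.type, path: result.path, timestamp: event.timestamp },
  };
}

function gateAll(events, consent) {
  return events.map((event) => gateForVendor(event, consent));
}

// Constructed sample events mirroring the journey described in the article.
const SAMPLE_EVENTS = [
  { type: "pageview", url: "/about-us/parking?utm_source=newsletter", timestamp: 1 },
  { type: "pageview", url: "/conditions/depression", timestamp: 2 },
  { type: "search", url: "/search?q=antidepressant+side+effects", timestamp: 3 },
  { type: "form_submit", url: "/schedule", schedulingReason: "Behavioral Health", timestamp: 4 },
];

console.log(JSON.stringify(gateAll(SAMPLE_EVENTS, { optedOutOfSharing: false }), null, 2));
```

Run with Node to see the decisions for the four sample events: only the parking page is forwarded, and it goes out with its query string stripped. The ordering inside gateForVendor is the point of the design: the opt-out check comes before any content inspection, so a mis-maintained taxonomy can never override a visitor's stated choice, and a sensitive event is dropped rather than "anonymised", because a condition page view tied to a browser identifier is the profile, whatever the name field says.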
Early involvement is critical to making this work. When privacy teams are brought in after a tool has already been deployed — after the marketing platform is live, after the call center vendor is onboarded — the fixes are expensive and disruptive. When they’re involved at the design stage, the same conversations take a fraction of the time and the outcomes are consistently better.
The Trust Issue Beneath the Compliance Issue
There is something worth saying plainly here that often gets lost in the regulatory analysis.
People sharing health-related information online — searching for diagnoses, booking appointments for sensitive conditions, calling to argue with insurers about medications — are doing so under a reasonable assumption that the information stays in the orbit of their care. They are not thinking about data brokers, analytics vendors, or marketing platforms. They are trying to get help.
When organizations collect that data and handle it carelessly — not through malice, but through inattention and the uncritical deployment of tools built for other purposes — they are violating something real. Not always a law. Sometimes just a reasonable expectation. But reasonable expectations are the foundation of trust, and in healthcare, trust is not a soft metric. It determines whether people seek care at all.
The organizations getting this right are not treating health data privacy as a compliance exercise. They’re treating it as a design principle — something that shapes how digital tools are built and deployed, not just audited after the fact.
Health data now lives everywhere. The programs built to protect it need to as well.