Digital health privacy is no longer just a HIPAA issue. If I had to sum up the article in one line, it’s this: U.S. healthcare and health-tech teams now have to manage HIPAA, FTC rules, state health privacy laws, cross-border rules, and proof-based certification at the same time.
Here’s the short version:
- HIPAA has gaps. Many apps, wearables, AI tools, and consumer health platforms sit partly or fully outside it.
- The rules are getting tougher. Proposed HIPAA Security Rule changes would make controls like MFA, encryption, network mapping, vendor checks, and annual testing mandatory.
- Enforcement is getting stricter. Regulators want proof, not just written policies.
- State laws go past HIPAA. Washington’s My Health My Data Act and the pending New York Health Information Privacy Act cover consumer health data, inferred health data, and consent in ways HIPAA does not.
- Global rules matter too. The European Health Data Space and EU AI Act are shaping how U.S. vendors document data use and AI risk.
- Certification is becoming part of the picture. Programs from BBB and DirectTrust give companies a way to show how privacy controls work in day-to-day practice.
- The same controls keep coming up. Across laws and certification programs, I keep seeing the same themes: data minimization, consent, encryption, MFA, user rights, risk analysis, and third-party oversight.
- Third-party risk is still a weak spot. Vendor inventories, subcontractor tracking, and repeat reviews now matter much more.
A few numbers make the shift hard to ignore:
- The U.S. digital health market is projected to reach about $100 billion by 2026
- The Change Healthcare attack affected about 190 million people
- HIPAA willful neglect penalties can reach $2,190,294 per year
- Average healthcare breach cost hit $10.9 million in 2024
If you work in healthcare, health IT, digital health, or compliance, the message is simple: privacy now means constant control checks, clean data mapping, third-party risk management, and audit-ready records across many rule sets.
| Area | What changed |
|---|---|
| HIPAA | Proposed rule updates push stricter security controls |
| Consumer health apps | FTC and state laws cover data outside HIPAA |
| State privacy | More states now apply health-specific duties |
| International rules | EU health and AI rules affect U.S. groups with cross-border ties |
| Certifications | BBB and DirectTrust programs add outside review and monitoring |
| Day-to-day work | Teams need evidence, logs, inventories, and repeated testing |
That’s the core takeaway: digital health privacy is shifting from annual compliance work to all-year control and proof management.
Digital Health Privacy: Key Frameworks, Controls & Costs at a Glance
Regulatory Changes Driving New Privacy Expectations
Those gaps are no longer just theory. They're turning into stricter rules, tougher enforcement, and a much broader set of state and global duties.
HIPAA Updates, FTC Enforcement, and Breach Notification Rules
The proposed January 2025 HIPAA Security Rule overhaul would make one big change right away: it would remove the "addressable" standard. In plain English, safeguards that once allowed some flexibility would become firm requirements for every regulated entity, no matter its size. The proposal would require MFA, encryption, segmentation, malware protection, vulnerability scans, and annual penetration testing. It would also require a documented technology asset inventory and a network map showing ePHI flows, with both updated at least every 12 months. Covered entities would also need annual written verification from business associates and subcontractors confirming that technical safeguards and controls validation are in place. HHS estimates $9 billion in first-year costs, followed by about $6 billion per year [2].
"Addressable has never meant optional; it has meant implementation could be tailored to an organization's size and capabilities. The proposal would remove that tailoring." - Josh Cupit, Author, Compliancy Group [2]
Enforcement is tightening too, and the message is pretty clear: written policies alone won't cut it. Regulators now want proof that controls exist and work. The annual maximum penalty for willful neglect HIPAA violations increased to $2,190,294 on January 28, 2026 [2]. In February 2025, Warby Parker received a $1.5 million civil money penalty after a credential-stuffing attack exposed the ePHI of 197,986 people. OCR pointed to two issues in particular: failure to conduct a risk analysis and weak system activity log reviews [2].
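The OCR finding above names weak system activity log review after a credential-stuffing attack. As an added illustration that is not from the article or from any organization it mentions, here is the kind of review logic a defender would run over authentication logs: it flags a source that fails against many distinct accounts (the credential-stuffing signature, as opposed to one user mistyping one password) and lists the accounts that did open during the spray, which are the ones to reset and investigate first. The log format, field names, thresholds, and sample lines are constructed assumptions.

```python
"""Review authentication logs for credential-stuffing patterns.

Added illustration, not from the article or any organisation it names.
The log line format, field names, thresholds and sample lines are
constructed assumptions for the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List

# Constructed sample lines in an assumed format:
#   <timestamp> login <OK|FAIL> user=<account> ip=<source>
# One source sprays many different accounts (the stuffing signature);
# a second source is one user mistyping their own password.
SAMPLE_LOG = """\
2025-01-10T02:00:01Z login FAIL user=alice ip=203.0.113.5
2025-01-10T02:00:02Z login FAIL user=bob ip=203.0.113.5
2025-01-10T02:00:02Z login FAIL user=carol ip=203.0.113.5
2025-01-10T02:00:03Z login FAIL user=dave ip=203.0.113.5
2025-01-10T02:00:03Z login OK user=erin ip=203.0.113.5
2025-01-10T02:00:04Z login FAIL user=frank ip=203.0.113.5
2025-01-10T02:00:05Z login OK user=alice ip=198.51.100.7
2025-01-10T02:00:09Z login FAIL user=alice ip=198.51.100.7
2025-01-10T02:00:10Z login FAIL user=alice ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ip: str
    distinct_users: int
    failures: int
    accounts_opened: List[str]  # accounts that authenticated from the spraying source


def parse(log_text: str) -> list:
    """Parse lines that match the assumed format; unparseable lines are skipped
    (a production review would count them as a data-quality signal)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_stuffing(events, min_users=5, min_failures=4) -> List[Finding]:
    """Flag sources that fail against many distinct accounts.

    A forgotten password is one account failing from one source; credential
    stuffing is one source trying many accounts with mostly failing results.
    Accounts that did open during such a spray are the ones to reset first.
    """
    by_ip = defaultdict(lambda: {"users": set(), "fail": 0, "ok": set()})
    for e in events:
        rec = by_ip[e["ip"]]
        rec["users"].add(e["user"])
        if e["result"] == "FAIL":
            rec["fail"] += 1
        else:
            rec["ok"].add(e["user"])
    findings = []
    for ip, rec in sorted(by_ip.items()):
        if len(rec["users"]) >= min_users and rec["fail"] >= min_failures:
            findings.append(Finding(ip, len(rec["users"]), rec["fail"], sorted(rec["ok"])))
    return findings


if __name__ == "__main__":
    for f in detect_credential_stuffing(parse(SAMPLE_LOG)):
        print(f"{f.ip}: {f.distinct_users} accounts tried, {f.failures} failures, "
              f"opened: {', '.join(f.accounts_opened) or 'none'}")
```

The point of the example is the review itself: a log that nobody reads against a question like "how many distinct accounts did one source try?" is exactly the gap a regulator reads as weak log review. Thresholds should be tuned to the real login volume before the rule is trusted.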
The FTC is adding pressure from another direction. Its Health Breach Notification Rule applies to consumer health apps and personal health record vendors that sit outside HIPAA. In 2023, GoodRx became the first company fined under the rule after it shared sensitive health data with Facebook and Google for advertising without notifying users [1].
Federal pressure is expanding, but state laws are moving even faster.
State Consumer Health Privacy Laws Are Extending Protections Beyond HIPAA
Washington's My Health My Data Act (MHMDA) reaches health data that HIPAA does not cover, including data collected by apps, websites, and wearables. It requires explicit opt-in consent before collection or sharing [4]. It also bans geofencing around healthcare facilities to identify or track people seeking care. And it gives people a private right of action, which means they can sue directly [4].
As of 2025, 19 U.S. states have enacted broad privacy laws with health-specific provisions [5]. That creates a practical problem for organizations: the same person may have PHI protected under HIPAA and personal information governed by state law at the same time. Those data types do not always follow the same rules. So this isn't just a legal drafting issue anymore. Organizations need jurisdiction-aware data classification built into day-to-day operations.
"HIPAA always was a patchwork, and the gaps have grown with the proliferation of AI. Unfortunately, if people truly believe that their data is private, they're wrong." - Lisa Bari, Vice President of Policy and Partnerships, Innovaccer [1]
The pending New York Health Information Privacy Act (NY HIPA) goes even further. It would include inferred health data drawn from non-health information, and it has no revenue or processing threshold. That could make it the most extensive consumer health privacy law in the U.S. [5]
For digital health organizations that operate across borders, things get even more layered.
How International Frameworks Are Shaping U.S. Privacy Practices
U.S. organizations with cross-border operations, research partnerships, or international vendors are dealing with a more complex regulatory setup. The European Health Data Space (EHDS) entered into force on March 26, 2025. It creates a two-tier model for primary use, such as patient care, and secondary use, such as research and policy. It also requires accredited secure processing environments for data access [6][3]. Full enforcement is expected by 2027, with broader cross-border exchange milestones stretching to 2029 and 2031 [3].
The EU AI Act adds another layer. It treats medical imaging AI, clinical decision support, and patient triage systems as high-risk, with core duties starting in August 2026 [3]. That is pushing U.S. vendors toward stronger documentation, tighter risk controls, and AI impact assessments before deployment. Put it all together, and the pattern is hard to miss: digital health privacy now depends on governance, documentation, and audit readiness across markets, not just compliance inside the U.S.
These overlapping rules are driving demand for stronger privacy controls and auditable accountability programs.
Emerging Privacy Certification and Accountability Programs
As privacy rules expand, voluntary certification programs now give companies a way to show auditable proof of how they handle privacy in practice. They turn newer privacy expectations into day-to-day checks. They don't replace HIPAA or state law, but they do give organizations a structured way to show they go beyond the legal floor.
The main idea is simple: continuous verification, not a one-and-done approval.
How Digital Health Privacy Seals and Certifications Are Structured
Most digital health privacy certification programs look at a familiar set of issues. They check whether an organization limits data collection to what it needs, keeps privacy notices clear, gets meaningful consent before collecting or sharing data, and manages advertising trackers on both the first-party and third-party side. Security controls and continued monitoring are usually part of the review too.
The BBB Digital Health Privacy Program (DHPP) is a good example. It pairs post-certification monitoring with real-time compliance alerts, which makes it harder for a company to pass a review and then slowly slip out of line [8]. These voluntary certifications can help build trust, but they do not change a company's legal duties.
The Digital Health Privacy Program and Similar Accountability Models
The BBB DHPP is the first independent standard built specifically for non-HIPAA-covered health data, such as data collected by consumer apps, wearables, and IoT devices [8]. DirectTrust oversees 28 accreditation programs and has built several that matter directly to digital health. The table below shows the scope, privacy areas reviewed, and how the main programs are checked [10].
| Program | Scope | Assessed Privacy Principles | Verification Approach | Renewal / Monitoring |
|---|---|---|---|---|
| BBB Digital Health Privacy Program (DHPP) | Non-HIPAA consumer health data (apps, wearables, IoT) | Data collection limits, advertising trackers (1st/3rd party), privacy notices, consent flows | Verification and readiness assessment; developer checklists | Ongoing monitoring and real-time compliance alerts [8] |
| DirectTrust CARIN-CFA Accreditation | Consumer-facing applications and FHIR-based APIs | Privacy policies, data use practices, security safeguards, consent protocols | Independent review by DirectTrust Assessors against CARIN Code of Conduct criteria | Annual criteria updates (v1.0 in 2025, v1.1 in 2026) [7][10] |
| DirectTrust Digital Therapeutic (DTx) Program | DTx applications and platforms | Efficacy, data privacy, and security tied to therapeutic outcomes | Independent Assessor review; criteria led by the Digital Therapeutics Alliance | Standard accreditation cycle [9] |
| DirectTrust AI Program (Beta) | AI developers and deployers in healthcare | Transparency, risk management, and responsible innovation | Assessment based on NIST AI Risk Management Framework (RMF) v1.0 | Foundational vs. comprehensive levels based on organizational maturity [10] |
There’s also a practical pattern here. All of these programs line up with NIST frameworks, whether that's the Cybersecurity Framework v2.0, NIST 800-171 Rev. 3, or the AI RMF [9][10]. So if an organization already builds its controls around NIST, the documentation and evidence requests will feel familiar.
In plain English, these programs keep pointing back to the same set of controls. And that's what matters most, because research shows those controls are the real measure of privacy maturity.
What Research Shows About the Controls Behind These Standards
Research points to a pretty clear pattern: the same privacy and security controls show up again and again across digital health standards. So the main issue isn't whether these controls matter. It's which ones keep showing up across frameworks.
Privacy by Design, Data Minimization, and User Rights Management
Privacy by design is no longer something teams can tack on at the end. It's now a day-to-day requirement for data sharing. That means organizations need to build consent management, data segmentation, and role-based access into their workflows from the start, not bolt them on later [12].
Data minimization works the same way. Even when data sharing is allowed by law, limiting disclosures to only what's needed helps strengthen patient trust [12]. On top of that, user rights workflows are getting broader. Newer frameworks go past basic access and amendment rights and now include one-time consent for future disclosures, along with added protections for sensitive records like substance use disorder (SUD) data [12].
There's also a date organizations can't ignore: February 16, 2026. That's the deadline for updating HIPAA Notices of Privacy Practices to reflect revised 42 CFR Part 2 rules [12].
One practical problem keeps coming up: consent gathered at intake often doesn't travel with the data across EHRs, HIEs, and third-party platforms [12]. That's a big deal. A consent choice that gets lost between systems can create gaps fast.
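One way to close that gap is to bind the consent decision to the record itself and make every disclosing system check it before anything leaves. The following is an added example, not code from the article or from any EHR or HIE vendor: a consent envelope attached to a record, a disclosure check that treats a missing envelope as a hard stop rather than a default allow, and a hand-off that drops the envelope to show how the gap the paragraph describes appears. Field names, purposes, recipient identifiers, and sample records are constructed assumptions; the SUD category is the article's own example of a sensitive record type.

```python
"""Consent that travels with the record, and what breaks when it does not.

Added illustration, not from the article. Field names, purposes,
recipients and sample records are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Consent:
    """What the patient agreed to at intake, carried with the record."""
    purposes: FrozenSet[str]            # e.g. {"treatment"}
    recipients: FrozenSet[str]          # organisations allowed to receive
    expires: date
    sensitive_allowed: FrozenSet[str] = frozenset()  # e.g. {"SUD"} needs its own grant


@dataclass(frozen=True)
class Record:
    patient_id: str
    categories: FrozenSet[str]          # data categories inside, e.g. {"general", "SUD"}
    consent: Optional[Consent]          # None models consent lost between systems


class ConsentError(Exception):
    pass


def check_disclosure(record: Record, recipient: str, purpose: str, today: date) -> bool:
    """Return True only if the attached consent covers this disclosure.

    A missing envelope is refused outright: the gap the article describes
    comes from systems that read 'no consent record' as 'no restriction'.
    """
    c = record.consent
    if c is None:
        raise ConsentError("no consent envelope attached; do not disclose")
    if today > c.expires:
        raise ConsentError("consent expired")
    if purpose not in c.purposes:
        raise ConsentError(f"purpose {purpose!r} not consented")
    if recipient not in c.recipients:
        raise ConsentError(f"recipient {recipient!r} not consented")
    # Sensitive categories need a specific grant beyond the general consent.
    needs_grant = record.categories - {"general"} - c.sensitive_allowed
    if needs_grant:
        raise ConsentError(f"categories {sorted(needs_grant)} need specific consent")
    return True


def forward_without_consent(record: Record) -> Record:
    """Model a hand-off that copies the clinical payload but drops the envelope."""
    return Record(record.patient_id, record.categories, None)


def demo() -> dict:
    """Run the check over constructed scenarios and report each outcome."""
    today = date(2026, 1, 15)
    full = Consent(frozenset({"treatment"}), frozenset({"clinic-a", "hie-1"}),
                   date(2026, 12, 31), frozenset({"SUD"}))
    no_sud_grant = Consent(frozenset({"treatment"}), frozenset({"clinic-a", "hie-1"}),
                           date(2026, 12, 31))
    rec = Record("p-001", frozenset({"general", "SUD"}), full)
    rec_no_grant = Record("p-002", frozenset({"general", "SUD"}), no_sud_grant)

    scenarios = {
        "hie_treatment": (rec, "hie-1", "treatment"),          # covered
        "analytics_vendor": (rec, "vendor-x", "treatment"),    # recipient not consented
        "marketing": (rec, "clinic-a", "marketing"),           # purpose not consented
        "sud_without_grant": (rec_no_grant, "clinic-a", "treatment"),
        "envelope_dropped": (forward_without_consent(rec), "clinic-a", "treatment"),
    }
    results = {}
    for name, (r, recipient, purpose) in scenarios.items():
        try:
            check_disclosure(r, recipient, purpose, today)
            results[name] = "allowed"
        except ConsentError as e:
            results[name] = f"blocked: {e}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design choice worth noting is the fail-closed default: when the envelope is absent the check refuses rather than falling back to whatever the receiving system assumes, which is how a consent choice captured at intake stops being something that can quietly disappear in transit.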
Those same issues show up in the control set below.
Security Controls and Governance That Recur Across Frameworks
Across HIPAA, FTC and information-blocking rules, state consumer health privacy laws, and newer certification programs, the same technical controls keep surfacing.
| Core Control Category | HIPAA (Security/Privacy) | FTC and information-blocking rules | State consumer health privacy laws | HITRUST CSF v11 |
|---|---|---|---|---|
| Encryption (Rest/Transit) | Required/Addressable | Expected for Breach Safe Harbor | Standard Requirement | Mandatory Prescriptive |
| Multi-Factor Auth (MFA) | Implied (Access Control) | High Expectation | Often Mandated | Mandatory for all EHI access |
| Data Minimization | "Minimum Necessary" Rule | Enforcement Focus | Core Principle (e.g., MHMDA) | Privacy Practice Controls |
| Third-Party Risk/BAAs | Mandatory BAAs | Focus on Analytics/Trackers | Required Oversight | Mandatory Vendor Inventory |
| User Access Rights | Access/Amendment | Prohibits Interference | Deletion/Opt-out Rights | Maturity-based rights management |
| Risk Analysis | Annual Requirement | Tailored Risk Assessment | Periodic Assessment | Continuous Risk Mgmt |
There's also a shift in how governance gets judged. Frameworks like HITRUST r2 have moved beyond simple pass/fail audits and now use a five-level maturity model: Policy, Procedure, Implemented, Measured, and Managed [11].
That change matters. If an organization wants to reach the upper levels, each security control has to produce logs or metrics that management reviews on a regular basis. Paperwork by itself won't cut it.
Third-Party Risk Is a Consistent Privacy Weakness in Digital Health
Third-party relationships keep showing up as a weak spot in digital health privacy. In many cases, the problem comes down to mismatched system boundaries and fourth-party subcontractors that no one is properly tracking [11].
Stronger privacy programs handle third-party review as a repeatable process, not a one-off task. In practice, that means:
- Keeping a current vendor inventory
- Collecting proof that controls are in place
- Reassessing vendors on a set schedule [11]
HITRUST CSF v11 also makes vendor inventory mandatory within its control set [11]. That's why continuous third-party monitoring should be part of certification readiness, not treated as extra work.
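The proposed HIPAA Security Rule section above sets a cadence (inventory and network map refreshed at least every 12 months, annual written verification from business associates and subcontractors), and the list just given names the three habits that make third-party review repeatable. As an added example that is not from the article, HITRUST, or any vendor, the script below expresses both as checks over a vendor inventory: which ePHI-handling vendors have stale or missing evidence against the cadence, and which subcontractors a vendor names have no inventory entry of their own, the untracked fourth parties the article calls out. Vendor names, dates, and field names are constructed assumptions.

```python
"""Evidence-freshness and fourth-party gap checks over a vendor inventory.

Added illustration, not from the article. Vendor names, dates and field
names are constructed assumptions; the 365-day cadence mirrors the
'at least every 12 months' and 'annual verification' language quoted
in the article.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Vendor:
    name: str
    handles_ephi: bool
    baa_signed: bool
    last_control_evidence: Optional[date]       # e.g. date of the last audit report
    last_written_verification: Optional[date]   # annual attestation date; None = never
    subcontractors: List[str] = field(default_factory=list)  # fourth parties the vendor names


def overdue(vendors: List[Vendor], today: date,
            cadence: timedelta = timedelta(days=365)) -> List[Tuple[str, str]]:
    """Return (vendor, reason) pairs for ePHI vendors whose paperwork or
    evidence is missing or older than the cadence. Vendors that never
    touch ePHI are skipped; they are in scope for other rules, not this one."""
    findings = []
    for v in vendors:
        if not v.handles_ephi:
            continue
        if not v.baa_signed:
            findings.append((v.name, "no BAA on file"))
        for label, stamp in (("control evidence", v.last_control_evidence),
                             ("written verification", v.last_written_verification)):
            if stamp is None:
                findings.append((v.name, f"{label} never collected"))
            elif today - stamp > cadence:
                findings.append((v.name, f"{label} stale ({(today - stamp).days} days)"))
    return findings


def untracked_fourth_parties(vendors: List[Vendor]) -> List[str]:
    """Subcontractors named by a vendor that have no inventory entry of their own."""
    known = {v.name for v in vendors}
    return sorted({s for v in vendors for s in v.subcontractors if s not in known})


def sample_inventory() -> List[Vendor]:
    """Constructed inventory for the example."""
    return [
        Vendor("cloud-host", True, True, date(2025, 3, 1), date(2025, 3, 1), ["dc-ops"]),
        Vendor("billing-saas", True, True, date(2024, 1, 15), None, ["payments-proc"]),
        Vendor("newsletter-tool", False, False, None, None, []),
        Vendor("dc-ops", True, True, date(2025, 6, 1), date(2025, 6, 1), []),
    ]


AS_OF = date(2026, 2, 1)  # constructed review date

if __name__ == "__main__":
    for name, reason in overdue(sample_inventory(), AS_OF):
        print(f"ACTION {name}: {reason}")
    for sub in untracked_fourth_parties(sample_inventory()):
        print(f"UNTRACKED fourth party: {sub}")
```

Run on a schedule, the first function turns "reassess vendors on a set schedule" into a list of names with a reason attached, which is the evidence a reviewer asks for; the second catches the subcontractor that appears only inside another vendor's attestation and nowhere in the inventory.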
What These Developments Mean for U.S. Healthcare Organizations
Certification Readiness Requires Continuous Privacy and Cybersecurity Operations
These standards now show up in day-to-day work, not just annual reviews. In digital health, privacy now depends on continuous control testing, evidence collection, and documentation that’s ready for an audit at any time. The 2026 HIPAA Security Rule makes controls such as MFA, encryption, and segmentation mandatory [13]. By early 2026, OCR had already completed 11 enforcement actions under its Risk Analysis Initiative, with a clear focus on organizations that could not show documented, timely action on risks they had already identified [13].
"The policy binder is no longer sufficient. The risk analysis as a document is no longer sufficient. OCR is looking for evidence that your organization identified risks, acted on them in documented, timely fashion, and built technical controls that can be independently verified." - WCH Service Bureau [13]
For healthcare organizations running hybrid environments, the job gets tougher. Many now manage PHI alongside consumer app data, connected devices, and third-party systems. That mix can trigger different privacy expectations for different data types, and a weak spot in one area can spill into risk across the business.
The cost picture helps explain why many teams are paying closer attention. Mid-sized providers are facing initial compliance setup costs of $15,000 to $40,000, with annual maintenance of $5,000 to $15,000. That’s far below the average healthcare data breach cost of $10.9 million in 2024 [13].
How Censinet RiskOps™ Can Support Privacy Assurance at Scale

As this work grows, scattered processes start to break down. Teams need one place to manage risk workflows across vendors, devices, and clinical applications, and to run effective third-party risk assessments from it.
Censinet RiskOps™ centralizes third-party and enterprise risk assessments, cybersecurity benchmarking, and coordinated risk management across the same areas covered in this article: PHI, clinical apps, medical devices, supply chains, and AI workflows.
Conclusion: The Key Standards Shifts to Watch
The bottom line is a new baseline for privacy governance. Digital health privacy standards now reach past HIPAA into certification programs, state laws, and sensitive-data rules. DirectTrust accreditation programs are becoming meaningful benchmarks for privacy and security governance [10].
Organizations in the strongest position will treat privacy and cybersecurity as continuous work, not a once-a-year task. The next standards shift to watch is the expansion of protections for reproductive health data and SUD records, which are showing up more often in certification criteria and state privacy requirements [13][10].
FAQs
Does HIPAA still cover most digital health data?
Yes. HIPAA still covers most digital health data, especially Protected Health Information (PHI), which remains a core focus of current U.S. privacy and security rules.
Which privacy controls should teams prioritize first?
Start with privacy risk assessments. First, catalog all PII processing activities. Then identify high-severity threats, such as unauthorized access and data breaches.
This supports strict risk treatment and clear accountability.
How do state and EU rules affect U.S. health apps?
U.S. health apps that handle data from EU residents may need to follow GDPR. That matters because GDPR casts a wide net over personal data and sets strict rules around data protection, breach reporting, and cross-border data transfers.
In the U.S., the picture is more fragmented. Privacy rules often depend on HIPAA plus state laws, and those rules can vary a lot from one state to another. In most cases, they don't cover as much ground as GDPR.