Tooling

Health Data Privacy

HIPAA, GDPR, post-Roe risk — and the FOSS / on-device alternatives that sidestep most of it.

Health data is the most consequential personal data most people generate. Wearables, period trackers, mood journals, telehealth, and at-home labs all live in a regulatory gap — HIPAA covers providers, not consumer apps, and post-Dobbs (2022) US legal landscape changed risk calculus around reproductive data. This page is the curated list of what to watch, what's defensible, and the FOSS / on-device alternatives.

Sister sections: Period & Cycle Tracking, Pregnancy & Baby Tracking, Mental Health Therapy Platforms, Health Records & FHIR, Quantified Self DIY, Wearable Aggregation, Apple Watch, Diabetes & CGM Tools.

What HIPAA does and doesn't cover

  • HIPAA covers "covered entities": healthcare providers, health plans, healthcare clearinghouses + their business associates with signed BAAs.
  • HIPAA does NOT cover: most consumer apps (Strava, Fitbit, period trackers, mood journals, fitness apps), most wearables, smart-scale data, your Genetic Direct-to-Consumer test, sleep trackers.
  • The "wellness" loophole — apps that don't take medical-provider data live outside HIPAA.

What this means: the privacy of your Strava / Whoop / Flo / Fitbit data is governed by the company's terms of service, not federal medical-privacy law.

Real precedent breaches / settlements (2020-2025)

  • BetterHelp 2023 FTC settlement — $7.8M for sharing user health data with Facebook / Snapchat / Pinterest.
  • Flo 2021 FTC settlement — sharing pregnancy-tracking data with Google / Facebook ad networks; "Anonymous Mode" added 2022.
  • GoodRx 2023 FTC settlement — $1.5M for sharing health-search data with Facebook / Google / Criteo.
  • MyFitnessPal 2018 breach — 150M user emails / passwords.
  • 23andMe 2023 breach — 6.9M user genetic + ancestry profiles.
  • Easy Healthcare (Premom) 2023 FTC settlement — sharing fertility data.
  • Cerebral 2023 — controlled-substance prescription practices + data sharing investigations.

The pattern: consumer health apps share data freely until the FTC catches up, after which they fix it for the next year, then the cycle repeats.

Post-Dobbs (2022) US considerations

  • Period / pregnancy tracking can be subpoenaed; has been used as evidence in pregnancy-related investigations in some US states since 2022.
  • Texts, search history, location data — all potentially relevant; period apps are one piece.
  • Cross-border data sharing — even apps with EU GDPR jurisdiction can be subject to US legal process if they have US infrastructure.
  • Privacy-first picks: see Period & Cycle Tracking for Drip, Euki, Periodical.

GDPR / CCPA / state laws

  • GDPR (EU) — strong; right-to-delete; right-to-portability; explicit consent. Apps headquartered in the EU (Clue, Withings) are bound by GDPR for all users.
  • CCPA / CPRA (California) — analogous to GDPR; right to know / delete / opt-out of sale.
  • Washington My Health My Data Act (2023) — strongest US state-level health-app privacy law; explicit consent for collection, use, and sharing.
  • Connecticut, Virginia, Colorado, Utah — Comprehensive Privacy Acts in force 2023-25.
  • Result: many apps released "Anonymous Modes," delete-my-account flows, and explicit consent screens 2022-25.

Your portability rights (US)

  • HIPAA Right of Access — your provider must give you your medical records within 30 days, in the format you request, for a reasonable fee. Apple Health Records is partially how this is delivered in 2024-26 via FHIR.
  • GDPR Article 20 / 21st Century Cures Act — health systems must export records electronically.
  • See Health Records & FHIR for the practical pipeline.

Defensive defaults

  • Use Apple Health / Health Connect on-device aggregation rather than a vendor's cloud where you can.
  • Don't grant cycle / mood / fertility apps Health-write permission unless you trust them; otherwise they can mirror your data to their servers.
  • Disable third-party app sharing in Apple Health Sharing settings.
  • Use a passcode / biometric lock on sensitive apps.
  • Annual "delete unused apps" sweep — apps you haven't opened in 3 months are still selling your data if you didn't revoke permissions.
  • Read the privacy policy of any new health app, specifically the "Sharing" and "Sale" sections.
  • Delete your account (not just uninstall) when leaving an app.
  • Verify exports work before trusting a service — try exporting before you have 5 years of data locked in.

Apps with strong privacy track records

  • Apple Health / HealthKit — on-device + iCloud E2E.
  • Drip / Euki / Periodical — local-only.
  • OpenScale / GadgetBridge / xDrip+ / Loop / OpenMRS / OpenEMR — FOSS, local.
  • Clue — Berlin-based, GDPR-strict.
  • Garmin Connect — generally low-controversy, but data still on Garmin's servers.

Apps worth questioning

  • Flo, Glow, Stardust — mixed history.
  • MyFitnessPal — past breach.
  • 23andMe / Ancestry — DTC genetics with breach history; consider what data they share with research partners.
  • BetterHelp / Talkspace — FTC scrutiny.
  • GoodRx — health-search history shared with ad networks (settled).
  • Whoop / Fitbit — cloud-mandatory; verify their current TOS.

Data ownership patterns (best practices)

  • On-device first, cloud second — pick FOSS or on-device when reasonable.
  • Periodic CSV exports — set a quarterly calendar reminder.
  • Self-host where it's worth it — Wger, Nightscout, Memos. See Self-Hosted Personal Apps.
  • Tailscale-only access — don't expose your self-hosted tools publicly. See VPN Mesh.
  • Separate accounts for fitness vs. medical — avoid one account that sees everything.

Genetic / DTC data

  • 23andMe / Ancestry — opt out of research-partner sharing; consider downloading your raw data and deleting your account if no longer using.
  • Sequencing.com / Promethease — third-party FOSS / paid analysis on raw 23andMe data; cheaper than re-sequencing.
  • Nebula Genomics, Dante Labs — alternatives; check current ownership / privacy policies.

Pick this if…

  • Privacy-first cycle tracking: Drip / Euki / Periodical.
  • Privacy-first BG monitoring: xDrip+ + self-host Nightscout.
  • Privacy-first wearable aggregation: GadgetBridge + Apple Health on-device.
  • iOS user, want defensible defaults: Apple Health + Apple Watch + decline third-party-app Health writes.
  • Self-host everything you can: Wger / OpenScale / Memos / Trilium / Runalyze + Tailscale.
  • Your therapist / clinician: insurance-billed therapy → HIPAA-covered.
  • Concerned post-Roe in the US: assume hosted period tracker data is potentially discoverable; use Drip / Euki and avoid logging anything to a hosted service that you wouldn't want subpoenaed.