November 25, 2025

Understanding HIPRA: What Health App Companies Must Prepare For

Ivan Tsarynny

As a health-related technology company, you are not registered as a “healthcare provider,” so you are not covered by HIPAA. But under the Health Information Privacy Reform Act (HIPRA), your health app, wearable, or connected device may soon be held to the same privacy and security expectations as one.

Introduced on November 4, 2025, by Senator Bill Cassidy, M.D., HIPRA is Congress’s most ambitious attempt to bring HIPAA-style protections to the rapidly expanding world of consumer health data. It is still a bill, but the direction is unmistakable: any digital product that collects, infers, or processes health-related information – whether through an app, a wearable, or a connected device – should prepare for a stricter regulatory reality.

What you need to know about HIPRA in its early stages

HIPRA does not change HIPAA. Instead, it fills the gap that HIPAA was never designed to cover.

  • HIPRA applies to consumer health apps, connected devices, wearables, and digital wellness tools – systems that collect health-related information outside of traditional medical environments.
  • It introduces new regulated categories: regulated entities (owners of health apps/devices) and “service providers” (vendors that process health-related data on their behalf).
  • HIPRA instructs HHS and the FTC to create privacy, security, and breach-notification rules modeled after HIPAA and HITECH (Health Information Technology for Economic and Clinical Health Act) but applied to the broader digital health ecosystem.
  • Health-related data is defined expansively to include metrics, symptoms, conditions, behaviors, and any identifiers tied to Protected Health Information (PHI).
  • While HIPRA does not explicitly regulate websites, many app and device companies expose health-related data through web-based interactions, authentication flows, trackers, scripts, SDKs, and third-party services. These are often their biggest operational blind spots.

HIPRA is early, but the trajectory is clear: consumer health companies will be expected to implement the same rigor and accountability that health systems follow today.

HIPRA: Closing the “we’re not HIPAA” loophole

HIPAA was written for healthcare providers and their business associates. It was never meant to govern the data exhaust of a modern digital health ecosystem – steps, heart rate, fertility cycles, symptom logs, mood tracking, glucose readings, and behavioral signals.

That gap has created enormous ambiguity for millions of consumers who expect their health information to be handled with care, regardless of where it’s collected.

HIPRA responds by creating a federal baseline for “applicable health information”, covering:

  • Metrics generated by wearables
  • Sensor data from connected devices
  • Information entered into health or wellness apps
  • Behavioral and contextual signals tied to health conditions
  • Any personal data that can reasonably reveal a person’s health status

For product teams, this means the rules of engagement are changing. You’ll need a clear legal basis for what you collect, a purpose-limited approach to how you use it, strong technical safeguards, and deeper accountability for the vendors and SDKs inside your stack.

HIPRA vs HIPAA: What’s the difference?

HIPAA | HIPRA
Applies to covered entities (healthcare providers, health plans) and business associates | Applies to any organization handling health-related data
Regulates medical/clinical PHI | Regulates health-adjacent data, behavioral data, biometric data, app data
Privacy & Security Rules | Privacy, Security, Consumer Rights, Oversight
Enforcement led by HHS OCR | Regulations developed with HHS + FTC

In short:

HIPAA protects medical records; HIPRA aims to protect the entire digital health footprint.

Your biggest HIPRA risk lies in pixels and scripts you don’t fully see

Even though HIPRA is directed at apps and devices, many companies’ biggest risks live in the web layers that surround the app experience – the login pages, onboarding flows, support portals, and marketing sites where trackers, scripts, and SDKs often run unchecked.

A seemingly harmless flow – a user visiting a “sugar level tracker,” booking a “therapy intake session,” or syncing data from a wearable – can trigger dozens of third-party interactions across analytics platforms, identity services, cloud tools, and embedded scripts. These tools can pick up:

  • URLs and page titles
  • Device identifiers
  • Behavioral health signals
  • Location data
  • Account metadata
  • Inferred conditions

Most product and security teams don’t see this activity clearly, and HIPRA expects companies to take responsibility for how consumer health data flows, not just where it is stored.

This is where AI-powered visibility into your app and its interactions becomes essential.

HIPRA-aligned solution for your digital health app

HIPRA sets the expectations for privacy, security, transparency, consumer rights, and breach controls. But organizations need a way to operationalize those expectations across complex digital ecosystems.

A compliance solution such as Feroot’s AI-powered security and compliance platform provides the continuous visibility and protection needed to understand how health-related data flows across web and mobile surfaces. It automatically discovers scripts, SDKs, embedded tools, and third- or fourth-party services that interact with sensitive user journeys. It identifies where health-related signals originate, where they travel, and which vendors are involved.

From there, you can define your rules – what is acceptable, what must be limited, and what must be blocked entirely – while the platform enforces these policies in real time. When leadership or auditors need proof, you can produce compliance-grade documentation showing what exists, what changed, what was blocked, and why.

Getting HIPRA-ready ahead of its enforcement

A HIPRA-readiness plan doesn’t need to be overwhelming. It needs clarity and control:

  1. Understand your HIPRA-scope data
    Identify where your app, device, or connected service processes health-related information, whether directly entered by users or inferred through behavior.
  2. Map every digital system touching that data
    This includes mobile SDKs, third-party APIs, cloud providers, identity services, analytics, and embedded scripts. Feroot AI agents automatically surface these dependencies.
  3. Define and enforce HIPRA-aligned rules
    Partner with your legal and privacy teams to set boundaries on what third parties can access, how data moves, and what must be limited or prohibited.
  4. Monitor continuously
    HIPRA will expect ongoing oversight of your data. AI monitoring ensures you see changes as soon as they occur.
  5. Build your early evidence package
    Document your data flows, vendor relationships, enforcement actions, and risk reduction. This becomes the basis of your future compliance posture.

With the right automation, your team can lay the groundwork well before HIPRA becomes enforceable.
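As an added illustration of steps 2 to 5 above and of the tracker behavior described in the “pixels and scripts” section (this is example code written for this article, not Feroot’s platform or any other product’s code), the JavaScript below audits a constructed capture of outbound requests from a health app’s web flow against a vendor policy. It classifies what each request would deliver to its destination (page context, device identifiers, location, health-related signals), checks that against what each vendor has been approved to receive, and produces an evidence record of what was allowed, limited, or blocked and why. All hostnames, parameter names, keyword lists, and sample requests are assumptions made up for the example.

```javascript
// Added example for this article, not Feroot's product code or anything from
// the HIPRA bill text. Every hostname, parameter name, keyword and sample
// request below is constructed for illustration.

// Hosts that belong to the health app itself (steps 1 and 2: know your own surfaces).
const FIRST_PARTY_HOSTS = new Set(['app.example-health.test']);

// Data categories each approved third party may receive, agreed with legal and
// privacy teams (step 3). A host missing from this map is an unapproved vendor.
const VENDOR_POLICY = {
  'analytics.vendor-a.test': new Set(['page', 'device']),
  'api.vendor-b.test': new Set(['page', 'device', 'location', 'health']),
};

// Constructed dictionaries: which request parameters carry which category,
// and which words in a path, title or parameter value signal a health condition.
const PARAM_CATEGORIES = {
  dl: 'page', dt: 'page', url: 'page', title: 'page', ref: 'page',
  cid: 'device', did: 'device', device_id: 'device',
  lat: 'location', lon: 'location', zip: 'location',
};
const HEALTH_TERMS = ['glucose', 'sugar', 'therapy', 'fertility', 'symptom', 'mood', 'heart-rate'];

function safeDecode(text) {
  try { return decodeURIComponent(text); } catch (_) { return text; }
}

function hasHealthTerm(text) {
  const lowered = safeDecode(text).toLowerCase();
  return HEALTH_TERMS.some((term) => lowered.includes(term));
}

// Returns the sorted list of data categories one request would hand to its destination.
function classifyRequest(req) {
  const url = new URL(req.url);
  const categories = new Set();
  if (hasHealthTerm(url.pathname)) categories.add('health'); // e.g. /events/heart-rate
  for (const [name, value] of url.searchParams) {
    const category = PARAM_CATEGORIES[name.toLowerCase()];
    if (category) categories.add(category);
    // A page URL or title copied into a parameter (dl=, dt=) leaks a health
    // signal whenever the page itself names a condition or treatment.
    if (hasHealthTerm(value)) categories.add('health');
  }
  return [...categories].sort();
}

// Decides allow / limit / block for one request against the vendor policy.
function auditRequest(req) {
  const host = new URL(req.url).hostname;
  if (FIRST_PARTY_HOSTS.has(host)) {
    return { host, verdict: 'allow', categories: [], reason: 'first-party destination' };
  }
  const categories = classifyRequest(req);
  const allowed = VENDOR_POLICY[host];
  if (!allowed) {
    return { host, verdict: 'block', categories, reason: 'unapproved third party' };
  }
  const disallowed = categories.filter((c) => !allowed.has(c));
  if (disallowed.length === 0) {
    return { host, verdict: 'allow', categories, reason: 'within vendor policy' };
  }
  return { host, verdict: 'limit', categories, reason: `strip ${disallowed.join(', ')} before sending` };
}

// Builds the evidence record (step 5): every observed request with its verdict and
// reason, plus a summary of which vendors need a contractual or technical change.
function buildEvidence(requests) {
  const findings = requests.map((req) => ({ url: req.url, initiator: req.initiator, ...auditRequest(req) }));
  const summary = { allow: 0, limit: 0, block: 0 };
  const vendorsNeedingAction = new Set();
  for (const finding of findings) {
    summary[finding.verdict] += 1;
    if (finding.verdict !== 'allow') vendorsNeedingAction.add(finding.host);
  }
  return { findings, summary: { ...summary, vendorsNeedingAction: [...vendorsNeedingAction].sort() } };
}

// Constructed capture: a user opens the "sugar level tracker" page, then books a
// therapy intake, while three third-party scripts are loaded on the page.
const SAMPLE_REQUESTS = [
  { initiator: 'first-party', url: 'https://app.example-health.test/api/readings?cid=dev-1234' },
  { initiator: 'https://analytics.vendor-a.test/tag.js',
    url: 'https://analytics.vendor-a.test/collect?dl=https%3A%2F%2Fapp.example-health.test%2Ftracker%2Fsugar-level&dt=Sugar%20Level%20Tracker&cid=dev-1234' },
  { initiator: 'https://analytics.vendor-a.test/tag.js',
    url: 'https://analytics.vendor-a.test/collect?dl=https%3A%2F%2Fapp.example-health.test%2Fsettings&dt=Settings&cid=dev-1234' },
  { initiator: 'https://cdn.pixel-vendor-c.test/px.js',
    url: 'https://cdn.pixel-vendor-c.test/p?ev=therapy-intake-booked&zip=94110' },
  { initiator: 'https://api.vendor-b.test/sdk.js',
    url: 'https://api.vendor-b.test/v1/events/heart-rate?did=dev-1234' },
];

const evidence = buildEvidence(SAMPLE_REQUESTS);
for (const f of evidence.findings) console.log(`${f.verdict.padEnd(5)} ${f.host}  [${f.categories.join(',')}]  ${f.reason}`);
console.log(JSON.stringify(evidence.summary));
```

Run it with `node`. On the constructed capture, the analytics vendor’s “Settings” beacon is within policy, but the same vendor’s beacon from the tracker page is flagged for limiting because the page title and URL it copies into `dt=` and `dl=` carry a health signal; the unlisted pixel vendor is blocked outright, and the contracted SDK vendor is allowed. In a real deployment the capture would come from the browser’s network instrumentation or a proxy, the policy from legal and privacy review, and the keyword list would need tuning against your own product vocabulary to keep false positives down.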

FAQs

Many organizations assume privacy laws limit innovation. HIPRA does the opposite: it encourages trustworthy innovation by demanding clarity and discipline.

“We rely on pixels for acquisition and retargeting. Will HIPRA kill that?”

Answer: No, but it will demand transparent, limited, consent-based use of health data. The Feroot AI platform lets you safely keep the tools that can be configured in a compliant way and block the ones that can’t.

“We already have a CMP / cookie banner, isn’t that enough for HIPRA compliance?”

Answer: Banners don’t inspect what scripts actually do. Regulators (under HIPAA, and likely under HIPRA) care about real data flows, not only pop-ups. You need technical enforcement on top of the UI consent.

“Can’t my tag manager ensure HIPRA compliance?”

Answer: Tag managers fire tags; they don’t monitor what downstream code does, or produce compliance-grade inventory and audit trails. A solution that sits alongside your app, continuously validating behavior, can help you monitor compliance. 

    Final takeaway: It’s never too early to be HIPRA-ready

    HIPRA is not yet law, but it represents the clearest signal about the future of health-data privacy. Companies that begin preparing today will be better positioned when federal rulemaking begins, and they’ll earn user trust long before this is enforced as a law.

    If your product collects health-related signals – whether through an app, wearable, or any connected experience – now is the time to map your data flows, strengthen your controls, and build the documentation that will become tomorrow’s compliance foundation.

    Book a “HIPRA Readiness” assessment with Feroot today.