Excerpt from Medscape article, Published on November 18, 2025
More States are moving quickly to strengthen consumer data privacy laws as digital health tools expand beyond the reach of HIPAA. This trend reflects growing concern over how non – HIPAA – protected data — from app activity to website clicks — is collected, shared, and monetized across the healthcare ecosystem. As More States adopt comprehensive privacy laws, healthcare organizations face new expectations and higher standards for transparency and data security.
The surge in telehealth visits, AI tools, fitness trackers, and direct – to – consumer health platforms has created a growing gap in federal protections. HIPAA still covers traditional patient records, but it does not apply to common digital behaviors such as symptom searches, reproductive health app data, or information collected through website tracking pixels. This creates a regulatory gray zone that state – level laws now aim to close.
California set the precedent in 2018, and since then, nearly half the country has followed suit. States like Indiana, Kentucky, Rhode Island, and Maryland have recently enacted laws that redefine what counts as personal health data. Many of these rules require clear disclosures, ban or limit data sales, and give consumers access and deletion rights.
For healthcare organizations, the operational impact is significant. Leaders must now examine vendor contracts, digital tools, and any product that collects user information. Washington’s My Health My Data Act is among the strictest, applying to almost any entity that handles health – related data, regardless of size. Experts note that compliance is far less costly than litigation or regulatory penalties.
Clinicians will see minimal workflow disruption, but awareness is rising. Many providers now discuss app – based privacy risks with patients, especially those seeking sensitive reproductive or LGBTQ – related care.
While national groups push for a unified federal framework, the reality is that More States will continue advancing their own laws. Until federal action arrives, healthcare organizations must track evolving state requirements and strengthen their digital privacy practices.
To delve deeper into this topic, Visit Medscape article
