When health data lives everywhere: Rethinking privacy outside the EHR

Health privacy risks now extend far beyond medical records governed by HIPAA.

Contributors:
Alexandra Sumner
AIGP, CIPP/E, CIPP/US, CIPM
Chief Privacy Officer and Corporate Counsel
Microhealth, Inc.

For years, health privacy programs operated on a simple assumption: health data lives in medical records, and the U.S. Health Insurance Portability and Accountability Act tells us how to protect it. That assumption no longer reflects how care works.
Today, the patient journey often starts online. People book appointments through third-party platforms, browse condition-specific webpages, use symptom checkers, chat with support teams and even receive text reminders. Each interaction generates data, and while that data may not qualify as protected health information under HIPAA, it can still reveal deeply personal information about someone's health.
As digital tools expand, more health-related data lives outside the electronic health record and beyond the controls privacy teams know best. HIPAA still matters. But HIPAA alone is no longer enough. The challenge is governing health-related data wherever it appears.
The old model of managing protected health information was like securing a locked file cabinet in a records room. You knew exactly where the information lived, who held the key and when the drawer was opened.
Today, managing health data is more like overseeing traffic in a busy city. Information moves constantly through websites, vendors, analytics platforms and call centers. It intersects, merges and reroutes across systems never designed to function as clinical spaces. Privacy teams are no longer guarding a single cabinet. They are managing a network in motion.
How health data moves outside clinical systems
Health information now surfaces in tools designed for convenience and engagement.
Selecting mental health or fertility services while scheduling communicates sensitive context, even without a diagnosis. Symptom checkers capture concerns before a provider is involved. Call centers record conversations about medications, treatment decisions and insurance barriers.
These recordings are often stored for quality and training. Unlike clinical records, they typically sit in operational systems with less mature access controls and retention discipline.
Marketing and engagement tools add further exposure. Appointment reminders, portal notifications, follow-up emails and website tracking technologies reveal patterns about a person's health journey. A single page view may seem minor. Over time, however, searches, clicks and form submissions tied to specific conditions can create a detailed health profile.
Regulators have made clear this activity is not low risk. In 2025, California Attorney General Rob Bonta reached a USD1.55 million settlement with Healthline under the California Consumer Privacy Act, alleging the health information website shared data about users' article views — including content related to specific medical conditions — with advertising partners without properly honoring opt-out rights.
The case did not involve medical records. It focused on website interactions that revealed health interests. The takeaway was straightforward: browsing behavior connected to health topics can qualify as sensitive personal information. Even in circumstances where HIPAA does not apply, health-related data can create meaningful regulatory exposure.
This shift is also reflected in state privacy laws. The California Consumer Privacy Act, as amended by the California Privacy Rights Act, treats health-related browsing behavior and inferred conditions as sensitive personal information, even when HIPAA does not apply. Washington's My Health My Data Act goes further, regulating "consumer health data" based on what it reveals, including search activity, scheduling choices and other signals outside clinical systems. These frameworks reflect a broader trend: health data is increasingly regulated based on its sensitivity, not its location.
Why non-HIPAA health data still creates risk
Just because information does not fall under HIPAA does not mean it is harmless. In many cases, it is simply handled with fewer safeguards.
Most digital tools were not built with health information in mind. Systems used for marketing, website analytics, call recordings, appointment scheduling or customer outreach are designed for general business purposes. But when people use them to book care, search for conditions or ask questions, those systems end up collecting details that can reveal sensitive health concerns.
The risk often comes from putting pieces together. One appointment selection might not seem significant. A single phone call transcript might not either. But when scheduling history, chat messages, website activity and call records are combined, they can clearly point to a specific condition or treatment.
How long the information is kept also matters. Medical records usually follow statutorily defined retention rules. By contrast, marketing data, website logs, chat transcripts and call recordings are often stored automatically and sometimes indefinitely. Over time, that can mean years of sensitive health-related information sitting in systems that were never designed to manage it carefully.
These problems are not just about legal definitions. They are about how data is handled in practice.
The limits of traditional HIPAA framing
When these issues arise, privacy teams begin with the standard-issue HIPAA questions: Is this protected health information? Is the vendor a business associate? Do minimum necessary standards apply?
Those questions remain legally important. But they do not resolve the overall governance challenge.
HIPAA is structured around regulated entities and defined clinical relationships. Many modern data environments, including marketing platforms and analytics tools, sit outside that framework. As a result, organizations can spend substantial effort determining whether HIPAA technically attaches while giving less attention to how data is accessed, retained, combined or reused across systems.
The central governance question is not only whether HIPAA applies. It is what the data reveals about the individual, especially when viewed across platforms and over time.
Learning from sensitivity-based approaches
Many international privacy regimes take a more content-based approach. Under the EU General Data Protection Regulation, for example, "data concerning health" is treated as a special category of personal data based on what it reveals, not who collects it. If information communicates health status, directly or by reasonable inference, it is subject to heightened protection.
This stands in contrast to HIPAA's entity-driven structure. Instead of diagramming out the various roles — covered entity, business associate, holding corporation — the analysis asks what the data says about the person. That distinction matters in digital environments, where health context often emerges outside clinical systems.
For U.S.-based privacy teams, this doesn't mean importing the GDPR wholesale. It means recognizing the value of evaluating sensitivity based on substance. A scheduling choice, symptom description, search query or engagement pattern that signals health information may warrant heightened safeguards regardless of where it resides.
A more practical path forward
A sensitivity-based lens does not replace HIPAA; it expands internal expectations. Organizations can identify categories of health-related data that warrant stronger protections, even when HIPAA does not formally apply. Doing so reduces repetitive legal versus product data classification debates and helps provide clearer guidance to all. This methodology also supports consistent decisions around vendor access, retention limits and secondary use.
But early involvement is critical. When privacy teams engage early in the process, they can address inference risk, retention creep and vendor exposure before those risks scale. Clear standards do not slow innovation. They reduce friction and prevent late-stage corrections.
Expanding the frame
Health data no longer stays inside the medical record. It moves through marketing platforms, analytics tools, call centers and scheduling systems. Privacy programs must reflect that reality.
Modern health privacy requires more than checking regulatory boxes. It means asking what the data reveals, how long it is kept, who can access it and how it may be combined. Organizations that do this well are not just reducing risk, they are building the patient trust that digital health depends on.
