Healthcare Privacy — Privacy Policies Beyond HIPAA

Overview last updated: January 2026

Two Different Documents, Two Different Laws

Healthcare organizations often conflate two distinct documents: the HIPAA Notice of Privacy Practices (NPP) and the website privacy policy. These serve different purposes, are governed by different laws, and cover different categories of data.

The Notice of Privacy Practices is required by the HIPAA Privacy Rule (45 CFR 164.520). It must describe how a covered entity uses and discloses Protected Health Information (PHI), outline patient rights, and include specific mandatory language. It applies only to HIPAA-covered entities and their handling of PHI.

A website privacy policy describes how a website or application collects, uses, and shares data from its visitors and users. It's governed by laws like the CCPA/CPRA, GDPR, state privacy laws, and FTC regulations. It covers all personal data collected through that digital property — not just health information.

These documents can overlap, but they are not interchangeable. A hospital's NPP does not satisfy its obligation to disclose website tracking practices. A startup's website privacy policy does not satisfy HIPAA's NPP requirements.

When Healthcare Organizations Need Both

Most healthcare organizations with a web presence need both documents. Here's why:

  • A hospital website uses analytics tools (Google Analytics, marketing pixels) that collect visitor IP addresses, browsing behavior, and device information. This data isn't PHI — it's general personal data subject to the CCPA, state privacy laws, and FTC oversight.
  • A patient portal collects login credentials, session data, and potentially device identifiers before the user even authenticates. The data collected at the pre-authentication layer is often outside HIPAA's scope.
  • Online appointment scheduling forms may collect data from people who are not yet patients. Whether that data qualifies as PHI depends on the specific circumstances, but the website itself still needs a privacy policy covering its general data collection.
  • Marketing activities — email campaigns, retargeting ads, newsletter signups — generate personal data that falls outside HIPAA.

The practical result: a covered entity's website privacy policy needs to accurately describe all the non-PHI data collection happening on its digital properties. The NPP handles the PHI side. Both documents need to exist and be accurate.

Digital Health Companies Outside HIPAA

Not every company handling health-related data is a HIPAA-covered entity or business associate. A large and growing category of companies falls outside HIPAA entirely:

  • Consumer fitness and wellness apps (step trackers, calorie counters, sleep monitors)
  • Mental health and meditation apps that don't involve licensed providers
  • Period and fertility tracking apps
  • Wellness platforms offering coaching, nutrition plans, or general health content
  • Wearable device manufacturers collecting biometric data
  • Direct-to-consumer health testing companies (DNA kits, at-home lab tests sold directly to consumers)

These companies handle sensitive health data, but because they aren't covered entities or business associates, HIPAA doesn't apply. Instead, they face a different set of obligations:

FTC Health Breach Notification Rule

The FTC's Health Breach Notification Rule applies to vendors of personal health records and related entities not covered by HIPAA. If these companies experience a breach of identifiable health information, they must notify affected individuals, the FTC, and in some cases the media. The FTC has actively enforced this rule — in recent years issuing fines against companies that shared health data with advertisers without adequate disclosure.

State Health Privacy Laws

Several states have enacted health-specific privacy laws that go beyond general consumer privacy statutes:

  • Washington My Health My Data Act — Broadly defines "consumer health data" and requires consent before collection, sharing, or sale. Includes a private right of action. Applies to any entity collecting health data of Washington residents, regardless of HIPAA status.
  • California CCPA/CPRA — Classifies health data as "sensitive personal information" with heightened protections, including the right to limit its use.
  • Connecticut, Nevada, and others — Multiple states have added health data provisions to their privacy frameworks.

For digital health companies, the website privacy policy is often the primary privacy document. It must accurately describe how health data is collected, used, shared, and protected — because there's no NPP to fall back on.

Telehealth Privacy Considerations

Telehealth introduces privacy complexity because it sits at the intersection of healthcare delivery and consumer technology:

  • Video platforms used for telehealth may collect metadata, device information, and usage analytics independent of the clinical encounter. If the platform provider isn't a business associate, this data may not be covered by HIPAA.
  • Pre-visit intake forms on a telehealth website collect data before a provider-patient relationship is established. The privacy policy governing the website needs to cover this data.
  • Chat and messaging features may store conversation data in ways that differ from the EHR. The privacy policy should address how these communications are handled.
  • Cross-state practice means telehealth providers may be subject to privacy laws in every state where their patients reside, not just where the provider is located.

Telehealth companies that are HIPAA-covered entities still need a website privacy policy for their non-PHI data. Telehealth platforms that aren't covered entities need a particularly thorough privacy policy because it's the primary document governing user health data.

Common Mistakes

Treating the NPP as a Website Privacy Policy

Publishing only an NPP on a healthcare website and assuming it covers all data collection is one of the most frequent errors. The NPP doesn't address cookies, analytics, marketing data, or visitor tracking — and it doesn't satisfy the CCPA, GDPR, or other consumer privacy laws.

Ignoring Non-HIPAA Data

Healthcare organizations often focus so heavily on HIPAA compliance that they overlook the personal data they collect outside of PHI. Website analytics, marketing tools, job application portals, vendor contact forms — all generate personal data that needs to be addressed in a privacy policy.

Overlooking State Health Privacy Laws

Companies handling health data that fall outside HIPAA sometimes assume they have no specific health-related privacy obligations. The Washington My Health My Data Act and similar state laws have closed this gap significantly. A fitness app collecting health data from Washington residents has specific consent and disclosure obligations regardless of HIPAA.

Vague Descriptions of Health Data Sharing

Privacy policies for digital health products frequently use broad language like "we may share data with partners to improve our services." When the data in question is health-related, this kind of vagueness creates risk under the FTC Health Breach Notification Rule and state health privacy laws. Specificity matters.

Not Updating After Adding Tracking Tools

Healthcare websites frequently add marketing pixels, chatbots, or analytics tools without updating their privacy policy. The 2022-2024 wave of FTC and OCR enforcement actions around healthcare tracking technologies made this a high-priority issue. If your website collects data through these tools, your privacy policy needs to say so.

How Privacy Policy Review Helps

To be direct about scope: Privacy Policy Review reviews website privacy policies, not HIPAA Notices of Privacy Practices. The NPP is a specialized regulatory document with its own compliance process — typically handled by HIPAA compliance counsel or a dedicated compliance program.

What we do cover is the other half of the equation — the website privacy policy that healthcare organizations and digital health companies need alongside (or instead of) an NPP. Specifically:

  • For healthcare organizations with websites, we review the privacy policy covering non-PHI data collection — analytics, marketing, visitor tracking, contact forms — to identify gaps against CCPA, state privacy laws, and FTC requirements.
  • For digital health companies outside HIPAA, we review the privacy policy that serves as the primary privacy document for user health data, checking against applicable frameworks including state health privacy laws and FTC guidelines.
  • For telehealth platforms, we review website privacy policies covering pre-authentication data, marketing data, and platform-level data collection.

Each review is AI-powered and verified by an attorney, delivered as a signed Record of Review for $199. If your organization also needs an NPP review, that's a separate engagement you'll want to handle with HIPAA-specific counsel — but don't let that be a reason to skip reviewing your website privacy policy. They're different documents with different requirements, and both need to be right.
