While tech companies looking to provide health solutions must figure out early on whether they are HIPAA-regulated, HIPAA is not the be-all and end-all of privacy law. Even entities not regulated under HIPAA must abide by other privacy rules, including a wide array of state privacy laws. On December 6, 2012, in the state’s first legal action under its online privacy law, California Attorney General Kamala Harris filed a lawsuit against a major airline for not including a privacy policy in its smartphone app. The complaint alleges violation of California’s Online Privacy Protection Act, which requires certain operators of commercial websites and online services that collect personally identifiable information to conspicuously post privacy policies. Such laws that cover personally identifiable information in general have a much broader focus than HIPAA, which only targets covered entities and business associates exchanging medical information. Even companies not regulated under HIPAA must therefore take such state laws into consideration, and given the potentially severe penalties, noncompliance could be devastating—for example, California seeks penalties of $2,500 per violation, which the complaint defines as each copy of the app downloaded by California consumers. Moreover, simply having a privacy policy will not be enough. While the lawsuit targets the airline for not posting a privacy policy, state legislation and enforcement will be augmenting their focus on the content of such policies to ensure the adequate protection of consumer information.

Additionally, companies need to be mindful of federal privacy laws. For example, the Federal Trade Commission has become increasingly concerned with the failure of children’s-app developers to explain to parents the kinds of personal information the apps collect from children. The problem is widespread, as the FTC reviewed 400 popular children’s apps and found that only 20 percent disclosed their data collection practices. This nondisclosure could violate the Children’s Online Privacy Protection Act, a federal law that requires website operators to get parents’ consent before collecting or sharing certain information obtained from children under 13. The FTC is in the process of tightening these protections, but not without pushback from major tech companies, who claim that the FTC’s proposals could inhibit the development of apps and other services for children. However, children’s-app developers are not the only entities that should be mindful of these developments. The FTC is investigating a wide array of app and internet activity, including activities that more directly intersect with healthcare, such as peer-to-peer file sharing and certain online advertising practices.

Figuring out whether your telehealth company is regulated under HIPAA is certainly of the utmost importance. But even if your telehealth company is not HIPAA-regulated, you are not out of the woods yet. As we venture further into the age of mobile computing, and the associated privacy concerns become more publicized, states and federal agencies will be increasingly vigorous in going after telehealth companies that collect personal information.
