By Hunter H. Moss and Scott C. Hall
This year marks a pivotal shift from the era of rapid, unregulated health-tech innovation to one of stringent governance. The proliferation of wearable devices, health applications and remote monitoring tools has led to an unprecedented expansion in legal oversight. New HIPAA regulations, state-level “sensitive health data” laws, and the FTC-broadened breach notification rules collectively underscore a unified message from regulators: safeguard health metrics across all platforms. Organizations handling any health-related data must now navigate an increasingly complex web of overlapping federal and state regulations to avoid significant legal repercussions.
In April 2024, the Department of Health and Human Services (HHS) issued a Final Rule under HIPAA aimed at strengthening privacy protections for reproductive health information. The rule, effective June 25, 2024, and with a compliance deadline of December 23, 2024, would have required covered entities to obtain a signed attestation before disclosing protected health information (PHI) related to lawful reproductive healthcare. It also mandated updates to Notices of Privacy Practices (NPPs) by February 16, 2026.
However, in a recent development, a federal district court in Texas vacated the rule on July 3, 2025, holding that HHS exceeded its statutory authority and violated the Administrative Procedure Act. The court’s ruling halts enforcement of the reproductive health privacy rule nationwide unless overturned on appeal. As of now, the rule is not enforceable, and covered entities are not obligated to implement its provisions, although legal appeals may follow and some organizations may still voluntarily adopt its safeguards as a best practice.
For now, entities should monitor ongoing litigation and consider documenting their approach to reproductive-health disclosures in the event the rule is revived or replaced.
On December 27, 2024, the Office for Civil Rights (OCR) at HHS issued a Notice of Proposed Rulemaking (NPRM) proposing significant amendments to the HIPAA Security Rule to bolster cybersecurity protections for electronic protected health information (ePHI). Key proposed changes include mandatory multi-factor authentication (MFA), encryption of ePHI both at rest and in transit, annual technical and non-technical evaluations, and a 24-hour breach notification requirement for business associates. No Final Rule on the matter has been issued.
The FTC’s amended Health Breach Notification Rule (HBNR), effective July 29, 2024, expands the scope of entities required to notify consumers and the FTC of breaches involving health information to apps and platforms not covered by HIPAA.
Several states have enacted laws that treat biometric, wellness, geolocation, and inferred health data as sensitive, even when not covered by HIPAA:
The convergence of federal and state regulations creates complex compliance challenges, particularly for entities operating across multiple jurisdictions. For example, a wearable device used in a healthcare setting may be subject to HIPAA, while the same device used by a consumer falls under state laws like MHMDA or the CPRA. Employers providing wellness programs must navigate HIPAA, the Americans with Disabilities Act (ADA), and state privacy laws, depending on the nature of the data collected and its use.
To navigate the evolving regulatory landscape, businesses should:
While HIPAA remains a foundational framework for health data privacy, the expanding landscape of state laws and FTC regulations necessitates a more comprehensive approach to compliance. Organizations must proactively assess their data practices, update security measures, and ensure transparency with consumers to navigate the complexities of health data privacy in 2025 and beyond.
If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com or Mari Clifford at mclifford@coblentzlaw.com for further information or assistance.