On July 30, the White House announced a public-private partnership to build a digital health ecosystem that weaves together clinical data, insurance claims, and wearable-device streams into a unified, patient-centered network. The system will be led by the Centers for Medicare & Medicaid Services (CMS) and is backed by more than 60 companies, including Amazon, Apple, Google, OpenAI, and UnitedHealth Group. Proponents praise the initiative for allowing clinicians to seamlessly share information and coordinate care delivery. Industry lobbyists go a step further, positioning the influx of interoperable data as the bedrock of “personalized, precision medicine” at scale. Despite these assurances, the initiative’s core design could erode established privacy protections in health care: it funnels sensitive medical records into unregulated corporate pipelines and builds a public-private surveillance network whose harms could outweigh its clinical gains.
Privacy concerns
Many scholars, civil liberties advocates, and health information technology professionals argue these efforts could strip away or erode individuals’ reasonable expectations of privacy by exposing, repurposing, or commercializing data far beyond the purposes for which it was originally provided. Medical files contain patients’ sensitive information, including references to existing medical conditions, substance use disorders, mental health notes, sexual and reproductive health care services, pharmaceutical prescriptions, and even social or family stressors that clinicians record to guide care delivery. Under current U.S. law, the Health Insurance Portability and Accountability Act (HIPAA) applies to “covered entities” (health care providers, health plans, and clearinghouses) and their business associates (BAs). A BA is a vendor handling protected health information (PHI) to perform a function for a covered entity, such as billing companies, claims processing services, and data storage companies. HIPAA compliance requires covered entities and their business associates to implement safeguards that protect the privacy and security of protected health information. They must also grant individuals certain rights over their data (e.g., the right to access or amend their records).
Yet most third-party health apps don’t qualify as BAs because they contract with users, not with providers or insurers. As a result, although they collect medically sensitive information, they are not bound by HIPAA’s privacy restrictions. Once medical information leaves a HIPAA-protected environment, it can be used or sold under a much looser set of rules. Under the Trump administration’s plan, user health data would flow directly into an unregulated ecosystem of third-party apps where sensitive health details could be mined for behavioral advertising, packaged into risk scores, or even cross-referenced with phone-collected location data. In practice, we have already seen this play out: The Federal Trade Commission’s (FTC) recent enforcement actions against a telehealth firm and a prescription discount company showed how companies can attempt to monetize “de-identified” or supposedly limited health information by piping it to Facebook and Google advertising pixels.
Compounding the problem is the voluntary and non-binding nature of the industry pledge. None of the signatories are contractually obligated to meet any cybersecurity standard, submit to audits, or refrain from secondary uses of the data. In effect, the initiative centralizes some of the nation’s most sensitive records, while simultaneously lowering or ignoring guardrails that have long protected them. Public health law scholar Lawrence Gostin said this arrangement is cause for “enormous ethical and legal concerns,” warning that patients “should be very worried that their medical records are going to be used in ways that harm them and their families.” Beyond his concerns, this model also risks eroding the longstanding norm of doctor-patient confidentiality in pursuit of convenience.
The deepening of health surveillance
Digital portability of medical records has already enabled a baseline level of health surveillance. For decades, HIPAA has permitted covered entities to collect, use, and exchange patient information for treatment, payment, and health care operations, without a separate patient authorization, across electronic health records and health information exchanges. During the COVID-19 pandemic, emergency measures temporarily expanded data flows for public health purposes (e.g., case investigation and contact tracing). This history matters because the CMS proposal expands the scope of surveillance along two axes at once: a broader range of data, and the participation of many new actors outside the traditional health care system.
Health surveillance is the systematic collection, monitoring, and analysis of individuals’ health data by institutions for purposes unrelated to direct clinical care. Because CMS will manage the government side of the exchange, every data stream that passes through, whether uploaded by a private hospital or generated by a smart watch, could eventually populate federal databases already rich with information on more than 140 million Medicare and Medicaid beneficiaries. Linking continuous sensor data, app-generated diet logs, or conversational artificial intelligence (AI) transcripts to those same identifiers would give agencies and their corporate partners unprecedented visibility into the daily behaviors and health choices of millions of Americans. The visibility the administration envisions for a more coordinated health information network could be harmful for some patients. Possible scenarios include insurers inferring non-compliance with medication regimens and raising premiums, or employers using aggregated fertility indicators to make hiring or promotion decisions. State prosecutors in jurisdictions restricting abortion might also leverage location-tagged health app logs to accuse someone of traveling out of state for abortion care.
This type of granular and targeted surveillance of care-seeking behavior presents a barrier to fair and ethical access to and use of the national health system. Communities that already distrust medical institutions, such as immigrants and racial minorities, may avoid seeking care if they believe the resulting records could be weaponized against them. For example, earlier in 2025, CMS agreed to share portions of its data, including patient addresses, with immigration enforcement officials. While broader data sharing is often justified as a way to enable earlier disease detection or more personalized interventions, these promises will remain unrealized if patients cannot trust the system. That trust will depend on policymakers enacting stronger legal, privacy, and security safeguards around the CMS-led initiative.
There need to be more policy interventions
Policymakers may still have time to avert both the intended and unintended outcomes of a centralized health care network. First, they can engage in what most perceive to be a grueling update of HIPAA and close the statutory gap through updates that treat any entity handling identifiable health data as a covered entity. While most health stakeholders have avoided such tasks, it may be worthwhile if patient data will be loosely available to private sector providers without definable guardrails. Lawmakers should also make sure that no covered entity, business associate, or other participant in the CMS-led initiative may share any individually identifiable health data, or inferences derived from it, with any law enforcement, immigration, or other government agency unless that agency first obtains a full judicial warrant supported by probable cause. This could sit alongside HIPAA’s existing disclosure rules, guaranteeing that patient information shared in this initiative can never be repurposed for any government investigatory use without advance judicial approval.
Congress can also use this moment to finally enact a national consumer privacy statute like the American Privacy Rights Act (APRA), which defines covered data broadly to include health information and gives consumers rights to access, correct, delete, and export their covered data. It also allows individuals to pursue legal action against companies for violations and empowers the FTC to impose penalties and enforce compliance. Moreover, APRA would establish purpose limitation, requiring data to be collected and used only for clearly disclosed purposes, and data minimization, mandating that companies retain only the minimum information necessary to fulfill those purposes and delete it once it is no longer needed. Together, purpose limitation and data minimization ensure that information collected for treatment or research is used only as intended and that any unnecessary data are promptly deleted, preventing repurposing for advertising or other secondary uses. Additionally, lawmakers should expand the FTC’s Health Breach Notification Rule to reach every participant in the CMS-led ecosystem, so that any entity that collects, stores, or processes consumer health data must notify affected individuals, the FTC, and, for large-scale incidents, the media whenever unsecured health information is exposed. This, along with prominent disclosures, will protect consumers subjected to a more nationalized data collection and compilation ecosystem.
Security must be central to this initiative
Policymakers should also ensure that all participants in the data-sharing ecosystem meet National Institute of Standards and Technology (NIST)-aligned security baselines. At a minimum, that means encryption of health data both in transit (between apps, providers, and CMS) and at rest (in every participant’s storage), with encryption keys managed separately from the data they protect. Encryption alone is not sufficient, however: it defends against interception and storage compromise, not against a participant that is authorized to decrypt the data and then repurposes it. Every participant should therefore also implement a full suite of security and privacy controls, including least-privilege access, tamper-evident audit logging of who accessed which records and why, and data retention limits, and should undergo independent, third-party audits at least annually using NIST’s defined assessment procedures (such as those in SP 800-53A) to verify that these safeguards are actually enforced rather than merely attested.
Finally, while Section 1557 of the Affordable Care Act already binds many insurers and providers, it does not uniformly cover unaffiliated apps, data brokers, or platform vendors that lack HHS funding. An extension of Section 1557 would result in all private actors in the data-sharing ecosystem being subject to the same anti-discrimination requirements that currently apply to covered entities, whether through direct extension or through equivalent obligations established by CMS for participants in CMS-led initiatives. Under that framework, any use of network data, or inferences drawn from it, by hospitals, insurers, data brokers, analytics firms, or consumer-app developers to set prices, deny coverage, determine eligibility, or otherwise discriminate would be prohibited.
To be sure, digital technology can make our fragmented health care system more patient-centered and open the door to precision medicine. However, convenience should not come at the cost of converting PHI into a data stream ripe for exploitation. Laws and statutes must be reviewed and updated to allow for the intended goals of the CMS-led initiative while ensuring guardrails that protect both patients and providers. A truly modern health record infrastructure must hardwire privacy and equity from the outset so that clinicians can improve care delivery and patients can better manage their health, especially in established programs such as Medicare and Medicaid, where expanded data flows could otherwise deepen barriers to eligibility.
Acknowledgements and disclosures
Amazon, Google, and Meta are general, unrestricted donors to the Brookings Institution. The findings, interpretations, and conclusions posted in this piece are solely those of the authors and are not influenced by any donation.
Commentary
Assessing privacy risks in the White House’s private health tracking system
August 27, 2025