Non-HIPAA Apps Accessing Clinical Records

Brendan Keeler, Senior PM at Zus Health, on building infrastructure for digital health

Interview excerpt: "there's wellness apps, things that fall outside of HIPAA that are not covered entities"

The key point is that a growing slice of consumer health now sits outside HIPAA yet still has real access to clinical data. That creates a new lane between medical providers and pure fitness apps. A Peloton-style app may only track workouts, while a personal health record or biomarker app can now pull records through patient-authorized APIs and turn that data into recurring consumer software, without becoming a hospital system or an insurer.

  • HIPAA mainly governs covered entities such as providers and insurers, plus their business associates. Once a patient directs a provider to send data to an app that is neither, that app is generally outside HIPAA. It is not unregulated, though: it may instead fall under FTC rules for consumer health apps and personal health records, notably the Health Breach Notification Rule.
  • That regulatory shift matters because it changes what these apps can actually do. Instead of asking users to type in medications or upload PDFs, they can connect to provider records through FHIR-based APIs and assemble labs, diagnoses, medications, and visit history into a consumer product.
  • The hard part is monetization. Utility-driven wellness products like Function Health sell a clear repeat purchase ($499 per year for recurring testing, plus upsells), while standalone record lockers have historically struggled because storing data is less valuable than helping users act on it.

This category is heading toward action-oriented consumer health products that use clinical data as an input rather than as the product itself. The winners are likely to pair record access with a concrete job, such as testing, glucose tracking, coaching, or care navigation, and turn newly portable health data into a habit instead of a file cabinet.