Data, Privacy & Operations for Employers: What HIPAA Covers—and What It Doesn’t
- Andres Jimenez
- Oct 13
- 2 min read

“Employees increasingly use wellness apps and consumer AI tools that live outside HIPAA. That means sensitive health signals—lab results, trackers, mental-health notes—can be mixed with browsing and location data, profiled, and resold. Clinics like ours are covered entities bound by HIPAA and business associate agreements; many wellness platforms are not. Employers don’t need to be privacy theorists—they need vendors who treat PHI as sacred and can prove it.” Dr. Andres Jimenez, Board-Certified in Public Health & Prevention, and Clinical Informatics. Founder & CEO of HealthPrevent360
Privacy is now an operational risk. Many popular wellness apps, trackers, and consumer platforms gather “health-adjacent” data that isn’t protected by HIPAA because the companies aren’t covered entities. That creates exposure for employees and, indirectly, for employers who promote those tools without clear safeguards.
What leaders should know (and ask)
- HIPAA has boundaries. It governs covered entities (clinics, plans) and their business associates, not most consumer apps or AI tools. Expect gaps. (Source: JAMA Network)
- Data sharing is routine. A BMJ analysis found 79% of sampled medicine-related apps shared user data, often with multiple third parties and even “fourth parties.” (Source: PubMed)
- Blending data increases risk. Health signals combined with marketing, geolocation, or social data can enable re-identification and profiling.
- Consent ≠ control. Long, shifting privacy policies make it hard for employees to understand where their data flows.
- Operationalize privacy. Ask vendors to evidence HIPAA alignment (where applicable), data minimization, encryption, access controls, and audit logs.
As noted above, the BMJ traffic and network analysis documented widespread sharing: 19 of 24 (79%) medicine-related apps transmitted user data to 55 entities, with onward sharing to additional “fourth parties,” highlighting opaque and extensive data flows. (Source: PubMed)
Bottom line: Treat privacy like safety. Choose solutions where HIPAA applies, PHI stays inside protected systems, and models are deployed in environments where data does not leave covered infrastructure.
How HP360 supports secure, low-lift operations
We operate as a clinic: consent-driven, HIPAA-bound, and designed for minimal IT lift.
- PHI confined to HIPAA-compliant systems and BAAs
- Generative AI deployed in protected environments, with no external training on your data
- Employee consent, least-necessary access, and auditability
- PCP-aligned summaries; no data brokering
- Clear employer dashboards without exposing individual PHI
About Dr. Jimenez
Board-certified physician and triple Ivy League–trained innovator leading the nation’s first prevention-only clinic. Dr. Jimenez has built physician-led technology adopted by 3,000+ hospitals and clinics, guided companies through acquisition and IPO, and serves as Assistant Clinical Professor (Environmental & Public Health) at Mount Sinai School of Medicine in NY. At HealthPrevent360, he applies clinical informatics and prevention science to help individuals anticipate risk, prevent disease, and detect it early. The clinic’s prevention engine has analyzed hundreds of thousands of clinical pages and supports thousands of patients.
