TheMurrow

That $299 ‘Wellness’ Lab Kit Might Not Be Protected by HIPAA—Here’s the Paper Trail That Can Follow You Into Insurance and Employment

Direct-to-consumer lab testing can feel like private healthcare—until you realize HIPAA only covers specific actors. Outside that chain, your results may be governed by FTC enforcement, state laws, and whatever you clicked “agree” to.

By TheMurrow Editorial
April 17, 2026

Key Points

1. Know the trigger: HIPAA protects data only when covered entities or their business associates are involved in the testing pathway.
2. Assume a patchwork: outside HIPAA, protections come from FTC enforcement, state privacy statutes, and whatever the privacy policy permits.
3. Read the fine print: privacy policies and consent screens can allow broad sharing, shaping downstream risks in ads, insurance, and employment.

A small box arrives on your doorstep. Inside: a lancet, a vial, a prepaid envelope, and a promise. For $299, a “wellness” lab kit will tell you what your body is doing—hormones, inflammation markers, nutrient levels—without the waiting rooms, the insurance paperwork, or the awkward conversations.

For many people, that convenience feels like progress. It also feels private, almost by default. Health data, after all, is “protected,” right?

Not necessarily. A large portion of direct-to-consumer wellness testing lives in a regulatory gap most customers never see. It’s a gap created not by negligence, but by a simple legal fact: HIPAA is not a universal health-privacy law. It’s a specific set of rules that applies to specific actors.

“HIPAA is not a force field around anything that looks like health data.”

— TheMurrow Editorial

That distinction—who you bought the test from, and under what relationship—can determine whether your results are governed by HIPAA’s well-known privacy rule, or by something far looser: a patchwork of FTC enforcement, state privacy statutes, and whatever the company’s privacy policy says you agreed to.

HIPAA’s real boundary: who it covers (and who it doesn’t)

HIPAA’s privacy protections feel broad because they are culturally dominant. People hear “medical privacy” and think “HIPAA.” The law itself is narrower.

The Department of Health and Human Services (HHS) is explicit: HIPAA applies to “covered entities” and their “business associates.” Covered entities fall into three categories: health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with certain standardized transactions—often billing and claims-related transactions. HHS lays this out in its guidance on business associates and covered entities.

That definition matters because many direct-to-consumer wellness kits are built to avoid the insurance system entirely. Consumers pay out of pocket. The test may not run through a physician’s office that bills insurance. The company might operate more like a retailer and data platform than a traditional provider.

Covered entities vs. “wellness” companies

A company selling a test directly to consumers may not be a covered entity. It also may not be a business associate. HIPAA obligations don’t attach just because the product involves health.

HHS defines business associates as vendors or partners who handle protected health information (PHI) on behalf of a covered entity—think claims processing, billing, data analysis, or cloud storage of electronic PHI for a hospital system. That relationship generally requires a written business associate agreement (BAA), according to HHS.

If there is no covered entity on the other end—no insurer, no physician practice transmitting information for standardized transactions—there may be no HIPAA relationship at all.

“If no covered entity is in the loop, HIPAA may never enter the room.”

— TheMurrow Editorial

The FTC’s plain-language warning

The Federal Trade Commission makes the same conceptual point in its guidance for mobile health apps: HIPAA “likely wouldn’t apply” to consumer health information in an app not offered by a HIPAA covered entity or its business associate, even if the information originally came from a covered entity. The principle translates cleanly to many consumer lab and wellness products.

None of this means the company is free to do anything. It means the protections are not the ones most consumers assume—and that difference shapes everything from data sharing to breach notifications.

Why the $299 kit can fall outside HIPAA

The modern “wellness lab” market is defined by its pitch: bypass the medical gatekeepers. That pitch can be empowering. It also can remove the transaction that triggers HIPAA coverage.

A common scenario looks like this:

- A consumer purchases a wellness kit directly, paying cash.
- No health plan is involved.
- No physician order flows through a covered provider that bills insurance.
- A consumer-facing company processes the results and offers dashboards, recommendations, and sometimes coaching.

In that model, the company may not be a covered entity. It may not be acting “on behalf of” a covered entity. Without that covered-entity chain, HIPAA’s privacy rule likely does not apply to the company’s handling of the data.

“Not protected by HIPAA” isn’t “no protection”

Readers deserve the nuance. Outside HIPAA does not mean a lawless zone. It means your protections likely come from:

- FTC enforcement (unfair or deceptive practices; certain breach notification obligations)
- State privacy laws (especially newer “consumer health data” statutes)
- Contract law (privacy policies, terms of service, consent screens)
- Sector-specific laws that can apply in narrower circumstances (for example, workplace-related rules; discrimination-related guardrails)

The practical consequence is unsettling in a specific way: instead of a uniform federal health privacy regime, consumers face a mosaic that varies by business model and state. Two people can take the same test, from the same brand, and face different protections depending on where they live and how the service is structured.

“Your privacy rights may depend less on your blood sample than on your billing pathway.”

— TheMurrow Editorial

The FTC: the backstop when HIPAA doesn’t apply

When consumers discover a wellness product isn’t covered by HIPAA, the next question is obvious: who’s watching the store?

For many non-HIPAA health products, the answer is the Federal Trade Commission. The FTC’s power is different from HIPAA’s. The agency generally focuses on whether a company’s conduct is unfair or deceptive, and whether it follows certain rules tied to health-data breaches.

The FTC’s Health Breach Notification Rule (and its 2024 update)

One of the clearest FTC tools for non-HIPAA health data is the Health Breach Notification Rule (HBNR). The Rule applies to certain entities not covered by HIPAA—vendors of personal health records and related entities—and requires breach notification to individuals, the FTC, and sometimes the media after a breach of unsecured identifiable health information, as described by the FTC.

In April 2024, the FTC highlighted amendments that, in the agency’s telling, underscore the Rule’s application to many health apps and similar technologies. The FTC emphasized expectations around breach-notice timing and content.

That matters because many wellness companies are not only test sellers. They are also app companies—dashboards, longitudinal trackers, “health scores,” and integrated recommendations. The more a product looks like a consumer health record, the more the HBNR becomes relevant.

GoodRx as a cautionary case

The FTC’s February 2023 enforcement action against GoodRx offers a narrative analog, even though it is not a lab-kit story. The FTC alleged GoodRx shared users’ sensitive health information with advertising platforms and also alleged misrepresentations about HIPAA compliance.

The larger lesson is not that every wellness brand behaves badly. The lesson is structural: a company can sit outside HIPAA and still be punished if it misleads consumers or engages in unfair practices. FTC enforcement can function as a backstop, but it is not a full replacement for HIPAA’s detailed healthcare privacy framework.

State laws are getting serious about “consumer health data”

Federal law often sets the tone, but states increasingly define the rules for health-adjacent consumer data. The trend line is clear: legislators are writing statutes that treat health data collected outside HIPAA as especially sensitive.

Washington’s My Health My Data Act: a new center of gravity

Washington state has emerged as a bellwether with the My Health My Data Act (MHMDA)—frequently described as one of the strongest state consumer health data laws.

The Washington Attorney General’s office notes key dates:

- The law was passed April 17, 2023, and signed April 27, 2023.
- Section 10 took effect July 23, 2023.
- Most obligations took effect for non-small businesses March 31, 2024.
- Small businesses followed June 30, 2024.

Enforcement is also notable. The AG explains that a violation is a per se violation of Washington’s Consumer Protection Act and can be enforced both by the AG and through private action.

For consumers, the implication is direct: a wellness company that is not governed by HIPAA might still face meaningful constraints if it operates in Washington or collects data from Washington residents, depending on how the law applies to its conduct.

- $299: The out-of-pocket price point that often signals a direct-to-consumer pathway, one that may bypass the HIPAA-triggering insurance and billing ecosystem.
- April 17, 2023: The Washington AG notes MHMDA was passed on this date, marking a new state-level focus on consumer health data outside HIPAA.
- March 31, 2024: The Washington AG notes most MHMDA obligations took effect for many non-small businesses on this date.
- June 30, 2024: The Washington AG notes small-business compliance obligations followed on this date.

California’s complex privacy picture

California’s privacy regime—CCPA/CPRA—adds another layer. Summaries often emphasize that PHI handled by HIPAA covered entities and business associates is generally exempt. “Medical information” under California’s CMIA can also be treated differently. Yet health-related data outside HIPAA/CMIA can still fall under California’s consumer privacy rules, depending on the business and the data.

The takeaway is not a simple “California covers it.” The takeaway is that outside HIPAA does not mean outside law, especially in states that treat health-related consumer data as uniquely sensitive.

The privacy policy becomes the rulebook (whether you like it or not)

When a service sits outside HIPAA, your relationship with it starts to look less like “patient and provider” and more like “consumer and company.” In practice, that shifts power toward documents most people never read: privacy policies, terms of service, and consent screens.

A privacy policy can function as a set of promises about:

- what data is collected
- how it is used (analytics, personalization, research)
- whether it is shared with third parties (including advertising partners)
- how long it is retained
- what rights you have to access or delete it (if any)

Those promises matter because outside HIPAA, contract terms and consumer protection law often become the primary levers. If a company says it does not share identifiable health data and then does, that mismatch can trigger FTC scrutiny for deception. But if a company says it will share data in broad terms—and you click “agree”—the legal terrain changes.

The consent problem: “agree” isn’t understanding

The ethical tension is obvious. Health data feels different from shopping data. People may treat a wellness kit as a private medical act even when the company treats the transaction as consumer data collection.

That mismatch creates risk. Not only risk of breach, but risk of “perfectly legal” secondary uses that customers never expected.

A fair counterpoint exists: companies will argue that consent is consent, that policies are disclosed, and that data sharing can fund lower-cost services or product improvement. Some will also argue that consumer testing expands access and autonomy. Those claims can be true. The problem is the asymmetry: the average buyer cannot realistically evaluate the downstream consequences of sharing sensitive health data across ad-tech and analytics ecosystems.

Key Insight

Outside HIPAA, the practical “privacy law” is often a mix of (1) what the company promises in writing and (2) what regulators can enforce after the fact.

What consumers can do now: practical privacy triage

Consumers do not need to become privacy lawyers to make smarter choices. They do need to approach wellness labs with the right mental model: not “my doctor,” but “a company that may or may not be bound by HIPAA.”

A checklist before you buy

Before you buy, look for clear answers to a few basic questions:

- Is the service explicitly offered through a HIPAA covered entity, or is it direct-to-consumer?
- Does the company claim HIPAA compliance? If yes, how: is it a covered entity, or is it working with one? (The FTC’s GoodRx case shows HIPAA claims can become an enforcement issue if misleading.)
- Does the privacy policy describe sharing with advertisers or “marketing partners”?
- Does the company discuss breach notification? If the FTC’s Health Breach Notification Rule applies, obligations can be significant.
- What state laws might apply to you? Washington’s MHMDA is a prominent example of states treating consumer health data as a special category.

A reality check about “de-identified” data

Many companies emphasize de-identification. The sources reviewed for this article do not define de-identification standards in this context, so readers should resist assuming de-identified always means risk-free. The safer interpretation is modest: de-identification can reduce risk, but it does not magically erase sensitivity, especially when health data can be unique, longitudinal, and linkable.

The strongest consumer posture is to assume your health data may have a long life beyond your test results unless you see strict limits in writing.

Editor’s Note

The article’s point is structural, not accusatory: the same health-adjacent product can be governed by very different rules depending on who’s in the transaction chain.

The industry’s case: access, autonomy, and the limits of old rules

Any serious discussion should acknowledge why these kits exist and why people love them. The pitch is not inherently cynical.

Direct-to-consumer testing can offer:

- convenience and speed
- access for people without easy healthcare entry points
- longitudinal self-tracking that traditional care may not prioritize
- a sense of control over one’s body and choices

Companies will also argue that HIPAA was designed for a mid-1990s healthcare billing ecosystem, not a world of consumer apps and at-home diagnostics. They may say innovation would slow if every wellness tool were regulated like a hospital.

That perspective deserves respect. Yet the policy tension remains: consumer-grade health data can be as sensitive as clinical data, and the harms of misuse—stigma, embarrassment, discrimination fears—do not require a hospital setting.

Washington’s MHMDA and the FTC’s stepped-up attention to health apps suggest regulators see the same mismatch. The rules are starting to catch up, but unevenly.

What the “HIPAA gap” really means for your next test

The most practical way to think about the HIPAA gap is not as a scandal but as a sorting mechanism.

If your testing flows through a system that looks like healthcare—insurance, covered providers, standard transactions—HIPAA likely governs. If your testing flows through a system that looks like consumer tech—apps, subscriptions, cash-pay dashboards—HIPAA may not.

That distinction matters because HIPAA is a known quantity: it sets expectations about permitted uses and disclosures, patient rights, and compliance obligations. Outside HIPAA, protections tend to be:

- reactive rather than proactive (punishing deception after the fact)
- state-dependent (Washington today; other states evolving)
- contract-dependent (what you clicked “agree” to)

Wellness testing is not going away. If anything, the market will keep expanding. The better question for consumers is not whether to participate, but how to participate with open eyes—and how loudly to demand clearer protections that match the sensitivity of the data being collected.

“The most intimate data many people will ever generate is increasingly collected under the rules of ordinary commerce.”

— TheMurrow Editorial
About the Author
TheMurrow Editorial is a writer for TheMurrow covering lifestyle.

Frequently Asked Questions

Are at-home wellness lab kits protected by HIPAA?

Sometimes, but many are not. HIPAA applies to covered entities (health plans, clearinghouses, and certain healthcare providers) and their business associates. If you buy a kit directly from a consumer company with no insurer and no covered provider involved, HIPAA may not apply to that company’s handling of your results.

If HIPAA doesn’t apply, is my health data unprotected?

Not unprotected—just protected differently. Outside HIPAA, oversight can come from FTC enforcement (unfair or deceptive practices), the FTC Health Breach Notification Rule for certain entities, state privacy laws like Washington’s My Health My Data Act, and the company’s own privacy policy promises.

What is the FTC Health Breach Notification Rule?

The FTC’s Health Breach Notification Rule applies to certain non-HIPAA entities such as vendors of personal health records and related entities. It can require notification to individuals, the FTC, and sometimes the media after a breach of unsecured identifiable health information. The FTC highlighted updates to the Rule in April 2024.

Why does Washington’s My Health My Data Act matter?

Washington’s MHMDA is one of the most prominent state laws aimed at consumer health data. The Washington AG notes it was passed April 17, 2023, signed April 27, 2023, with major compliance obligations effective March 31, 2024 for many non-small businesses and June 30, 2024 for small businesses. Violations can be enforced under the state’s Consumer Protection Act.

What should I look for in a wellness company’s privacy policy?

Focus on whether the company shares health data with third parties (including advertising partners), what it says about breach notification, how long it retains data, and what choices you have. Outside HIPAA, the policy and consent terms often become the main rulebook, with the FTC stepping in when companies misrepresent their practices.

Can a company say it’s “HIPAA compliant” even if it’s not covered by HIPAA?

Companies can market compliance in ways that confuse consumers, and that can create legal risk. The FTC’s GoodRx case (February 2023) included allegations that the company misrepresented HIPAA compliance alongside allegations about sharing sensitive health data with advertising platforms; misleading HIPAA claims can be treated as deceptive.
