Privacy Regulations Affecting Insurance Health Technology: Overview
An overview of privacy regulations affecting insurance health technology, from HIPAA and GLBA to state health data laws, biometric consent rules, and NAIC privacy reforms.

Privacy regulations affecting insurance health technology no longer sit in a single legal bucket. For carriers using digital health screening, contactless vitals, external data vendors, or algorithmic underwriting tools, privacy obligations now come from overlapping regimes: HIPAA in some workflows, GLBA across core insurance operations, state consumer privacy statutes, biometric laws, and newer health-data statutes that reach well beyond traditional medical records. For chief medical officers, reinsurance medical directors, and compliance teams, the real challenge is not identifying one controlling rule. It is understanding which rule applies to which data flow, and when those rules collide.
"The Rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization." — U.S. Department of Health and Human Services, Summary of the HIPAA Rules
Privacy regulations affecting insurance health technology: the operating map
The easiest mistake in insurance health technology is assuming HIPAA covers everything. It doesn't. The U.S. Department of Health and Human Services makes clear that HIPAA applies to covered entities and business associates, not to every insurer workflow that touches health-related data. In practice, insurance health technology programs usually sit inside a wider framework:
- HIPAA governs protected health information in covered healthcare contexts
- GLBA governs nonpublic personal information held by financial institutions, including insurers
- NAIC privacy models shape state insurance privacy expectations
- State consumer privacy statutes add disclosure, access, deletion, and opt-out rights
- Biometric and consumer health data laws create separate consent standards for newer digital tools
That stack matters because the same blood pressure estimate, face scan, or screening result may be treated differently depending on how it was collected, who collected it, and whether it is being used for underwriting, servicing, fraud review, or vendor analytics.
| Regulatory layer | What it usually covers | Why insurance teams care |
|---|---|---|
| HIPAA | Protected health information in covered healthcare settings | Relevant when carriers interface with provider, plan, or business-associate workflows |
| GLBA | Consumer financial and insurance information | Baseline privacy notice, safeguarding, and data-sharing duties for insurers |
| NAIC model privacy rules | State insurance privacy expectations | Drives insurer-specific governance, disclosures, and regulator scrutiny |
| State privacy statutes | Consumer rights over personal data | Adds access, deletion, correction, and sensitive-data obligations |
| State health and biometric laws | Consumer health data, biometric identifiers, facial data | Raises the bar for consent, sale restrictions, and vendor oversight |
Where insurers are feeling the pressure now
Three pressure points show up again and again in digital underwriting reviews.
First, regulators are widening the definition of health data. Washington's My Health My Data Act was written broadly enough to reach data that falls outside HIPAA. Agent-search results on the statute note that most provisions took effect in 2024, require opt-in consent for collection and sharing, and give consumers deletion rights that extend to archived systems. For insurers evaluating face-based screening, symptom check tools, or condition inferences, that broader definition changes the risk profile fast.
Second, insurers are running into exemption complexity. Many state privacy laws contain HIPAA or GLBA exemptions, but those exemptions are not identical from state to state. Some are entity-based. Some are data-based. That means a carrier cannot safely assume that a GLBA program wipes away every state-law obligation tied to health-tech features.
Third, vendor relationships are becoming privacy-control points. The NAIC Privacy Protections Working Group is revising Model 672 because the older framework no longer fits modern data-sharing patterns. Agent-search results on the NAIC process show the revised draft is focused on consent, third-party contractual obligations, notification, and limits on disclosure and sale. That is exactly where underwriting technology programs tend to sprawl.
The main privacy questions compliance teams have to answer
A workable privacy program for insurance health technology starts with a short list of direct questions:
- What exact data elements are being collected?
- Is each element health data, biometric data, financial data, or all three?
- Which entity collected it: provider, insurer, vendor, or applicant directly?
- What legal basis supports collection and sharing?
- Which states' laws apply based on the consumer's location?
- How long must the data be retained for insurance recordkeeping?
- What happens when a deletion request conflicts with a retention duty?
Those questions sound basic. They aren't. In many underwriting programs, the same applicant journey crosses a website session, a camera capture, a vendor model, an underwriting rules engine, and a reinsurance workflow. If privacy classification happens only at intake, the rest of the chain stays under-governed.
Consent is becoming more granular
This is especially true for biometric and health-adjacent data. Washington's law requires separate consent logic for collection and sharing. Several other state laws taking effect across 2025 and 2026 are expanding sensitive-data requirements as well, according to the IAPP's U.S. State Privacy Legislation Tracker. For carriers, that means the old model of one broad privacy notice and one checkbox is getting harder to defend.
Deletion rights do not erase recordkeeping duties
Insurance teams also have to deal with regulatory conflict. Privacy laws may offer deletion rights on a 30- to 90-day clock, while insurance rules may expect retention of underwriting records for years. In practice, many compliance teams are moving toward a segregate-and-restrict model: retain what must be retained, but lock it down from secondary use, analytics reuse, or vendor redistribution.
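To make the segregate-and-restrict model concrete, here is an added Python sketch (not code from the original page or from any carrier's system) that treats a deletion request as a conflict check against a retention duty and keeps collection consent and sharing consent as separate flags, in the spirit of the separate consent logic described in the previous section. The retention periods, data element names and helper functions are constructed assumptions, not statutory values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention duties in years per record purpose (an assumption, not a statutory table).
RETENTION_YEARS = {"underwriting_evidence": 7, "session_analytics": 0}
SENSITIVE = {"health", "biometric"}

@dataclass
class DataElement:
    name: str
    categories: frozenset          # e.g. {"health", "biometric"}; drives the consent requirement
    purpose: str                   # record purpose that determines the retention duty
    collected_on: date
    consent_collect: bool = False  # opt-in consent for collection, tracked separately
    consent_share: bool = False    # opt-in consent for onward sharing, tracked separately
    restricted: bool = False       # locked from secondary use, analytics reuse, vendor redistribution
    deleted: bool = False

def may_collect(el: DataElement) -> bool:
    """Health or biometric elements need their own collection consent; other data does not."""
    return el.consent_collect or not (el.categories & SENSITIVE)

def may_share_with_vendor(el: DataElement) -> bool:
    """Sharing needs its own consent, and the element must be neither restricted nor deleted."""
    return el.consent_share and not el.restricted and not el.deleted

def handle_deletion_request(el: DataElement, today: date, audit: list) -> str:
    """Segregate-and-restrict: delete once no retention duty remains; otherwise keep the
    record but lock it down, revoke onward sharing, and log what happened and why."""
    if el.deleted:
        return "already_deleted"
    expiry = el.collected_on + timedelta(days=365 * RETENTION_YEARS[el.purpose])
    if today >= expiry:
        el.deleted = True
        audit.append((el.name, "deleted", today.isoformat()))
        return "deleted"
    el.restricted, el.consent_share = True, False
    audit.append((el.name, "restricted_until", expiry.isoformat()))
    return "restricted"

def run_demo() -> dict:
    """Constructed walk-through: deletion requests against a face-scan BP estimate (7-year duty) and session metadata (none)."""
    audit, when = [], date(2025, 1, 15)
    scan = DataElement("face_scan_bp", frozenset(SENSITIVE), "underwriting_evidence", date(2024, 3, 1), True, True)
    session = DataElement("device_metadata", frozenset({"device"}), "session_analytics", date(2024, 3, 1))
    unconsented = DataElement("symptom_inference", frozenset({"health"}), "session_analytics", date(2024, 3, 1))
    return {"scan_now": handle_deletion_request(scan, when, audit), "scan_shareable": may_share_with_vendor(scan),
            "scan_after_duty": handle_deletion_request(scan, date(2031, 6, 1), audit),
            "session": handle_deletion_request(session, when, audit),
            "may_collect_unconsented": may_collect(unconsented), "audit_events": len(audit)}
```

The audit list is what answers the examiner's questions of who saw the data, why, and whether the use matched the disclosed purpose; a production system would persist it rather than hold it in memory.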
Industry applications in insurance health technology
Applicant-facing digital screening
Applicant self-service screening tools create privacy exposure early. They often collect face imagery, inferred health signals, device metadata, and identity data in one session. Those flows need clear consumer notices, a tight purpose statement, and contractual limits on any model vendor touching the data.
Reinsurance and medical review
When digital underwriting files move to reinsurance or medical directors, privacy obligations move with them. Access controls, permitted-use language, and logging matter more here than broad policy statements. Regulators tend to ask who saw the data, why they saw it, and whether that use matched the disclosed purpose.
Algorithmic model governance
Privacy and model governance are now connected. If a carrier cannot explain where a model's input data came from, which consents applied, or how long those inputs were retained, privacy review becomes inseparable from fairness and examination readiness.
Current research and evidence
Recent academic work helps explain why this issue keeps expanding. Hemang Subramanian, Arijit Sengupta, and Yilin Xu of Florida International University wrote in the Journal of Medical Internet Research in 2024 that hacking and IT incidents remain the breach category with the largest impact on affected individuals in healthcare data environments. Their argument is useful for insurers because it shifts the discussion from paperwork compliance to system design: if health records and screening data remain centralized, high-value breach targets, privacy law alone will not reduce risk without better architecture.
Andrew Kweku Conduah of the University of Professional Studies, Accra, together with Sebastian Ofoe of the University of Ghana and Dorothy Siaw-Marfo of UPSA, argued in a 2024 review of global healthcare privacy frameworks that regulatory fragmentation remains one of the hardest barriers to effective data protection. That finding maps neatly onto insurance health technology, where the problem is rarely a total absence of rules. It is too many partially overlapping rules.
Government guidance points in the same direction. HHS still anchors the baseline with HIPAA's privacy, security, breach notification, and enforcement rules. But NAIC is updating insurer-specific privacy models because older insurance regulations were built for more static data exchanges. And state legislatures are pushing beyond both frameworks when health-related data is collected from apps, websites, and consumer devices outside traditional care delivery.
The future of privacy regulations affecting insurance health technology
The next phase will probably look less like one major federal overhaul and more like steady expansion at the state and insurance-regulator level.
A few trends are already visible:
- More state laws will treat health-related inferences as protected data, even when HIPAA does not apply
- Consent requirements will become more specific for biometric and sensitive data uses
- Vendor oversight will move from procurement language into active compliance monitoring
- NAIC-driven insurance privacy reforms will push carriers toward more detailed disclosure and contracting standards
- Examiners will expect privacy governance that maps directly to underwriting workflows, not generic enterprise policy binders
That last point matters most. A privacy program built for general corporate data will not satisfy questions about face scans, underwriting evidence, algorithmic inputs, or health-related inferences. Insurance health technology now needs workflow-level privacy governance.
Frequently asked questions
Does HIPAA cover all insurance health technology data?
No. HIPAA covers protected health information in covered-entity and business-associate contexts. Many insurer-operated screening or underwriting workflows may also be shaped by GLBA, state privacy statutes, biometric laws, and newer consumer health data laws.
Why are state health data laws important for insurers?
Because some of them define health data more broadly than HIPAA. A consumer-facing screening journey may create obligations even if the data never enters a traditional provider record.
How should carriers handle deletion requests when insurance rules require retention?
Most carriers treat this as a conflict-management issue rather than a pure deletion issue. Data that must be retained for underwriting or examination purposes is usually segregated, access-restricted, and blocked from secondary use.
What should insurers review first in a health-tech privacy audit?
Start with the data map: what is collected, where it flows, which vendors touch it, what consents apply, and which states' rules attach to the consumer. Without that map, policy review stays abstract.
For more on adjacent compliance questions, see What Is Data Governance? Framework for Insurance Health Data and NAIC Guidelines and Digital Health Screening: What Carriers Should Know.
Privacy rules are getting more detailed because insurance health technology is getting more ambitious. The carriers that handle that shift best will not be the ones with the longest privacy notice. They will be the ones with cleaner data maps, tighter vendor controls, and underwriting workflows built to show regulators exactly how health data is collected, used, retained, and restricted. Teams evaluating privacy-first infrastructure for digital underwriting can learn more at circadify.com/industries/payers-insurance?utm_source=tryvitalscheck&utm_medium=microsite&utm_campaign=privacy-regulations-insurance-health-technology.
