§What HIPAA Privacy Rule requires
Source: 45 CFR Part 164 Subpart E — Standards for Privacy of Individually Identifiable Health Information — accessed 2026-05-11.
Jurisdiction. Applies to U.S. Covered Entities (health plans, healthcare clearinghouses, and most healthcare providers) and their Business Associates. Effective date for the original Privacy Rule: 14 April 2003.
Personal data definition. Protected Health Information (PHI) is individually identifiable health information held or transmitted by a covered entity or business associate. The Safe Harbor de-identification method at 45 CFR §164.514(b)(2) lists 18 categories of identifiers that must be removed for information to be considered de-identified, including names, geographic subdivisions smaller than a state, dates more specific than year, telephone and fax numbers, email addresses, social security numbers, medical record numbers, account numbers, web URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number, characteristic, or code.
Key requirements relevant to mobile analytics. The Privacy Rule governs how PHI may be used and disclosed: permitted uses for treatment, payment, and operations; required notices to individuals; rights of access, amendment, and accounting of disclosures; and the minimum necessary principle (45 CFR §164.502(b)), which limits use and disclosure of PHI to the minimum necessary to accomplish the intended purpose. A Business Associate Agreement (BAA) is required where PHI flows to a vendor.
⚑Where mobile analytics typically creates exposure for telehealth apps
A mobile app that handles PHI — for example a telehealth app, a covered-entity patient portal, or a digital health platform that has signed BAAs — has to ensure that PHI does not flow into any analytics pipeline that lacks the contractual protections HIPAA requires. The challenge with conventional analytics SDKs is that they accept free-form event parameters: a developer can unintentionally log symptom, medication_name, diagnosis_code, heart_rate, or appointment_type alongside a persistent user identifier — and that combination is PHI by definition.
Telehealth apps routinely process appointment metadata, symptom descriptions, diagnosis codes, medication names, vitals (heart rate, blood pressure, glucose), and prescription details. Each of these becomes individually identifiable health information when it is paired with a user identifier in an analytics event.
Health-related data is treated as a special category under most privacy regimes — GDPR Art. 9, CPRA sensitive personal information, and PHI under HIPAA. A single event like appointment_booked with parameters { specialty: 'oncology', user_id: '...' } is structurally health data tied to an identifier.
▸What Respectlytics's design does (technical facts)
Respectlytics's API stores exactly five fields per event: event_name, session_id (rotates every two hours, RAM-only), timestamp, platform, and country. Health-category fields are rejected at the API with a 400. A telehealth app can use Respectlytics to track product signals (appointment_booked_paid, prescription_renewal_attempted) at the session level — the actual clinical content stays in the EHR or telehealth platform where it belongs.
Reduces the surface. Removing the surface where the categories covered by the HIPAA Privacy Rule could be collected in the first place narrows the scope of a HIPAA Privacy Rule review. Whether the resulting posture meets the regulation's requirements for your specific app is something to discuss with your legal team.
❓Frequently asked questions
Does HIPAA apply to my mobile app?
HIPAA's Privacy and Security Rules apply to covered entities and business associates as defined at 45 CFR §160.103. A direct-to-consumer wellness app that is not operating on behalf of a covered entity is often outside HIPAA's scope but may still be subject to FTC Act §5 and state law. Consult your legal team to determine your status.
Is de-identified data still PHI?
No — the Privacy Rule does not restrict use or disclosure of de-identified information. The Safe Harbor method at §164.514(b)(2) is one of two paths to de-identification and lists 18 specific identifiers that must be removed.
Does using Respectlytics by itself resolve HIPAA Privacy Rule obligations for our telehealth app?
No — and no analytics SDK can credibly answer that question. Whether your product meets HIPAA Privacy Rule's requirements is a property of your whole product, contracts, and operational practice, evaluated by your legal team. Respectlytics's contribution is a smaller data surface: identifying fields and the regulation's special categories are rejected at the API. Whether that posture, combined with your other controls, satisfies HIPAA Privacy Rule for your specific app is a conversation for your counsel.
What if we already use a different analytics SDK today?
The starting point is an inventory of what your current SDK actually collects and where it sends it. Our privacy self-assessment worksheet walks through that in seven sections — it outputs an educational summary you can bring to your legal team.