White House Health Data Tracking System: What Patients and Providers Need to Know
Background
On July 30, 2025, the Trump administration announced a plan to launch a new “private health tracking system” in partnership with more than 60 major health and technology companies. Picture Apple, Google, Amazon, CVS and United Health all working together with the Centers for Medicare & Medicaid Services (CMS) to create a “patient-centric digital health ecosystem.”[1] What does this mean for patients and providers as well as for the legal landscape?
What’s Being Proposed
The idea is to make health data easier to share and use among appropriate parties. Patients could opt in to connect their medical records, insurance claims and even data from apps or wearables into a single, secure system. Stated goals include less paperwork; easier access to patient records; the ability to manage chronic conditions, like diabetes and obesity; and enabling digital check-ins, medication reminders, and AI health assistants. CMS has set out voluntary criteria for companies that want to be a part of these CMS-aligned networks. If all proceeds as planned, the first wave of this system could be live by early 2026.
The potential benefits for patients include better access to records from multiple providers; apps that combine data from your fitness tracker, lab results, and prescriptions; and easier access to insurance information and provider directories.
Benefits for providers include a more robust picture of a patient’s health; better tools for managing chronic conditions; less time on administrative paperwork; and stronger patient engagement through digital tools.
Legal and Privacy Questions
Lawyers, providers, and patients need to be aware of specific concerns.
· Privacy Risks: The Health Insurance Portability and Accountability Act (HIPAA) covers traditional insurers and providers, but many apps and wearables are not necessarily covered by HIPAA. That means sensitive health-adjacent data could fall outside HIPAA protections. In other words, sensitive medical information may be exposed to larger pools of entities, including private tech firms that may not be subject to the same regulations as healthcare providers under HIPAA.[2]
· Consent: Although the proposed system is touted as opt-in, the specific details on how patients opt in (and later revoke consent) are unclear. Providers will also choose whether to participate. We don’t know yet how easy it will be to opt out; whether patients can restrict certain data from being shared; and what happens with shared data once consent is withdrawn.
· Secondary uses of data: Will patient data be used for advertising, analytics or research? That depends on how the contracts and policies are written. There is potential for unexpected uses.[3]
· Patchwork of laws: State privacy laws (California, Washington and others) may apply differently depending on where patients live. This could present some thorny issues.
Implications for Providers
If you are a health care provider or health system, the following risks should be considered:
· Liability: Ensuring patient consent is properly obtained; ensuring that data shared into the system is accurate and secure. Providers may be held responsible for breaches if business associates or tech partners are involved.
· Compliance Challenges: A large number of entities becoming involved means more complex vendor agreements. Ensure that non-covered entities (such as apps or fitness trackers) do not violate patients’ expectations or legal rights.
· Technology/infrastructure costs: Ensuring providers meet interoperability criteria, implement secure digital identity credentials and align EHRs or systems.
· Uncertainty: The legal and regulatory framework is still evolving. Providers may be exposed to state privacy laws and consumer data protection statutes in addition to HIPAA.[4]
Providers should also prepare to: (1) audit vendors and partners – especially apps and tech platforms that fall outside of HIPAA; (2) update consent forms and policies to be clear and transparent; (3) watch the evolving patchwork of state and federal rules; and (4) prepare for patients to ask questions about how their data is used. There are several legal changes in the coming months that could reshape how this system works. For instance, there are proposed changes to HIPAA’s security rules and privacy rules; a proposed federal law, the American Privacy Rights Act, that would apply to many companies that are not subject to HIPAA and would strengthen consumer privacy rights; and the expansion of state protections.
Considerations for Women’s Health
In a post-Roe v. Wade context, reproductive health deserves special attention. Because the system may combine medical records, insurance claims and app-based data (like fertility or menstrual tracking), there is a risk that sensitive reproductive health information could circulate beyond traditional HIPAA protections. In states with abortion restrictions, questions remain about whether this data could be subpoenaed or accessed for enforcement purposes.
Federal legislation such as the My Body, My Data Act [5] aims to strengthen privacy protections for reproductive information, and states like California and Washington have already taken steps in this direction. But, until stronger safeguards are in place, patients and providers should be cautious. Patients need to be aware of whether their reproductive data is being shared before opting in, and providers should update consent forms to explain how this information may be handled.
While the system may promise convenience, reproductive health data requires an extra layer of scrutiny to ensure that sensitive information is not misused or weaponized in the wake of Dobbs.
The Bottom Line
While this initiative could transform the way patients and providers interact with health data, there are also serious legal, privacy and compliance challenges. Patients should be cautious and informed before opting in, and providers need to prepare for new compliance obligations and patient questions.
[1] CMS, White House, Tech Leaders Commit to Create Patient-Centric Healthcare Ecosystem (July 30, 2025).
[2] The Guardian, Trump Administration Launching Health Tracking System with Big Tech’s Help (July 30, 2025).
[3] For instance, tech companies with access to health information may target people with ads or sell patient data. See Pratika Katiyar, Rewire News Group, Big Tech is Coming for your Health Data. Here’s How to Protect Your Information (September 23, 2025).
[4] For more information about the use of online tracking technologies and the implications of HIPAA, the Office for Civil Rights at the U.S. Department of Health and Human Services issued a Bulletin to highlight the obligations of HIPAA covered entities when using online tracking technologies.
[5] For complete text of the proposed bill, see Senate Bill 1656. Proposed in 2023, it was recently reintroduced by U.S. Senators Mazie K. Hirono (D-HI), Ron Wyden (D-OR), and Representative Sara Jacobs (D-CA). Press Release, Senator Mazie Hirono, Hirono, Wyden, Jacobs, Reintroduce Bill to Protect Reproductive and Sexual Health Data (June 13, 2025).

