Healthcare Alternative Data: Signal + HIPAA Bounds
Healthcare-related alternative data sits in the tightest regulatory frame of any vertical on the catalog. Claims data is HIPAA-covered the moment it is identifiable and flows through a covered entity or business associate; mobility data that resolves to medical facility visits at the device level now sits under explicit FTC consent-order prohibitions on sensitive-category sale; and even non-HIPAA health data flowing through consumer apps now falls under the FTC Health Breach Notification Rule as expanded in 2024. And yet, operator-grade buyers still extract real signal — claims-adjacent procurement patterns, aggregated mobility-to-care-category analytics, de-identified prescription dynamics, condition-level survey and sentiment — when they treat the compliance frame as the scaffolding, not the obstacle. This piece is the working map: what's available, where the value really is, what HIPAA covers vs bounds, what the 2024 HBNR update changed for non-HIPAA data, and what an operator-grade healthcare alt-data program looks like. For the catalog surface see Healthcare industry hub, Alternative Data for Finance solution, and the companion healthcare data: privacy-safe signals for life sciences and payer analytics.
Key Takeaways
HIPAA covers claims data, EHR data, and any other protected health information (PHI) flowing through covered entities or business associates. It does NOT cover health data collected directly by consumer apps (fitness trackers, period apps, wellness platforms, symptom checkers) unless a covered entity is involved — that's the gap the 2024 FTC Health Breach Notification Rule update closed.
Operator-grade healthcare alt-data signal lives in three lanes: (1) claims-adjacent patterns (procurement, pharmacy, encounter-level patterns de-identified under HIPAA Safe Harbor or Expert Determination); (2) aggregated mobility-to-care-category analytics at the metro or cohort level; (3) de-identified prescription and condition-level sentiment from consented surveys and aggregator panels.
The HIPAA Safe Harbor de-identification method is the working standard for claims-adjacent data — 18 specific identifier categories removed, with statistical-risk attestation available via the Expert Determination method for tighter use cases.
Following the 2024 FTC consent orders (X-Mode, InMarket, Mobilewalla), device-level mobility data that resolves to medical facility visits is an enforcement-shaped third rail. Aggregated mobility-to-care-category signal is usable; device-level resolution to a named clinic is not a product a reputable vendor ships in 2026.
An operator-grade healthcare alt-data program separates consented-survey panels (non-HIPAA, first-party) from de-identified claims-adjacent feeds (HIPAA Safe Harbor) from aggregated mobility signal (aggregate-cohort, no device resolution), with explicit data-use agreements that map each lane to its compliance frame.
Where Healthcare Alt-Data Signal Lives: Three Lanes
The operator-grade healthcare alt-data map has three lanes — each with a distinct data source, a distinct compliance frame, and a distinct set of valid use cases. Conflating the lanes is the most common procurement mistake in the category, and the one that produces the most regulatory exposure. The three:
Claims-adjacent patterns, de-identified under HIPAA Safe Harbor. Procurement-rate patterns, pharmacy-refill timing, encounter-level category mixes, and provider-level volume patterns — all sourced through HIPAA-covered entities or business associates, all de-identified per the Safe Harbor 18-identifier rule or the Expert Determination method. The signal is high-specificity for life-sciences procurement analytics, payer-mix analysis, and drug-class market sizing.
Aggregated mobility-to-care-category analytics. Metro-level or cohort-level visitation patterns mapped to care-category venue types (not named clinics) from carrier panels or SDK-consented mobility data that has passed sensitive-category scrubbing. The signal resolves trends like "urgent-care utilization rose 12% in DMA X between Q3 and Q4" without ever resolving to a device visiting a named facility. Useful for life-sciences market analytics, public-health trend-tracking, and retail-pharmacy site selection at the trade-area level.
Consented-survey and sentiment panels. First-party consented panels of patients and caregivers with explicit enrollment and ongoing consent, resolving to condition-level sentiment, treatment-satisfaction scores, unmet-need classification, and prescription-switching intent. Non-HIPAA because the data never flows through a covered entity; governed instead by the panel's own consent framework and (post-2024) the FTC HBNR rule where applicable.
A buyer sourcing across all three lanes gets a compound view — claims-adjacent tells you what got prescribed and procured, mobility aggregates tell you where utilization is shifting at the population level, and survey panels tell you what patients report about adherence, side-effects, and switching intent. Any one lane alone is partial; the stack is where the analytics work gets done. For the life-sciences and payer framing see healthcare data: privacy-safe signals for life sciences and payer analytics.
What HIPAA Actually Covers — And What It Doesn't
The common procurement mistake is treating HIPAA as a broad "all health data" regulation. It isn't. The HIPAA Privacy Rule applies to protected health information (PHI) held by, or flowing through, covered entities (health plans, health care providers, health care clearinghouses) and their business associates. It does not apply to health data collected directly by consumer-facing apps that are not affiliated with a covered entity — fitness trackers, wellness platforms, symptom-checker apps, period-tracker apps, most nutrition apps. That gap is the core of why the FTC expanded the HBNR rule in 2024, and it is also the gap where much of the non-HIPAA health data in the alternative-data ecosystem lives. The operational implications for a healthcare alt-data buyer in 2026:
If the data originates from a covered entity or business associate (claims, EHR extracts, encounter records), it is HIPAA-covered and must be de-identified under Safe Harbor or Expert Determination before it can be procured or resold as alternative data. Data-Use Agreements must reflect that chain.
If the data originates from a direct consumer-facing app or consumer device not affiliated with a covered entity (fitness tracker, symptom checker, wellness survey), it is not HIPAA-covered — but as of 2024 it typically falls under the FTC HBNR for breach notification and under a widening set of state privacy laws for consent and sale restriction.
If the data is a mobility feed that shows devices visiting medical facilities at the device level, it is neither HIPAA-covered (the carrier or SDK is not a covered entity) nor safe to license after the 2024 FTC consent orders. This is the hardest frame in the category, and most vendors now scrub these visits from their feeds by default.
If the data is aggregated to metro-level or cohort-level care-category analytics with no device-level or person-level resolution, it falls outside HIPAA, outside HBNR (no individually identifiable health information), and outside the FTC sensitive-category consent-order scope. This is the bulk of the operator-grade mobility-to-healthcare analytics market.
The buyer's diligence question to ask of every feed is: what compliance frame applies to the origin of this data, and does the de-identification or aggregation step in the vendor's pipeline move it to a frame where my intended use case is allowed? Treat the question as mandatory for every SKU, not something answered at the vendor level.
The FTC HBNR 2024 Update: Non-HIPAA Health Data Got Rules
The most important 2024 development for non-HIPAA health data is the FTC's finalization of its expanded Health Breach Notification Rule. The original HBNR from 2009 applied narrowly to vendors of personal health records and PHR-related entities. The 2024 expansion clarified that the rule covers a much broader class of apps and services that access or use consumer health information — including health apps not affiliated with covered entities, wellness platforms, direct-to-consumer genetic testing, and fitness and mental-health services. The expanded rule requires breach notification to affected consumers and the FTC within defined windows, and it defines a breach to include unauthorized disclosures — including unauthorized sale or sharing of identifiable health data to third parties. For alt-data buyers sourcing through consumer-facing health apps, the HBNR update is the governing rule for breach risk and it creates clear FTC-enforcement exposure for weak-consent data pipelines. A compliant 2026 procurement motion requires the vendor to affirmatively document that its data-source apps or services have HBNR-compliant privacy policies and consent flows, and that the sale or sharing of the data for alt-data use is covered by the consent language shown to the end user at collection. For the post-FTC-orders diligence overview see data brokers post-FTC consent orders: procurement diligence in 2026.
Mobility Aggregated Is the Line; Device-Level Is Not
Mobility-to-healthcare analytics is operator-grade in 2026 — but only at the aggregate level. The three FTC consent orders reshaped what device-level location data can be sold for in this category, and the top-tier mobility vendors all now apply sensitive-category scrubbing to visit data involving medical facilities, reproductive-health clinics, and similar venues. The usable signal is metro-level or cohort-level aggregate — urgent-care utilization rates by DMA, retail-clinic visitation trends across a trade area, pharmacy-category foot traffic mapped to retail-category proxies. The unusable signal is any device-level trace that resolves a named person to a named clinic visit; that is both an FTC-order third rail and, in practice, no longer a product that reputable mobility vendors sell. The 2026 geo-panel audit captures the broader panel-math context. For the solutions frame see Alternative Data for Finance and the device graph decay companion on identity-resolution freshness math — short version: healthcare alt-data programs should be built on aggregated-cohort analytics as the primary mobility lane, not on device-level identity resolution.
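The aggregation step that moves a mobility feed from the device-level frame to the usable aggregate frame is worth seeing as code. The block below is an added example, not the catalog's or any vendor's pipeline: it takes constructed device-level visit rows (already mapped by the vendor to a DMA and a care category rather than a named venue), rolls them up to DMA-by-care-category-by-quarter counts, suppresses any cell whose device cohort is smaller than an assumed threshold (MIN_COHORT, a parameter this page does not specify), computes the kind of quarter-over-quarter utilization change the article describes, and verifies that no device or venue identifier survives into the output.

```python
"""Aggregate device-level care-category visits into metro-level cohort counts.

Added example; not the catalog's own code. Assumptions: rows already carry a
DMA and a care category (vendor-side sensitive-category mapping), and
MIN_COHORT is an assumed small-cell suppression threshold.
"""
from collections import defaultdict
from datetime import date, timedelta

MIN_COHORT = 50  # assumed: minimum distinct devices before a cell is reported


def _make_visits(dma, category, quarter_start, n_devices, n_visits):
    """Constructed sample rows: n_visits spread across n_devices within one quarter."""
    rows = []
    for i in range(n_visits):
        rows.append({
            "device_id": f"{dma}-{category}-{i % n_devices:03d}",  # constructed id
            "dma": dma,
            "care_category": category,
            "venue_name": "Example Clinic (constructed)",  # must not reach output
            "visit_date": quarter_start + timedelta(days=i % 80),
        })
    return rows


# Constructed sample feed: urgent care rises 100 -> 112 visits in DMA-501,
# plus one tiny reproductive-health cell that must be suppressed.
SAMPLE_VISITS = (
    _make_visits("DMA-501", "urgent_care", date(2025, 7, 1), 60, 100)
    + _make_visits("DMA-501", "urgent_care", date(2025, 10, 1), 60, 112)
    + _make_visits("DMA-502", "reproductive_health", date(2025, 10, 1), 3, 5)
)


def quarter_of(d):
    """Calendar quarter label, e.g. 2025Q4."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def aggregate_care_visits(rows, min_cohort=MIN_COHORT):
    """Return ({(dma, category, quarter): {"visits", "devices"}}, [suppressed keys]).

    Device ids are used only to count cohort size and are dropped from the output.
    """
    cells = defaultdict(lambda: {"visits": 0, "devices": set()})
    for r in rows:
        key = (r["dma"], r["care_category"], quarter_of(r["visit_date"]))
        cells[key]["visits"] += 1
        cells[key]["devices"].add(r["device_id"])
    out, suppressed = {}, []
    for key, c in cells.items():
        if len(c["devices"]) < min_cohort:
            suppressed.append(key)  # small cell: withhold entirely
            continue
        out[key] = {"visits": c["visits"], "devices": len(c["devices"])}
    return out, suppressed


def utilization_change(agg, dma, category, q_from, q_to):
    """Percent change in visits between two quarters, or None if either cell is missing/suppressed."""
    a, b = agg.get((dma, category, q_from)), agg.get((dma, category, q_to))
    if a is None or b is None or a["visits"] == 0:
        return None
    return round(100.0 * (b["visits"] - a["visits"]) / a["visits"], 1)


def no_device_resolution(agg):
    """Contract check: no output row carries device, venue, or coordinate fields."""
    forbidden = {"device_id", "venue_name", "lat", "lon"}
    return all(not (forbidden & set(row)) for row in agg.values())


if __name__ == "__main__":
    agg, dropped = aggregate_care_visits(SAMPLE_VISITS)
    print(agg)
    print("suppressed:", dropped)
    print("urgent care change:", utilization_change(agg, "DMA-501", "urgent_care", "2025Q3", "2025Q4"))
    print("device resolution absent:", no_device_resolution(agg))
```

The suppression threshold is the part buyers should ask vendors to document: the aggregate frame only holds if small cells (a handful of devices visiting one care category in one metro) are withheld rather than reported, since a cell of three devices is a short step from a person.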
Building a Compliant Healthcare Alt-Data Program
An operator-grade healthcare alt-data program in 2026 looks like a three-lane stack with clear compliance documentation on each lane.
Lane one: claims-adjacent de-identified feeds (Safe Harbor or Expert Determination documented; Data-Use Agreement captures the flow from covered entity through business associate through de-identification).
Lane two: aggregated mobility-to-care-category analytics (vendor documents sensitive-category scrubbing; contract explicitly forbids device-level or identified-individual visit resolution).
Lane three: consented-survey and sentiment panels (panel consent framework documented; HBNR-compliance attestation for consumer-app sources).
Cross-lane analytics happen at the aggregate or cohort level, with joins governed by the narrowest compliance frame across the joined tables. Clean-room or secure-computation infrastructure handles the cases where richer joins are needed without cross-contaminating the compliance frames. Life-sciences, payer, and investor buyers who build this way get the signal — procurement dynamics, utilization trends, patient sentiment — without carrying inherited exposure from mis-framed SKUs. For the catalog surface see Healthcare industry hub, Alternative Data for Finance, MAID Feed, and Global Mobility & Location Data; for the broader compliance program see FCRA vs non-FCRA lead data as the parallel non-healthcare compliance-lane discussion.
Frequently Asked Questions
Is all healthcare data HIPAA-covered?
No — HIPAA covers protected health information (PHI) held by or flowing through covered entities (health plans, providers, clearinghouses) and their business associates. It does not cover health-related data collected directly by consumer-facing apps (fitness trackers, period apps, symptom checkers, wellness platforms) when no covered entity is involved. That gap is what the 2024 FTC Health Breach Notification Rule update addressed, and it is also where most consumer-sourced alternative-data signal lives.
Can I license device-level mobility data for medical facility visits?
Not safely, and typically not from reputable vendors in 2026. The FTC X-Mode and Mobilewalla consent orders explicitly prohibited the sale of sensitive-category location data including visits to medical facilities and similar venues, and the major mobility vendors now apply sensitive-category scrubbing by default. Aggregated mobility-to-care-category analytics (metro or cohort level, no device resolution) remain usable and useful.
What de-identification standard applies to claims-adjacent data?
The HIPAA Safe Harbor method (removal of 18 specific identifier categories) or the Expert Determination method (documented statistical risk assessment by a qualified expert) — both defined in the HIPAA Privacy Rule. Safe Harbor is the working standard for most claims-adjacent alt-data feeds because it is deterministic and auditable; Expert Determination is used for tighter re-identification risk attestation on richer datasets where Safe Harbor would over-strip useful structure.
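The Safe Harbor method referenced here and in the claims-adjacent lane above is deterministic enough to implement directly, which is also why it is auditable. The block below is an added example, not the catalog's or any vendor's de-identification code, and the field names in its constructed claim record are assumptions. It strips the direct-identifier categories, reduces dates to year, caps ages at 90+ (dropping year of birth when it would reveal an age over 89), truncates ZIP codes to three digits and zeroes those whose ZIP3 area is under 20,000 people (the authoritative set comes from census data; a constructed stand-in is used here), and then scans the remaining string fields for identifier patterns, because free-text notes are where identifiers most often survive a field-level strip.

```python
"""HIPAA Safe Harbor de-identification of a claims-adjacent record, plus a leak check.

Added example; not the catalog's own code. Field names and the sample record
are constructed; SMALL_ZIP3 is a stand-in for the census-derived list.
"""
import re
from datetime import date

# Safe Harbor categories removed outright: names, contact details, account and
# record numbers, device/vehicle identifiers, URLs, IPs, biometrics, photos.
DIRECT_IDENTIFIER_FIELDS = {
    "patient_name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial", "url",
    "ip_address", "biometric", "photo",
}
# Geographic subdivisions smaller than a state are removed; ZIP is handled separately.
GEO_FIELDS_SMALLER_THAN_STATE = {"street", "city", "county"}
# Dates directly related to the individual keep only the year.
DATE_FIELDS = {"dob", "service_date", "admit_date", "discharge_date"}
# Constructed stand-in: ZIP3 prefixes covering <= 20,000 people must be reported as 000.
SMALL_ZIP3 = {"036", "059"}

SAMPLE_CLAIM = {  # constructed sample record, not real data
    "patient_name": "Jane Example", "dob": date(1931, 5, 20), "ssn": "123-45-6789",
    "email": "jane@example.com", "street": "1 Main St", "city": "Exampleville",
    "state": "NY", "zip": "03601", "mrn": "MRN-0001",
    "service_date": date(2025, 9, 14), "cpt_code": "99213",
    "ndc": "00002-3227-30", "payer_type": "commercial",
    "notes": "Follow-up; call 555-123-4567 to confirm refill.",
}


def _age_on(dob, today):
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def deidentify_safe_harbor(record, small_zip3=SMALL_ZIP3, today=None):
    """Return a new dict with Safe Harbor identifier categories removed or generalized."""
    today = today or date.today()
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or field in GEO_FIELDS_SMALLER_THAN_STATE:
            continue
        if field in DATE_FIELDS:
            out[field + "_year"] = value.year if isinstance(value, date) else None
            continue
        if field == "zip":
            z3 = str(value)[:3]
            out["zip3"] = "000" if z3 in small_zip3 else z3
            continue
        out[field] = value
    dob = record.get("dob")
    if isinstance(dob, date):
        age = _age_on(dob, today)
        if age >= 90:
            out["age"] = "90+"          # ages over 89 are aggregated
            out.pop("dob_year", None)   # birth year would reveal the age
        else:
            out["age"] = age
    return out


# Patterns that indicate an identifier survived in free text (a leak check, not a proof).
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def residual_identifiers(record):
    """List (field, pattern_name) for every identifier pattern found in string values."""
    hits = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for name, pat in IDENTIFIER_PATTERNS.items():
            if pat.search(value):
                hits.append((field, name))
    return hits


if __name__ == "__main__":
    cleaned = deidentify_safe_harbor(SAMPLE_CLAIM, today=date(2026, 1, 15))
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```

The point of the second pass is the one Safe Harbor's eighteenth category ("any other unique identifying number, characteristic, or code") makes explicit: a field-level strip is necessary but not sufficient, and a vendor's attestation should cover how free-text columns are either dropped or scanned before the feed is released.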
What did the FTC HBNR 2024 update change for alt-data buyers?
It clarified that a much broader class of health apps, wellness platforms, direct-to-consumer genetic testing services, and fitness and mental-health apps are subject to the Health Breach Notification Rule, including breach notification to affected consumers and the FTC within defined windows. For alt-data buyers that means: any SKU sourcing from consumer-facing health apps must come with vendor attestation that the source app's privacy policy and consent flow cover the alt-data use case, and that the vendor's own handling of the data is HBNR-compliant. The 2024 update turned what used to be a narrow rule into a genuine enforcement surface on the consumer-app end of the alt-data pipeline.