Health data – including health used for non-health-related purposes – is not regulated by a single national privacy framework. HIPAA is the primary federal law governing the use and disclosure of protected health information, but HIPAA covers an increasingly smaller slice of the health data pie. Other federal laws may apply, both to data regulated by HIPAA and to data outside of HIPAA’s framework, and states have their own sets of often-more-restrictive laws. In short, the current legal landscape is a patchwork of laws, sometimes overlapping (and at times conflicting), with numerous gaps in comprehensive protections.