AI Health Bots Are Collecting Your Data — Here’s How to Check Their Privacy Promises

The past year has seen a surge in AI-powered health chatbots and wellness tools. From apps that check your symptoms to bots that offer mental health support, these services promise convenience and personalized advice. But experts are growing concerned that the privacy policies behind these tools are often vague, buried in legalese, or missing key details about how user data is handled.

A recent article in Healthcare Brew highlighted the problem: many health bot companies provide unclear or incomplete privacy disclosures, and federal regulations have not kept pace. For the average user, that means the health information you share—symptoms, habits, even biometric data—could be used in ways you never expected.

What Happened

In June 2026, Healthcare Brew reported that privacy researchers and consumer advocates are calling out AI health bot companies for obscuring their data practices. While some apps claim to follow industry standards, experts found that policies often fail to explain:

  • Whether the data is shared with third parties for advertising or research.
  • How long the data is retained.
  • Whether users can delete their information.
  • What happens to data if the company is acquired.

The article noted that many of these tools operate outside the reach of HIPAA, the U.S. health privacy law. HIPAA applies only to covered entities like doctors and insurers. A standalone chatbot developed by a tech startup may not qualify, leaving your data protected only by the app’s own terms.

Why It Matters

When you type “I’ve been feeling chest pain” or “my sleep has been terrible” into a chatbot, you’re handing over sensitive health details. Companies can aggregate this data to train their models, sell insights to pharmaceutical firms, or target you with ads. Unlike a doctor’s office, which must follow strict rules about confidentiality, many AI health bots are subject to little more than their own privacy policy—and those policies are often designed to give the company maximum flexibility.

Even if a chatbot claims to anonymize data, research has shown that re-identification is often possible. The risk is not hypothetical: past incidents have revealed how health apps leaked or sold user data without clear consent. As the Healthcare Brew piece points out, the speed of AI adoption is outpacing the Federal Trade Commission’s ability to write or enforce rules, though the FTC has taken action against a few companies for deceptive data practices.

What Readers Can Do

You do not have to avoid AI health tools entirely, but there are concrete steps you can take to protect your privacy before you start typing.

1. Read the privacy policy before you sign up.
Yes, it is tedious. But focus on these sections: “Information We Collect,” “How We Use Your Information,” and “Data Sharing.” Look for clear language about whether your data is sold or shared with third parties. If the policy is full of phrases like “we may share data with partners” or “for business purposes,” consider that a red flag.

2. Check if the app has a HIPAA business associate agreement.
If the tool is offered by a healthcare provider or integrated with a clinic, it may be covered by HIPAA. Most consumer-only bots are not. The absence of HIPAA coverage does not automatically mean the app is unsafe, but it means you have fewer legal protections.

3. Limit what you share.
Only provide information that is necessary for the function you want. Avoid entering identifying details like full name, address, or date of birth unless required. Some apps let you use a pseudonym.

4. Use the app’s account controls.
Look for settings that let you delete your data or prevent it from being used for research or advertising. Not all apps offer these controls, but if yours does, use them. If it doesn't, that's another red flag.

5. Consider using a separate device or browser.
For particularly sensitive queries, you can use a device with less tracking, or access the tool through a private browsing window. This does not stop the chatbot itself from collecting data, but it reduces cross-site tracking.

6. Stay informed about regulatory changes.
The FTC and some state legislatures are working on more comprehensive rules. Following consumer protection news can help you spot new risks and rights.

Current Regulatory Landscape

Right now, no single U.S. federal law specifically governs AI health bots. The FTC can sue companies for deceptive practices under Section 5 of the FTC Act, but that is reactive. A few states, like California and Washington, have broader privacy laws (CCPA, My Health My Data Act) that may cover some health data. But coverage depends on the company’s size and where you live. The Healthcare Brew piece highlights that experts are calling for clearer federal guidelines, though none have been enacted as of mid-2026.

Sources

  • Healthcare Brew (2026). “Experts call out obscure privacy policies for AI health bots, limited federal rules.”
  • FTC guidance on health apps. “Mobile Health Apps: Interactive Tool.” Federal Trade Commission.
  • State privacy laws: California Consumer Privacy Act (CCPA), Washington My Health My Data Act.