With all the talk about HIPAA and privacy protections, it would not be unreasonable for people to believe that their health information is protected everywhere, all the time. But for all the regulations that now exist to protect patients’ personal health information, there remains a large gap – a gap wide enough for most of your medical history to fall through and out into the public domain.

HIPAA does not apply universally. In fact, the privacy protections created by HIPAA only apply to certain groups of entities: health care providers (doctors, hospitals, etc.), health care clearinghouses (entities that process health information, such as billing services), and health plans (insurance companies), as well as some of the companies they do business with.

Who’s not covered by HIPAA? Private genetic testing companies, such as 23andMe, health “wearables” like FitBit, and countless other apps designed to store health information for consumers. As reported recently in the Washington Post, some of these repositories of health information have been vulnerable to hacks or have been just plain sloppy about protecting the privacy of their customers’ information. And because all of this information – which individuals voluntarily disclosed – is outside the protection of HIPAA, there’s not much the government can do about it.

It’s perhaps ironic that a statute that’s so technology-focused could be undermined by modern technology. New frontiers in medicine and technology will likely lead to new frontiers in privacy regulations, as well – eventually. In the meantime, individuals would be safe to assume that, as with all personal information shared online, the health information stored in our phones and on our wrists is anything but private.