HIPAA does apply to anything, including the Internet. The Devil is in the details...
In round one most of the companies on the edge of healthcare (health magazines, tech businesses surveying people about their needs before referring them to providers, meditation apps, even some scheduling apps) would claim (still claim) that either the data is not PHI at all or that they anonymize everything and send no PHI (name, SSN, diagnosis, etc.).
Then in round two the Office of Civil Rights at HHS (USA) came out with guidance calling bullshit on that -- labeling 3rd party tracking cookies, IP addresses, etc. as potentially PHI. We all know darn well that any data aggregator worth their salt collects data from multiple websites and then combines it in a unified database in which they can piece together identity even if no PHI is provided to them from the health/medical sources. A simple example -- health site A tells Google that I am looking at info on depression and my IP address. Also gives them a tracking cookie in my browser. Then I log into Gmail (so they have my name and email address and phone number and same IP address) and I mention feeling depressed to a friend in email. Then a televideo service screws up and sends Google "anonymous" data (such as IP address and tracking cookie) that I am logging into the specific telehealth portal of a therapist. Odds are pretty good that if Google wants to, they have an AI that knows with a high degree of certainty that I have depression and what therapist I am seeing.
In round 3, I recently read where some of those more aggressive protections that the Office of Civil Rights was pushing were struck down in court. I apologize, but I don't have the link or details handy. One of my healthcare infosec bots posted the article a few weeks ago.