Good question. HIPAA applies to covered entities (insurers, hospitals) and their business associates. We're neither - users are entering their information anonymously to do plan comparison. That said, we treat the data very carefully - we don't sell it, don't share it, and enrollment (where PII is collected) is on Healthcare.gov.