
HIPAA compliance in wearable devices


Wearable devices like fitness trackers and consumer health apps aren’t automatically covered by HIPAA, and their makers aren’t required to follow HIPAA rules just because they collect health-related data. HIPAA only steps in when a healthcare provider, health plan, or one of their business associates actually receives, uses, or stores that data. 

Once wearable data flows into a clinical setting, whether it’s sent to a doctor, synced to an EHR, or processed by a vendor working on behalf of a provider, it becomes protected health information, and all HIPAA privacy and security requirements apply. Suppose a wearable company takes on the role of a business associate by handling that data for a covered entity. In that case, it must follow HIPAA safeguards and sign a Business Associate Agreement.

The larger problem is that most wearable data never enters the healthcare system. As the authors note in an NPJ Digital Medicine study, “The widespread adoption of consumer wearable devices has enabled continuous biometric data collection at an unprecedented scale, raising important questions about data privacy, security, and user rights.” 

They found that privacy protections across 17 major manufacturers vary dramatically, with High Risk ratings most common for transparency reporting (76%) and vulnerability disclosure (65%), and that companies like Xiaomi, Wyze, and Huawei had the highest cumulative risk scores. Another observation explains why HIPAA fails to reach most wearable data: “Despite regulatory frameworks designed to protect consumers, the commercial ecosystem surrounding wearable devices continues to pose substantial privacy risks.”


When wearable data becomes protected health information

Wearable data becomes PHI only when it can be tied to a specific person and is actually used for healthcare. If a doctor relies on information from a patient’s smartwatch, or if a remote monitoring program pulls sensor data into a clinical system, that data becomes part of the patient’s health record and must be protected under HIPAA. The same applies when a wearable company handles that information on behalf of a provider—once they step into the role of a business associate, they must follow HIPAA’s rules for security, privacy, encryption, access controls, and breach notification.

The challenge is that most wearable data never enters a clinical setting. Many devices feed information into third-party apps, cloud platforms, or analytics tools that aren’t covered by HIPAA at all. Wearable data sits in ecosystems governed only by long, confusing privacy policies that most users never read. 

These policies often allow broad data sharing, leaving people exposed to risks they don’t fully understand. That’s why researchers in the above study argue that “inconsistencies in data governance across the industry…underscore the need for stronger, sector-specific privacy standards.” Wearables create nonstop streams of intimate biometric information, and the traditional HIPAA framework wasn’t built to regulate data that lives outside the healthcare system.


The legislative changes around wearables 

Senator Bill Cassidy’s Health Information Privacy Reform Act directly addresses the confusion around what wearable data is, and isn’t, protected by HIPAA. The bill makes something clear that most people don’t realize: HIPAA does not cover most data generated by wearables, because it usually stays inside consumer apps and tech platforms rather than entering the healthcare system.

Senator Cassidy’s proposal would require wearable companies to be upfront about this. Users would need to be told clearly, before they start using the device, that their health and biometric data might not have the same legal protections as information shared with a doctor or hospital.

The goal is to stop letting people assume they’re protected when they’re not. Right now, wearable manufacturers can collect heart rate trends, sleep patterns, activity levels, stress indicators, and even location-linked health insights under lengthy privacy policies that few people read or fully understand. Once users agree, companies often have wide discretion to share or monetize that data in ways consumers might never expect.


Best practices for HIPAA compliant wearable devices

  1. User authentication: This may include PIN codes, biometric authentication (such as fingerprint or iris scanning), or secure pairing with authorized devices.
  2. Secure data storage on the device: Use secure storage mechanisms and encryption techniques to safeguard data in case of device loss or theft.
  3. Secure data transmission: Establish secure communication channels between the wearable device and healthcare systems, such as secure Wi-Fi, SSL/TLS, or virtual private networks (VPNs). 
  4. Device security and anti-tampering measures: This may include secure boot processes, device integrity checks, firmware updates with digital signatures, and mechanisms to detect and respond to potential security breaches.
  5. Access controls and user permissions: Implement access controls on the wearable device to ensure that only authorized users can access and view PHI. 
  6. Data minimization: Avoid unnecessary data collection to reduce the risk of exposure or unauthorized access.
  7. Secure data synchronization: If the wearable device synchronizes data with external systems or apps, ensure that the synchronization process is secure and compliant with HIPAA requirements. 

Wearable devices and third-party apps accessing data

Many wearable companies share user data with third parties, advertisers, analytics firms, cloud providers, and in some cases even government agencies, under privacy policies that are long, complicated, and easy to ignore. Most users click agree without realizing how much access they’ve just granted or how widely their information can travel. 

One study, Ethical considerations for the use of consumer wearables in health research, shows just how common this is, noting that 97% of people agree to privacy policies that should take around 30 minutes to read in as little as 51 seconds. In reality, people often have no idea who ends up with their heart rate trends, sleep patterns, or location-linked health information, or why those parties are receiving it.

A major concern is how little visibility users have into government or private data requests. As the study bluntly states, “data collected…is often sent to the company as part of the data collection/analysis process and may be used for a multitude of different purposes, including selling this data to third-party vendors or marketing companies.”

There’s no single, strong rulebook governing all of this. HIPAA only applies when the data flows into the healthcare system, which means the vast majority of wearable data, collected daily through apps and cloud platforms, sits outside those protections. For everything else, users are mostly relying on the promises companies make in their privacy policies, and those promises vary wildly.


FAQs

Do wearable companies sell aggregated or anonymized data?

Frequently. Anonymized data is often shared with advertisers, analytics firms, and health research partners, but anonymization is not foolproof. Activity patterns, routes, or rare biometric features can make you identifiable again.


Can police or government agencies request my wearable data?

Yes. Some companies comply with legal requests, subpoenas, or warrants. Users are not always notified.
