Does HIPAA Protect All Medical Information? PHI Coverage vs. Gaps in Apps, Wearables, and Employer Records
Short answer: no. HIPAA protects Protected Health Information (PHI) when it is handled by specific regulated organizations, but large amounts of health-related data fall outside its scope. This guide explains where HIPAA applies, where it does not—especially across consumer health apps, wearables, and employer records—and how state laws and the FTC’s Health Breach Notification Rule help fill the gaps.
Use this overview to understand the boundaries of HIPAA, reduce privacy risk, and strengthen data privacy compliance. This is informational content, not legal advice.
HIPAA Coverage Scope
What HIPAA actually protects
HIPAA safeguards PHI—individually identifiable health information such as diagnoses, medications, test results, and billing details—when that information is created, received, maintained, or transmitted by regulated parties. PHI can be in any form: paper, electronic, audio, or visual.
Who must comply
Only specific organizations are regulated: Covered Entities (health care providers, health plans, and health care clearinghouses) and their Business Associates (vendors that create, receive, maintain, or transmit PHI on their behalf). Business Associates must sign Business Associate Agreements (BAAs) and implement required security and privacy safeguards.
When data becomes PHI—and when it does not
Data is PHI if it relates to health, care, or payment and is linked to an identifiable person, but only when held by a Covered Entity or its Business Associate. The same data held by a consumer app that is not acting for a Covered Entity is typically not PHI. Properly de-identified data under HIPAA standards is not PHI.
Common gray areas
- A provider’s patient portal, remote monitoring tool, or telehealth platform operating under a BAA handles PHI.
- A standalone wellness or fitness app you download directly, without a provider relationship, generally does not handle PHI—even if it tracks heart rate or menstrual cycles.
- If a provider instructs you to use a specific app and the vendor signs a BAA, data in that app is usually PHI.
Health Apps and Wearables Exclusions
Direct-to-consumer apps
Most consumer health apps collect sensitive metrics—sleep, steps, symptoms, or mood—but they often operate outside HIPAA unless they are acting on behalf of a Covered Entity. Their data handling is governed by their privacy policies, state privacy laws, and, in some cases, the FTC’s Health Breach Notification Rule.
When an app can be inside HIPAA
If your clinician or health plan supplies an app (or requires one) and the app vendor signs a BAA, the app’s data typically becomes PHI. Integrations that pull data directly from an electronic health record or transmit readings into a provider’s system often indicate HIPAA coverage.
Wearables and device data
Wearables generally sit outside HIPAA when used personally. If a provider program enrolls you in a remote patient monitoring workflow and the device vendor is a Business Associate, the same measurements can become PHI. Coverage hinges on who controls the data flow and for whom the vendor acts.
Practical tips
- Ask whether the vendor signs a BAA; this is a strong signal of HIPAA applicability.
- Review permissions and sharing settings; limit background location and advertising identifiers.
- Do not assume “anonymized” equals safe—reidentification is possible when datasets are combined.
Employer Records Limitations
HIPAA’s boundary at work
HIPAA generally does not apply to employer-held records like sick notes, medical leave documentation, drug test results, or wellness program data managed by HR. HIPAA may apply to the employer’s group health plan, which is a Covered Entity, but not to the employer in its role as an employer.
Where problems arise
- Workplace wellness apps and screenings administered by the employer (not the health plan) are typically outside HIPAA.
- Data moving from a health plan to HR typically requires employee authorization and must be limited to the minimum necessary.
- Other laws (e.g., disability and leave laws) can restrict employer handling of medical information even when HIPAA does not.
Employee takeaways
- Ask who is collecting your data—the group health plan or your employer.
- Request written privacy notices for wellness or screening programs.
- Share only what is necessary; keep personal health logs separate from workplace systems.
State Health Data Laws
California’s Confidentiality of Medical Information Act
The Confidentiality of Medical Information Act (CMIA) provides strong protections for medical information about California residents. It can cover providers, health plans, and certain contractors, and in some contexts it has been interpreted to reach medical information beyond HIPAA’s definitions, imposing obligations around both disclosure and safeguarding.
Washington’s My Health My Data Act
The My Health My Data Act (MHMD) broadly regulates “consumer health data” held by many types of organizations, not just health care providers. It generally requires clear consent for collection and sharing, grants rights to access and delete, restricts geofencing around health care locations, and imposes robust security and transparency duties.
Why state laws matter
States increasingly treat health data as sensitive personal information, imposing consent, minimization, and deletion requirements even outside HIPAA. If your product processes health signals or inferences, you may need state-level compliance programs in addition to federal obligations.
FTC Health Breach Notification Rule
Who is covered
The Health Breach Notification Rule applies to vendors of personal health records (PHRs) and PHR-related entities that are not covered by HIPAA. It often captures health apps and wearable platforms that collect identifiable health data from users or connect to multiple data sources.
What counts as a breach
A breach includes unauthorized acquisition of unsecured, identifiable health information—and can include certain unauthorized disclosures to third parties, such as adtech or analytics partners, when users did not consent. Security incidents and inappropriate sharing practices can both trigger obligations.
Key obligations
Entities subject to the rule (not HIPAA Covered Entities, but the PHR vendors and related entities described above) must notify affected individuals and the FTC and, in some cases, the media, within specified timeframes. Effective compliance requires incident response plans that evaluate both cybersecurity events and privacy misconfigurations that could expose health data.
Why it fills HIPAA’s gaps
For health apps and wearables outside HIPAA, the Health Breach Notification Rule establishes consequences for mishandling sensitive data and promotes transparency when misuse or breaches occur.
Consumer Awareness of HIPAA
Myths vs. facts
- Myth: HIPAA protects all health-related data. Fact: It protects PHI held by Covered Entities and Business Associates.
- Myth: Any app with health features is under HIPAA. Fact: Most direct-to-consumer apps are outside HIPAA unless they act for a Covered Entity under a BAA.
- Myth: HIPAA bans all sharing. Fact: HIPAA permits certain uses and disclosures (e.g., treatment, payment, operations) and respects patient rights.
How to tell if HIPAA applies
- Identify the data holder: provider/plan (likely HIPAA) vs. consumer app or employer (likely not).
- Look for a Notice of Privacy Practices (HIPAA) vs. a standard privacy policy (non-HIPAA).
- Ask whether the vendor is a Business Associate and will sign a BAA.
Practical protections
- Limit sharing to what you truly need; turn off cross-app tracking and unnecessary permissions.
- Use portals and apps offered by your provider or plan when you want PHI protections to apply.
- Periodically delete data you no longer need, and review connected apps and devices.
Data Sharing and Privacy Risks
Risk hotspots
Modern health data flows through clouds, SDKs, APIs, and data brokers. Location trails near clinics, symptom searches, and device IDs can reveal sensitive inferences. Even de-identified datasets may be linkable when combined with other signals.
If you’re an individual: reduce exposure
- Prefer apps that minimize data collection and clearly explain sharing.
- Opt out of personalized ads and analytics where possible; reset advertising IDs.
- Be cautious connecting apps to email, calendars, or social media accounts.
- Use device-level privacy controls and strong authentication for health portals.
If you’re an organization: build data privacy compliance
- Map data flows to determine when information is PHI and when other laws apply.
- Use BAAs, least-privilege access, encryption in transit and at rest, and strong key management.
- Limit third-party SDKs; vet vendors for privacy-by-design and breach response readiness.
- Honor consent, minimization, and deletion; maintain clear, accurate privacy notices.
- Conduct risk assessments for both security incidents and inadvertent data disclosures.
Conclusion
HIPAA protects PHI within the clinical and health plan ecosystem, but much of today’s health-related data—especially from apps, wearables, and employer programs—sits outside its umbrella. State laws and the FTC’s Health Breach Notification Rule help close gaps, yet responsibility ultimately rests with how you choose tools, configure sharing, and implement trustworthy privacy practices.
FAQs
What types of medical information does HIPAA protect?
HIPAA protects Protected Health Information (PHI)—identifiable health, care, or payment information—when it is created or handled by Covered Entities (providers, health plans, clearinghouses) or their Business Associates. The same data outside that ecosystem may not be PHI.
Are health app and wearable data covered by HIPAA?
Usually not. Most consumer apps and wearables are outside HIPAA unless they operate on behalf of a Covered Entity under a Business Associate Agreement. If your provider supplies or requires the app and the vendor signs a BAA, the data is more likely to be PHI.
Does HIPAA apply to employer-maintained health records?
Generally no. HIPAA applies to the group health plan component of employment benefits, not to the employer as an employer. HR files, wellness program data managed by the employer, and fitness challenges are typically outside HIPAA, though other laws may still restrict use and disclosure.
What state laws regulate health data outside HIPAA?
States increasingly regulate consumer health data. Examples include California’s Confidentiality of Medical Information Act and Washington’s My Health My Data Act, which impose consent, transparency, security, and deletion requirements on many organizations that are not covered by HIPAA.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.