Does HIPAA Protect Health Information in Apps, Wearables, and Employer Wellness Programs?

Kevin Henry

HIPAA

January 20, 2024

8 minute read

HIPAA Scope for Health Apps

Whether HIPAA protects health information in mobile apps depends on who is collecting or receiving the data and for what purpose. HIPAA covers “protected health information” (PHI) held or transmitted by Covered Entities—health plans, most health care providers, and health care clearinghouses—and their Business Associates that handle PHI on their behalf.

Apps are typically subject to HIPAA when they are offered by your provider or insurer, or when an app developer signs a Business Associate agreement to operate on a Covered Entity’s behalf. Examples include patient portal apps, telehealth apps provided by a clinic, and care-management apps that feed data into an electronic health record.

  • HIPAA likely applies when your provider or health plan asks you to use an app and the vendor is a Business Associate.
  • HIPAA generally does not apply when you download a direct-to-consumer app (for fitness, fertility, medication reminders, or symptom tracking) that collects data for its own purposes and not on behalf of a Covered Entity.
  • When you ask a provider to transmit your records to a third-party app, HIPAA protects the provider’s disclosure, but the app may fall outside HIPAA unless it is a Business Associate.

If HIPAA applies, the Security Rule’s Data Security Requirements—risk analysis, access controls, encryption, audit logs, and breach notification—govern how ePHI is protected. If HIPAA does not apply, the app still has obligations under consumer protection and state privacy laws; following strong security practices and clear privacy notices remains essential for Health Data Privacy Compliance.

HIPAA Regulations for Wearable Devices

Most consumer wearables (such as fitness trackers and smartwatches) are not covered by HIPAA when you buy and use them on your own. The data they collect—steps, heart rate, sleep—usually sits with the device maker or app provider, outside the HIPAA framework.

HIPAA can apply to wearable data when a Covered Entity or its Business Associate deploys the device for clinical care or plan operations. For example, remote patient monitoring programs that provide a connected blood pressure cuff and route readings to your provider’s system typically create PHI protected by HIPAA.

  • Wearable vendor as Business Associate: if the vendor stores or analyzes readings for a hospital or health plan, it generally needs a Business Associate agreement and must meet HIPAA’s security and privacy rules.
  • Direct-to-consumer wearables: the vendor’s privacy policy and state laws govern. Sharing data with advertisers or data brokers may be restricted by state “consumer health data” statutes.

Regardless of coverage, prioritize devices that use strong authentication, encryption in transit and at rest, timely patches, and transparent data-sharing controls. These safeguards align with HIPAA’s Data Security Requirements and reduce risk even when HIPAA does not apply.

HIPAA and Employer Wellness Programs

For employer wellness programs, the key question is whether the program is part of a Group Health Plan. If the wellness program is offered through or integrated with the employer’s Group Health Plan (including many employee assistance programs), HIPAA applies to PHI collected and used for plan purposes.

  • When HIPAA applies: the plan is a Covered Entity. Employers acting as plan sponsors must maintain a firewall between employment functions and plan administration, use PHI only for plan purposes, and ensure Business Associate agreements with wellness vendors, app platforms, and wearable integrators.
  • When HIPAA does not apply: a standalone wellness program run by the employer outside the Group Health Plan is generally not a HIPAA Covered Entity. Other laws—such as state privacy statutes and federal workplace laws—still restrict collection and use of sensitive health data.

Where HIPAA governs, follow minimum-necessary access, secure transmission and storage, workforce training, incident response, and breach notification rules. Avoid storing PHI in personnel files, and limit the employer’s access to summary health information needed for plan design rather than identifiable data about individual employees.

State Health Data Privacy Laws

When data falls outside HIPAA, state laws often fill the gap. Two influential examples are California’s Confidentiality of Medical Information Act and Washington’s My Health My Data Act, both of which can reach apps and wearables in certain contexts.

The Confidentiality of Medical Information Act protects “medical information” held by providers, health plans, and their contractors. It may also apply when an app or vendor receives medical information from these entities to perform services, imposing rules for use, disclosure, and security beyond HIPAA in some situations.

The My Health My Data Act broadly regulates “consumer health data,” including inferences about health. It requires clear notices, consent for collection and sharing, limits on secondary uses, deletion rights, and a ban on geofencing near health care facilities. These requirements can directly affect app publishers, wearable makers, and wellness vendors operating in or targeting residents of covered states.

Several other states now treat health data as sensitive and require heightened controls—such as opt-in consent, limits on sales or targeted advertising, and timely deletion. If HIPAA does not apply to your use case, you should assume state privacy regimes will still impose meaningful obligations on collection, sharing, and retention.

Employer Responsibilities for Health Data Security

Employers administering wellness programs through a Group Health Plan must implement HIPAA-aligned Data Security Requirements. Core expectations include documented risk analyses, access and authorization controls, encryption, secure vendor integrations, audit logging, workforce training, and prompt breach notification. Contracts with vendors should expressly define their role as Business Associates when they handle PHI.

For programs outside HIPAA, anchor your Health Data Privacy Compliance in state law obligations: provide a concise privacy notice, collect only what you need, obtain consent where required, honor deletion and access requests, restrict sharing with advertising or analytics partners absent explicit permissions, and avoid geolocation tracking near health facilities where prohibited. Conduct vendor due diligence, define data retention limits, and prohibit reidentification of de-identified data.

  • Map data flows end to end, separating plan administration from HR and employment decisions.
  • Limit dashboards to aggregated metrics; avoid exposing identifiable participant data to managers.
  • Establish deletion triggers when employees leave or when the program ends.
  • Test incident response plans and ensure rapid consumer notification where laws require it.

Consumer Rights Under State Health Laws

Even when HIPAA does not apply, many states give you rights over your health-related data. Common rights include the right to know what is collected, to access and receive a copy, to correct inaccuracies, to delete data, to withdraw consent, and to opt out of sales or targeted advertising based on health data.

To exercise these rights, look for “Privacy” or “Data Request” links in the app or account settings, submit a verified request, and specify whether you seek access, deletion, or opt-out. Keep confirmation emails, and follow up if the response window passes. If your request is denied, many laws provide an appeal process.

Protect yourself by reviewing sharing settings, turning off unnecessary sensors, unlinking third-party integrations you do not use, enabling multi-factor authentication, and using strong, unique passwords. Choosing vendors that publish clear retention limits and honor deletion requests reduces long-term exposure.

In short, HIPAA protects health information when it is handled by Covered Entities and their Business Associates or when a wellness program operates as part of a Group Health Plan. For most stand‑alone apps and consumer wearables, state privacy laws and strong security practices are the primary guardrails, so selecting trustworthy vendors and understanding your rights are essential.

FAQs

Does HIPAA cover health data collected by mobile apps?

Only if the app is offered by a Covered Entity (like your provider or health plan) or the developer is acting as a Business Associate on that entity’s behalf. Direct-to-consumer apps that collect data for their own purposes usually fall outside HIPAA and are governed by state privacy laws and consumer protection rules.

Are wearable devices subject to HIPAA protections?

Consumer wearables are generally not covered by HIPAA. If a wearable is supplied for clinical care or plan administration and the vendor handles data for a Covered Entity under a Business Associate agreement, the data is typically PHI and HIPAA protections apply.

When do employer wellness programs fall under HIPAA?

When the program operates through or is integrated with a Group Health Plan, HIPAA applies to PHI collected and used for plan purposes. Standalone employer-run programs outside the plan are usually not HIPAA-covered, though state privacy laws and other workplace rules still apply.

What state laws apply to health data privacy beyond HIPAA?

California’s Confidentiality of Medical Information Act and Washington’s My Health My Data Act are leading examples that can cover health data in apps, wearables, and wellness platforms. Many states also treat health data as sensitive, imposing consent, transparency, and deletion obligations even when HIPAA does not apply.
