HIPAA Doesn’t Protect Your Health App or Wearable Data: How to Keep Consumer Health Info Private


Kevin Henry

HIPAA

January 23, 2024

6 minutes read

HIPAA Coverage Limitations

What HIPAA covers—and what it doesn’t

HIPAA safeguards protected health information when it’s held by covered entities like doctors, hospitals, health plans, and their business associates. Most consumer health apps and wearables sit outside this ecosystem, so the data you enter or generate there typically isn’t protected by HIPAA.

If an app acts on behalf of your provider under a Business Associate Agreement, data flowing through that arrangement can be covered. Yet information the app collects for its own features—community, ads, or analytics—usually remains outside HIPAA’s scope.

Implications for you

Because HIPAA often doesn’t apply, your app data is governed mainly by consumer privacy laws and the app’s own privacy policy. That means your protections vary widely, and risks like unauthorized data sharing or profiling can arise even without a classic “data breach.”

FTC Health Breach Notification Rule

Who is covered and when it applies

The Health Breach Notification Rule (HBNR) applies to vendors of personal health records and related entities that collect or manage identifiable health information outside HIPAA. It can be triggered not only by hacks but also by unauthorized disclosures—such as sharing sensitive health data with advertising or analytics partners without valid authorization.

What the rule requires

When a qualifying breach occurs, covered companies must provide timely notices to affected consumers and to the FTC, and in some cases to the media. Organizations should document incidents, assess whether data was acquired without authorization, and implement processes to notify users and mitigate harm.

Practical steps for developers

  • Map data flows to identify whether you are a PHR vendor or related entity.
  • Treat unauthorized data sharing with ad-tech as a potential breach scenario.
  • Maintain incident response plans and keep evidence of investigations and notices.

State Health Data Privacy Laws

Confidentiality of Medical Information Act

California’s Confidentiality of Medical Information Act (CMIA) protects “medical information” held by healthcare providers, health plans, and certain contractors. Some health apps can fall within CMIA if they maintain medical information derived from, or on behalf of, covered entities, triggering stricter confidentiality and security duties.

My Health My Data Act

Washington’s My Health My Data Act broadly covers consumer health data outside HIPAA, requiring clear notices, consent for collection and sharing, data minimization, and consumer rights such as access and deletion. It restricts geofencing around health locations and enables enforcement that includes private lawsuits and state action.

What this means across states

Coverage, definitions, and rights differ by state, so the same app feature can face different obligations depending on where users live. Companies should design for the strictest common requirements to reduce compliance risk and build trust.

Data Sharing Risks and Third Parties

Where data flows—and why it matters

Health apps often embed third-party SDKs for analytics, crash reports, push notifications, and advertising. These components can transmit identifiers, usage patterns, and sometimes sensitive health signals to multiple parties, creating re-identification and profiling risks.

High‑risk patterns to watch

  • Cross‑app tracking and fingerprinting that tie health data to ad profiles.
  • Location and geofencing data revealing clinic visits or conditions.
  • Cloud logs and misconfigured storage that expose sensitive metrics.
  • Social logins or sharing tools that enable broader data propagation.

The biggest hazard is unauthorized data sharing—flows you didn’t expect or consent to—especially when toggles don’t fully disable background transmissions.
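To make the developer steps above (map data flows, treat ad-tech sharing as a breach scenario) and these high-risk patterns concrete, here is an added example that is not from the article or any product: a small audit over a constructed data-flow map that flags sensitive data reaching third parties without authorization, transmissions that ignore the user's sharing toggle, and destinations that receive identifiers alongside health or location data. All vendor names, fields and flows are assumptions.

```python
# Constructed example: audit a health app's data-flow map for the risks the
# article names (unauthorized sharing with ad-tech, toggles that don't stop
# background sends, identifiers joined with health signals). Not from the article.
from collections import defaultdict
from dataclasses import dataclass

SENSITIVE = {"health", "location"}            # categories that reveal conditions or clinic visits
THIRD_PARTY = {"advertising", "analytics", "crash_reporting", "social"}

@dataclass(frozen=True)
class Flow:
    element: str       # data element, e.g. "cycle_phase"
    category: str      # "health", "location", "identifier" or "usage"
    destination: str   # receiving party (constructed vendor names below)
    kind: str          # "first_party" or one of THIRD_PARTY
    authorized: bool   # a valid user authorization exists for this specific disclosure
    background: bool   # still transmitted when the user's sharing toggle is off

def audit(flows):
    """Return (element, destination, issue) triples; an empty list means no finding."""
    findings = []
    by_dest = defaultdict(set)                  # categories each third party receives
    for f in flows:
        if f.kind not in THIRD_PARTY:
            continue                            # first-party processing is out of scope here
        by_dest[f.destination].add(f.category)
        if f.category in SENSITIVE and not f.authorized:
            findings.append((f.element, f.destination, "unauthorized disclosure: treat as HBNR breach scenario"))
        if f.category in SENSITIVE and f.background:
            findings.append((f.element, f.destination, "sent in background despite user toggle"))
    for dest, cats in by_dest.items():          # re-identification: identifier + health/location at one party
        if "identifier" in cats and cats & SENSITIVE:
            findings.append(("*", dest, "identifier joined with health/location data: profiling risk"))
    return findings

SAMPLE_FLOWS = [  # constructed data-flow map, not a real product
    Flow("heart_rate", "health", "AppBackend", "first_party", True, False),
    Flow("cycle_phase", "health", "AdNetX", "advertising", False, False),
    Flow("advertising_id", "identifier", "AdNetX", "advertising", True, False),
    Flow("clinic_geofence", "location", "MetricsCo", "analytics", True, True),
    Flow("screen_views", "usage", "MetricsCo", "analytics", True, True),
    Flow("stack_trace", "usage", "CrashCo", "crash_reporting", True, False),
]

if __name__ == "__main__":
    for element, dest, issue in audit(SAMPLE_FLOWS):
        print(f"{element:>16} -> {dest:<10} {issue}")
```

Each finding maps to a line in your incident log or data map, which is the evidence the HBNR section says to keep.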

Privacy Measures for Consumers

Data Minimization Techniques

  • Choose apps that let you use core features without creating an account.
  • Skip optional fields, disconnect social features, and decline precise location.
  • Regularly delete old entries and revoke unused integrations and permissions.

On-Device Processing

Prefer tools that process data locally—sleep analysis, heart‑rate trends, or cycle tracking—so raw signals never leave your phone or watch. Offline modes and local analytics reduce exposure if an account is compromised.

End-to-End Encryption

Use services that offer end‑to‑end encryption for backups, notes, and file sync so only you hold the keys. Protect the device itself with a strong passcode or passkey, enable encrypted backups, and turn on remote‑wipe to contain loss or theft.

Permission and network controls

  • Set location to “While Using” and “Approximate” when possible.
  • Disable background app refresh and limit tracking or ad personalization.
  • Block cross‑app tracking and reset advertising identifiers periodically.

Account hygiene and transparency

  • Use a unique email alias and strong, unique passwords or passkeys.
  • Review data exports to see exactly what the app holds about you.
  • Submit deletion requests where state law or app policy allows.

Data Storage and Security Options

Local‑only vs. cloud storage

Local‑only storage minimizes exposure but requires diligent backups. Cloud storage adds convenience and redundancy, yet it increases the number of parties and systems touching your data.

Securing cloud use

  • Prefer end‑to‑end encrypted vaults where the provider cannot see your content.
  • Segment data: keep the most sensitive files in a separate, encrypted container.
  • Set short retention windows for logs and delete stale device backups.

Sharing data safely

  • Export only the minimum necessary data for a specific purpose.
  • Share via end‑to‑end encrypted channels and verify recipients.
  • Avoid public links; set expiration and view‑only restrictions when possible.

Regulatory Enforcement and Compliance

What organizations should implement

  • Data maps and inventories covering collection, use, sharing, and retention.
  • Privacy by design with documented Data Protection Impact Assessments.
  • Vendor due diligence, contractual limits on secondary use, and ongoing audits.
  • Breach readiness for the Health Breach Notification Rule and state requirements.
  • Clear notices, consent flows, and robust user rights handling across states.

How enforcement happens

Regulators can pursue deceptive or unfair practices, undisclosed or unauthorized data sharing, insecure design, and failure to notify. Remedies may include civil penalties, deletion of ill‑gotten data, mandated security programs, and long‑term compliance reporting.

Conclusion

Because HIPAA rarely reaches consumer apps and wearables, protecting your privacy requires a mix of smart product choices and strong security habits. Favor on‑device processing, end‑to‑end encryption, and data minimization, and scrutinize how apps share data with third parties.

FAQs

Does HIPAA apply to health apps and wearables?

Usually no. HIPAA covers medical providers, health plans, and their business associates—not most standalone consumer apps or wearables. If an app operates on behalf of your provider under a formal agreement, those specific data flows may be covered, but the app’s broader consumer features typically are not.

What laws protect consumer health data outside HIPAA?

Key protections can come from the FTC’s Health Breach Notification Rule, state laws like California’s Confidentiality of Medical Information Act and Washington’s My Health My Data Act, and general consumer protection rules against unfair or deceptive practices. Coverage and rights vary by jurisdiction.

How can users secure their health data on apps?

Minimize what you share, prefer on‑device processing, and use end‑to‑end encryption for storage and backups. Lock down permissions, disable background tracking, use strong authentication, review exports, and send deletion requests where offered or required by law.

What are the risks of sharing health app data with third parties?

Third‑party SDKs and partners can create profiling, re‑identification, and targeted advertising risks, especially if data is shared without valid consent. Unauthorized data sharing may expose sensitive health inferences, location patterns, and device identifiers across multiple platforms.
