What Does HIPAA Not Protect? Health Data Outside Its Scope (Apps, Employers, Wearables)


Kevin Henry

HIPAA

March 03, 2024

7 minutes read
Wondering what HIPAA does not protect? This guide maps where HIPAA stops and where other rules—and your own choices—take over, focusing on apps, employers, and wearables that capture Consumer Health Data every day.

HIPAA Coverage Limitations

Who HIPAA actually covers

HIPAA regulates Covered Entities—health plans, most health care providers, and health care clearinghouses—and their Business Associates that handle Protected Health Information (PHI) for them. PHI is health-related data tied to an identifiable person when used for treatment, payment, or health care operations.

What falls outside HIPAA

Data created or held outside the clinical and insurance system often is not PHI. That includes information you enter into consumer apps, metrics from wearables you buy directly, data brokers’ profiles, many employer records, and marketing or analytics data collected by websites. HIPAA also does not cover de-identified data or data that never touched a Covered Entity or Business Associate in the first place.

Illustrative examples

  • Steps, sleep, and heart rate stored by a retail fitness tracker are usually outside HIPAA.
  • Mood logs in a mental health app are typically not PHI unless the app operates on behalf of your clinician’s practice.
  • Employment records about sick leave or accommodations are generally not protected by HIPAA, even when health-related.

Health Data Collected by Apps and Wearables

What these tools collect

  • Biometrics and vitals: heart rate, SpO2, ECG snippets, temperature, blood pressure, and glucose from connected devices.
  • Activity and behavior: steps, workouts, sleep, fertility cycles, medication reminders, and symptom tracking.
  • Contextual signals: location, IP address, device identifiers, contacts with Bluetooth beacons—often used to build inferences.

When HIPAA can apply to an app

If your provider or health plan gives you an app or connects a wearable through a vendor acting as a Business Associate, the data flowing in that role may be PHI. Most consumer apps you download directly, however, are not acting for a Covered Entity, so HIPAA generally does not apply.

Health IoT Privacy considerations

Connected scales, thermometers, fertility sensors, and blood pressure cuffs share data via cloud services and SDKs. Health IoT Privacy risks arise when devices pass granular readings to analytics or advertising partners; those flows are usually governed by the app’s privacy policy and state or federal consumer protection laws—not HIPAA.

Employment records versus group health plans

Your employer is typically not a Covered Entity. HIPAA does not protect most employment records, such as vaccination verification, accommodation requests, or fitness-for-duty information. A separate group health plan sponsored by an employer is a Covered Entity, but plan PHI must be walled off from general HR files.

Workplace Wellness Programs

Data from Workplace Wellness Programs—health risk assessments, biometric screenings, coaching—may fall outside HIPAA if the program is offered directly by the employer or a consumer app. If the program runs through the group health plan (or a vendor serving the plan), HIPAA can apply to that plan data, while non-plan copies may remain outside it.

Practical questions to ask

  • Is the program part of the employer’s group health plan or just a perk?
  • Who receives your results—HR, the plan, or only an aggregate report?
  • Is the vendor a Business Associate of the plan, or a direct-to-consumer service?

State Privacy Laws Governing Consumer Health Data

How state privacy statutes fill gaps

Several State Privacy Statutes regulate Consumer Health Data collected outside HIPAA. General privacy laws may treat health-related or biometric data as “sensitive,” requiring consent, access and deletion rights, or opt-outs for sales and targeted advertising.

Health-specific state laws

Some states have enacted consumer health data laws that define “consumer health data” broadly and restrict collection, use, and sharing, sometimes banning tactics like geofencing near health facilities. These rules apply to many apps, wearables, and websites that are not Covered Entities.

What these rights mean for you

  • Notice and consent: clearer disclosures and, in some states, opt-in for sensitive data.
  • Access, correction, and deletion: request what a company holds and ask them to delete it.
  • Limits on selling or sharing: opt out of sale or cross-context behavioral advertising where available.

Federal Trade Commission Oversight

Deception and unfairness

The FTC enforces against deceptive or unfair practices by consumer apps and devices, including false “HIPAA compliant” claims or undisclosed sharing of health signals with advertisers. Privacy promises in notices and in-app dialogs must match actual data flows.

Health Breach Notification Rule

The FTC’s Health Breach Notification Rule covers certain non-HIPAA health apps and connected devices. If there is a breach of unsecured, personally identifiable health data—including some unauthorized disclosures—companies must notify affected consumers and the FTC, and sometimes the media, on defined timelines.

How this fits with HIPAA

HIPAA breach rules apply to Covered Entities and Business Associates. The FTC’s rule helps cover breaches in the consumer health ecosystem that HIPAA does not reach.

Consumer Misconceptions About HIPAA

  • “HIPAA protects all health data.” Not true. It protects PHI in the hands of Covered Entities and their Business Associates—not most consumer apps, wearables, or employer HR files.
  • “A company saying it’s ‘HIPAA compliant’ means my app data is under HIPAA.” Marketing claims don’t determine coverage; the company’s role and data flows do.
  • “Employers can’t ask about health information because of HIPAA.” HIPAA rarely applies to employer employment records; other laws may govern what employers can ask and how they must safeguard it.
  • “Deleting an app deletes my data everywhere.” Companies may retain backups or share data with partners; use access/deletion rights where state law provides them.

Data Sharing and Privacy Policies of Health Apps

What to look for in a policy

  • Data categories: vitals, cycle data, mental health notes, location, device IDs, and inferences.
  • Purposes: core features versus advertising, analytics, or research.
  • Sharing: ad tech, social media pixels, data brokers, affiliates, or “service providers.”
  • Retention: how long data is kept and deletion timelines.
  • User rights: access, correction, deletion, and opt-out options under State Privacy Statutes.

Controls you can use today

  • Minimize inputs: share only what the feature truly needs; disable continuous location when possible.
  • Review permissions: Bluetooth, motion, contacts, and background activity can reveal health patterns.
  • Limit cross-app tracking: use platform privacy settings to reduce targeted advertising.
  • Prefer local or offline modes when offered; export and delete data you no longer need.

Key takeaways

HIPAA protects PHI within the clinical and insurance system. Much of the data generated by consumer apps, wearables, and employers sits outside HIPAA and is instead governed by state privacy laws and the FTC’s consumer protection authority, including the Health Breach Notification Rule. Knowing which rules apply—and reading data sharing and privacy policies—helps you choose tools and settings that match your privacy expectations.

FAQs

What types of health data does HIPAA not cover?

HIPAA generally does not cover health data created or held outside Covered Entities and their Business Associates. Examples include fitness and wellness metrics in consumer apps, wearable-generated data you store in a retail account, health-related browsing and location signals collected by sites or ad tech, many employment records, and data that has been de-identified under HIPAA standards.

Are health apps and wearable devices protected under HIPAA?

Usually no. A consumer app or wearable is covered by HIPAA only when it is operating for a Covered Entity—such as a provider’s app connected to your medical record through a Business Associate. Most direct-to-consumer apps and devices are instead governed by privacy policies, State Privacy Statutes, and FTC oversight.

Does HIPAA apply to employer-collected health information?

Most employer employment records are not protected by HIPAA. If the information is held by the employer’s group health plan (a Covered Entity) or a vendor acting as its Business Associate, HIPAA can apply to that plan data. Wellness programs run outside the plan, or general HR files, typically fall outside HIPAA.

How do state laws protect health data outside HIPAA?

State Privacy Statutes and health-specific consumer laws can treat Consumer Health Data as sensitive, require clear notices and consent, provide access and deletion rights, restrict sales or sharing, and in some cases prohibit practices like geofencing around health facilities. These laws help protect data that HIPAA does not reach, including information from apps, wearables, and websites.