Do Fitness Trackers and Health Apps Need HIPAA Compliance?
The question “do fitness trackers need HIPAA compliance” almost always gets answered wrong because people assume HIPAA follows the data. It does not. HIPAA follows the relationship. The same heart-rate reading can be completely outside HIPAA in one context and squarely inside it in another, depending on who is holding it and why. Understanding that distinction is what tells you whether a wearable or health app triggers HIPAA at all.
HIPAA applies to entities, not to “health data”
HIPAA regulates three kinds of “covered entities” — healthcare providers who bill electronically, health plans, and clearinghouses — plus the “business associates” that handle protected health information on their behalf. It does not regulate health information generally. So when a consumer buys a Fitbit, an Apple Watch, or a calorie-tracking app and the data flows only between that person and the vendor, HIPAA simply does not apply. The vendor has no relationship with a covered entity, so the data, however sensitive, is not PHI in the HIPAA sense.
When the same device does trigger HIPAA
The picture flips the moment a covered entity brings the device into care. If a cardiology practice prescribes a remote-monitoring wearable, or a clinic deploys an app that feeds readings into the patient’s chart, the app or device vendor is now creating, receiving, or transmitting PHI on the provider’s behalf. That makes the vendor a business associate, and a signed business associate agreement is required before patient data starts flowing. The hardware did not change — the relationship did. This is exactly why provider-deployed wearables and patient apps belong in your compliance scope while staff members’ personal fitness bands do not.
“Not HIPAA” does not mean “no rules”
Consumers and app makers sometimes assume that falling outside HIPAA means there is no regulation. That is wrong. The Federal Trade Commission’s Health Breach Notification Rule reaches many consumer health apps and connected devices that are not HIPAA-covered, requiring them to notify users when unsecured health information is breached. A growing set of state consumer-health-data laws, including Washington’s My Health My Data Act, add further obligations. So a non-HIPAA health app still operates inside a real legal framework — just a different one.
For providers: put the app in your risk analysis
If you are a covered entity adding a patient-facing app or wearable program, the compliance work is concrete. First, determine whether the vendor will handle PHI on your behalf; if so, execute a business associate agreement before launch. Then bring the app, its data flows, and the devices it runs on into your Security Risk Analysis — the requirement under 45 CFR § 164.308(a)(1)(ii)(A) to identify risks to ePHI across all systems. Connected devices and mobile apps are a frequent blind spot precisely because they live on phones and home networks outside the clinic’s walls. The proposed 2026 Security Rule update reinforces this direction: HHS’s Notice of Proposed Rulemaking, published in December 2024, would require detailed asset inventories and make safeguards like encryption and multi-factor authentication explicit. It is a proposal, not final, with a 240-day compliance window once published — but it signals that device- and app-level controls will only get more scrutiny.
How Medcurity helps
Medcurity’s guided Security Risk Analysis helps providers account for every system that touches PHI — including patient-facing apps and connected devices that are easy to overlook — and flags where a business associate agreement is needed. The platform is $499/year (about $42/month) for most practices; larger or multi-location organizations can request a quote. For related guidance, see our HIPAA and mobile health apps guide and the business associate agreement guide.
Frequently asked questions
Is my Fitbit or Apple Watch data protected by HIPAA?
Generally no. When you buy a fitness tracker or download a health app on your own and the data flows only to you and the vendor, HIPAA does not apply, because the vendor is not a covered entity or business associate. HIPAA protects health information held by healthcare providers, health plans, clearinghouses, and their vendors — not data you generate as a consumer.
When does a health app or wearable fall under HIPAA?
When a HIPAA covered entity brings it into care. If a clinic provides or prescribes a remote-monitoring device, or integrates an app so data flows into the medical record, the app or device vendor is handling PHI on the provider’s behalf and becomes a business associate that needs a signed business associate agreement. The same physical device can be outside HIPAA for a consumer and inside HIPAA when a provider deploys it.
If HIPAA doesn’t apply, is the data unregulated?
No. The FTC’s Health Breach Notification Rule covers many consumer health apps and connected devices that are not subject to HIPAA, requiring notification when unsecured health data is breached. State consumer-health-data laws, such as Washington’s My Health My Data Act, can also apply. So “not HIPAA” does not mean “no rules.”
We’re a provider adding a patient-facing app — what do we do?
Treat it like any other vendor that touches PHI. Confirm whether the vendor will create, receive, maintain, or transmit PHI on your behalf; if so, execute a business associate agreement before going live, and include the app and its data flows in your Security Risk Analysis. Verify device-level encryption and authentication, and document the decision either way.