HIPAA and Wearable Health Devices: When Do Wearables Become PHI?

The hardest HIPAA question about wearables is not how to secure them but when the law applies at all. The exact same stream of heart-rate, sleep, and step data can be completely outside HIPAA in the morning and squarely inside it by the afternoon, depending entirely on who is holding it and why. A patient’s personal smartwatch data is consumer data; the moment your clinic enrolls that patient in a remote monitoring program and pulls those readings into the chart, it becomes protected health information you are legally responsible for. Understanding that trigger point is the single most important thing a provider can get right about wearables, because it determines whether you need a Business Associate Agreement, encryption, and access controls, or nothing at all.

The line between consumer data and PHI

HIPAA only reaches information held by covered entities and their business associates. When an individual buys a fitness tracker and the data lives in the manufacturer’s consumer app, that manufacturer is generally not bound by HIPAA, which is why so much wearable data sits in a regulatory gap covered instead by FTC rules and state privacy law. The status changes when a healthcare provider or health plan brings the data into the treatment or payment relationship. If your practice issues connected blood-pressure cuffs, glucose monitors, or smartwatches and receives the readings to manage care, those readings are PHI, the platform that moves them is a business associate, and every HIPAA safeguard attaches. The practical task is to map exactly where, in your specific workflows, consumer data crosses that line.

Securing a remote patient monitoring program

Once wearable data is PHI, the exposure points are specific to connected devices. Data travels over Bluetooth and cellular links that must be encrypted; it lands in a monitoring platform that must sign a BAA and protect data at rest; clinicians view it through a dashboard that needs role-based access and audit logging; and patients must be reliably matched to their own device so readings are never attributed to the wrong person. Lost or stolen devices, shared logins on the monitoring portal, and vendors who sub-contract their analytics without telling you are the failures that turn into breaches. Each of these belongs explicitly in your documentation rather than being assumed away.
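The following Python sketch is an added example, not code from the original article or from Medcurity; it models the control points named above (one device bound to one patient, lost-device shutoff, treatment-need access to the feed, and an audit trail for every decision) so that the failure modes are visible as rejected or denied operations rather than silently mis-attributed readings. The class, role names, device identifiers and sample readings are all hypothetical constructions for illustration.

```python
"""Toy model of an RPM intake path with the controls an HIPAA program needs.

Everything here is constructed for illustration: an in-memory store stands in
for the monitoring platform, role names are assumed, and device/patient ids are
made up. A real platform would persist readings encrypted at rest and ship the
audit log to tamper-evident storage.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Reading:
    device_id: str
    metric: str      # e.g. "heart_rate", "systolic_bp"
    value: float
    taken_at: str    # ISO-8601 timestamp reported by the device


class MonitoringStore:
    """Hypothetical stand-in for the monitoring platform's data layer."""

    # Assumed role names: only roles with a treatment need may view the feed.
    TREATMENT_ROLES: Set[str] = {"clinician", "care_manager"}

    def __init__(self) -> None:
        self._device_to_patient: Dict[str, str] = {}
        self._retired_devices: Set[str] = set()
        self._readings: Dict[str, List[Reading]] = {}
        self.audit_log: List[dict] = []

    def _audit(self, actor: str, action: str, outcome: str, **detail) -> None:
        # Every allow *and* deny is recorded; denials are what reviewers look for.
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "outcome": outcome, **detail,
        })

    def enroll_device(self, actor: str, device_id: str, patient_id: str) -> bool:
        """Bind one device to exactly one patient; never rebind silently."""
        current = self._device_to_patient.get(device_id)
        if current is not None and current != patient_id:
            self._audit(actor, "enroll", "denied", device=device_id,
                        reason="device already bound to another patient")
            return False
        self._device_to_patient[device_id] = patient_id
        self._retired_devices.discard(device_id)
        self._audit(actor, "enroll", "ok", device=device_id, patient=patient_id)
        return True

    def retire_device(self, actor: str, device_id: str) -> None:
        """Lost or stolen device: stop accepting its readings immediately."""
        self._retired_devices.add(device_id)
        self._audit(actor, "retire", "ok", device=device_id)

    def ingest(self, reading: Reading) -> bool:
        """Accept a reading only from an enrolled, non-retired device.

        An unknown or retired device is rejected outright; guessing the patient
        is exactly how readings end up in the wrong chart.
        """
        patient_id = self._device_to_patient.get(reading.device_id)
        if patient_id is None or reading.device_id in self._retired_devices:
            self._audit(f"device:{reading.device_id}", "ingest", "rejected",
                        metric=reading.metric)
            return False
        self._readings.setdefault(patient_id, []).append(reading)
        return True

    def view_feed(self, actor: str, role: str,
                  patient_id: str) -> Optional[List[Reading]]:
        """Role-based access to a patient's feed; denials are audited too."""
        if role not in self.TREATMENT_ROLES:
            self._audit(actor, "view", "denied", patient=patient_id, role=role)
            return None
        self._audit(actor, "view", "ok", patient=patient_id, role=role)
        return list(self._readings.get(patient_id, []))


def run_demo() -> dict:
    """Walk the store through the failure modes and return what was blocked."""
    store = MonitoringStore()
    store.enroll_device("rpm_admin", "cuff-001", "pt-A")      # constructed ids
    store.enroll_device("rpm_admin", "watch-002", "pt-B")
    rebind_ok = store.enroll_device("rpm_admin", "cuff-001", "pt-B")  # denied
    accepted = store.ingest(Reading("cuff-001", "systolic_bp", 128.0,
                                    "2024-06-01T08:00:00Z"))
    unknown = store.ingest(Reading("tracker-999", "heart_rate", 71.0,
                                   "2024-06-01T08:01:00Z"))          # rejected
    store.retire_device("rpm_admin", "watch-002")                   # reported lost
    after_retire = store.ingest(Reading("watch-002", "heart_rate", 64.0,
                                        "2024-06-01T08:02:00Z"))     # rejected
    feed = store.view_feed("dr_lee", "clinician", "pt-A")
    billing_view = store.view_feed("front_desk", "billing", "pt-A")   # denied
    return {
        "rebind_allowed": rebind_ok, "accepted": accepted,
        "unknown_rejected": not unknown, "retired_rejected": not after_retire,
        "feed_len": len(feed or []), "billing_denied": billing_view is None,
        "denials_logged": sum(1 for e in store.audit_log
                              if e["outcome"] in ("denied", "rejected")),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the model is that each of the failure modes in the paragraph above shows up as an explicit, logged refusal: a second enrollment of the same cuff is denied rather than quietly re-pointing its readings at a new patient, a retired device's data stops at the door, and a non-treatment role's attempt to open the feed is recorded even though it returns nothing.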

Start with the Security Risk Analysis

HIPAA requires every covered entity to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of electronic PHI, under 45 CFR § 164.308(a)(1)(ii)(A). For a wearables or remote-monitoring program, that means inventorying the devices and platforms in use, documenting how readings travel from the patient to your record system, confirming encryption in transit and at rest, and verifying a Business Associate Agreement with the monitoring vendor. Because wearable technology and vendors change quickly, the analysis must be revisited whenever you add a device type or switch platforms. A current written analysis is also the first thing the Office for Civil Rights asks to see if a complaint or breach ever brings them to your door.

The proposed 2026 Security Rule changes

In December 2024, the Office for Civil Rights published a Notice of Proposed Rulemaking that would strengthen the HIPAA Security Rule. The proposal would make several currently “addressable” controls mandatory, including encryption of electronic PHI, multi-factor authentication, and a written technology asset inventory and network map refreshed at least annually. A remote monitoring program lives or dies on exactly those controls: encrypting device data, locking down dashboard access, and keeping an accurate inventory of every connected device and platform. The essential caveat is that this remains a proposed rule and is not final. If finalized as written, organizations would have roughly a 240-day compliance window once the final rule is published, so treat it as a strong signal rather than a present-day requirement.

How Medcurity helps

Medcurity walks healthcare organizations through a HIPAA Security Risk Analysis that accounts for modern data sources like wearables and remote monitoring, helping you identify exactly where consumer data becomes PHI in your own workflows and what safeguards each path requires. The platform generates the written documentation regulators expect, tracks your remediation tasks, and keeps your Business Associate Agreements organized. Pricing is $499/year (about $42/month) for a single organization; larger or multi-location operations can request a quote. To go deeper, begin with our HIPAA risk assessment overview and our step-by-step HIPAA compliance checklist.

Frequently asked questions

Is data from a Fitbit or Apple Watch covered by HIPAA?

Not on its own. When a consumer buys a wearable and the data stays in the manufacturer’s app, that company is usually not a HIPAA covered entity or business associate, so HIPAA does not apply. The same heart-rate or step data becomes protected health information the moment a covered provider or health plan collects it, ties it to the patient’s record, and uses it for treatment or payment.

When does a wearable vendor become a business associate?

When a covered entity hires or partners with the vendor to collect, store, transmit, or analyze patient data on its behalf. A remote patient monitoring program where a clinic provides patients with connected devices and receives the readings is the classic example, and it requires a signed Business Associate Agreement before any data flows.

What are the biggest HIPAA risks in a remote monitoring program?

Data in transit from the device to your systems, third-party platforms that aggregate the readings, patient identity verification, and access controls on the dashboard clinicians use. Bluetooth and cellular links must be secured, the monitoring platform must encrypt data and sign a BAA, and only staff with a treatment need should be able to view the feed.

Do patients have a right to the data we collect from their wearables?

Yes. Once wearable data is part of your designated record set, the HIPAA right of access applies, and patients can request a copy of the readings you hold. Build export and disclosure procedures into your remote monitoring program so you can respond within the required timeframe.