by Katie Bunch, Associate Member, University of Cincinnati Law Review Vol. 94
I. Introduction
Wearable healthcare devices are increasingly used in the United States to monitor metrics like heart rate, activity levels, and sleep cycles, tracking health over time.[1] Despite their benefits, they collect sensitive health information that may not be adequately protected under existing privacy and health laws.[2] Unlike traditional medical records, data from wearables often falls outside the scope of the Health Insurance Portability and Accountability Act (“HIPAA”), which leaves consumers vulnerable to the sale of their personal information.[3] Several states offer broader protections, but these protections are not uniform across the United States, so not every consumer is covered.[4] This gap highlights the need for broader and more consistent privacy protections to ensure that consumers’ sensitive health data is adequately safeguarded.[5]
This Article examines the gap between wearable technology and existing health privacy protections. Part II provides background on wearable devices, the scope and limitations of HIPAA, federal findings regarding third-party data sharing, and state-level privacy protections. Part III argues that the entity-based structure of HIPAA leaves wearable-generated health data vulnerable, and that reform is necessary to ensure meaningful protection. It then recommends amending HIPAA to either expand its coverage or adopt a data-based model; strengthening opt-in consent requirements; and harmonizing state-level protections into a more uniform federal framework. Part IV concludes by emphasizing the need to modernize privacy law as wearable technology becomes increasingly integrated into healthcare systems and daily life.
II. Background
A. Wearable Health Devices and Fitness Trackers
A wearable healthcare device is “autonomous,” “noninvasive,” and “performs a specific medical function such as monitoring or support over a prolonged period of time.”[6] Users wear devices on their body or on a piece of clothing to monitor various health metrics, like heart rate, amount of activity, and blood pressure.[7] In some instances, when a change in these metrics occurs, users receive alerts and the data is transmitted to the user’s physician.[8] Additionally, the devices encourage lifestyle changes like exercise, sleep, or diet based on the continuous monitoring of the user’s metrics.[9] Examples of such devices include those made by Garmin and Fitbit, among others.[10] Because wearable devices collect, store, and often transmit sensitive health data, their growing use raises important questions about whether and how that information is protected under HIPAA.
B. HIPAA Enforcement and Third Parties
HIPAA governs the privacy and security of Protected Health Information (“PHI”) held by “covered entities” and their “business associates.”[11] PHI includes an individual’s medical information, details concerning payment for treatment, or any information maintained by a HIPAA-covered organization that could identify an individual.[12] Covered entities include health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with covered transactions.[13] A business associate is a person or entity performing certain functions or services for a covered entity that involve the use or disclosure of PHI.[14]
Generally, HIPAA does not cover wearables.[15] These wearables have the capability to gather large amounts of sensitive health information that could jeopardize the consumer’s future if the information is sold or shared with a third party that is not a covered entity or business associate.[16]
A Federal Trade Commission (“FTC”) study from 2014 highlighted the security risks concerning healthcare applications and wearable devices.[17] In this study, more than 12 mobile health applications and devices transmitted healthcare information to 76 third parties, including information that could be traced back to specific users.[18] Additionally, 18 third parties received device-specific identifiers, and 22 third parties had access to other key health information.[19]
C. State-Level Protections
1. Statutes
HIPAA is the “floor” of privacy protections; thus, states must follow HIPAA but can pass more stringent protections.[20] For example, Connecticut imposed additional privacy obligations on entities handling consumer health data, including requirements for transparency, consent, and restrictions on data sharing.[21] In Washington, entities that collect consumer health data must maintain a privacy policy that discloses the categories of data collected, the purposes for the collection, and the third parties with whom the data is shared.[22] The entities must also obtain consent before collecting or sharing additional categories of health data.[23] The California Consumer Privacy Act (“CCPA”) may also impose additional requirements on the collection and use of health-related data.[24] The CCPA gives consumers more control over the personal information that businesses collect about them, granting California residents significant rights over that information.[25] Consumers have the right to know what personal information is collected about them and whether it is sold or shared, the right to delete their personal information, the right to opt out of the sharing or selling of their information, and the right to non-discrimination for exercising their privacy rights.[26] Therefore, while residents of California, Connecticut, and Washington benefit from expanded health privacy protections beyond HIPAA, individuals in other states may lack comparable safeguards.
2. Cases
In Doe v. Wellstar Health Sys., Inc., the plaintiffs were a group of individuals who used the defendant’s website and patient portal for healthcare services.[27] They alleged that the defendant captured and transmitted their PHI, consisting of sensitive information about medical conditions and treatments, to third parties without their consent through the use of Google and Meta.[28] The court found that the plaintiffs sufficiently alleged that the defendant intercepted these communications for a criminal or tortious purpose and held that such actions could invoke HIPAA.[29] Additionally, the court found that the plaintiffs sufficiently alleged that the defendant used their data for its own benefit, such as improving advertising, without compensating the plaintiffs or obtaining their consent.[30]
Likewise, in Nienaber v. Overlake Hosp. Med. Ctr., the plaintiff alleged that a healthcare provider transmitted patient information to third parties via digital tracking technologies.[31] She claimed that the defendant improperly disclosed her PHI to Facebook and Google through those tracking technologies.[32] These transmissions led to targeted advertisements related to her medical conditions.[33] The case was ultimately dismissed due to insufficient factual evidence connecting the breach to the plaintiff’s concrete harm; however, it illustrates how a patient’s PHI can be exposed through ordinary interactions with seemingly secure healthcare platforms.[34]
A notable case that illustrates the negative consequences resulting from the illegal disclosure of PHI is Clemens v. ExecuPharm Inc.[35] This case involved a data breach in which sensitive personal and financial information was intentionally accessed and misused by hackers, who held the data for ransom and published it.[36] The court recognized that the exposure of the PHI created a substantial risk of identity theft and fraud.[37] The harm to the plaintiffs included emotional distress, therapy costs, and the time and money spent mitigating the breach.[38] Similar cases show that plaintiffs are concerned about identity theft and fraud,[39] misuse of their PHI,[40] emotional harm from the violation of their privacy,[41] and the diminished value of their PHI.[42] While case law in this area is limited, these examples show the potential harms of unauthorized data sharing and tracking that plaintiffs could challenge under HIPAA.
Thus, as wearable health devices increasingly collect sensitive consumer health data, HIPAA protects that information only when it is handled by covered entities or their business associates. Federal enforcement actions and studies have identified risks associated with third-party data sharing, and states have enacted additional statutory protections as related case law continues to develop. This limited scope of federal protection highlights the growing tension between technological innovation and existing privacy regulations, setting up closer examination of the gaps in wearable data safeguards.
III. Discussion
The growth of wearable fitness trackers presents a gap between innovation and legal protection. While these devices provide health benefits and preventive care to consumers, the current regulatory framework does not adequately protect the vast amount of sensitive data that wearables collect. This gap demonstrates the need for HIPAA reform, the presence and strengthening of opt-in consent, and the uniformity of state privacy laws to ensure consistent protection for users.
A. HIPAA Reform
With technology and innovation increasing by the day, the definition of covered entities in HIPAA should be expanded to include wearable technology companies and mobile health applications that collect, store, or transmit consumer health data. For example, companies that manufacture wearable devices, such as Fitbit or other smartwatch platforms, collect detailed health metrics but are generally not considered covered entities or business associates under HIPAA. Given that HIPAA applies only to covered entities and their business associates, identical health information may be protected in a hospital setting but unprotected when collected through a smartwatch or mobile app; thus, HIPAA reform is necessary.
Alternatively, HIPAA could be revised to protect health information based on the nature of the data itself, regardless of who collects it. Under such a framework, coverage would turn on whether the data reveals information about an individual’s physical or mental health, medical conditions, treatments, or biological metrics, rather than on whether the entity qualifies as a traditional healthcare provider or insurer. The law could distinguish between varying levels of sensitivity, imposing stricter requirements on data that are biometric or especially identifying. By grounding protection in the substance of the information rather than the identity of the collector, such a framework would ensure that similarly sensitive health data receives consistent safeguards.
Beyond expanding the definition of covered entities, HIPAA reform should include specific requirements for how wearable health data is collected, stored, and shared. For example, companies should be required to implement data security measures, conduct regular risk assessments, and limit the retention of sensitive health data to what is necessary only for the function of the device. Additionally, transparency to consumers should be required, including detailed notices about what data is being collected and stored, how it will be used, and which third parties may have access to the information. Lastly, regulators should clarify when wearable technology companies may qualify as business associates when their platforms interact with healthcare providers or electronic health record systems. Providing clearer guidance would help ensure that sensitive health information receives consistent protection even as consumer technology becomes more integrated into healthcare systems. Without reform, HIPAA may leave this growing category of sensitive, private health data vulnerable to misuse.
B. Opt-In Consent Requirements
In addition to reforming the scope of HIPAA, lawmakers should require affirmative consent before companies can share or monetize consumer health data. Vague consent that the consumer does not clearly understand is not sufficient when the data at issue includes heart rate patterns, sleep cycles, or other intimate metrics. This consent should be specific and informed. Strengthening consent requirements would better align corporate practices with consumer expectations and with consumers’ control over their own health information.
Lawmakers should also require that consent be specific and segmented, allowing consumers to choose exactly which types of health data they are willing to share and for what purposes. Companies should be required to refresh these permissions periodically and obtain new consent from consumers whenever new categories of data are to be collected or shared. Providing users of wearables with clear and accessible dashboards to see, manage, and revoke consent would give consumers ongoing control over their information. Strengthening opt-in requirements in this way would not only protect sensitive health data but also build trust between consumers and wearable technology providers, encouraging innovation in a protected, ethical way. Building on the need for strong, specific opt-in consent, existing state-level frameworks provide concrete examples of how these protections can be implemented.
C. Harmonizing State-Level Frameworks
States should adopt the frameworks established in Washington, Connecticut, or California as models for broader privacy reform to ensure consistent protection of wearable health data. Washington’s consumer health data protections impose obligations on entities collecting health information, including transparency requirements and consent mandates. Similarly, Connecticut requires businesses to disclose data practices and limit the use of sensitive information. The CCPA and its amendments grant consumers clear rights, including the right to know, delete, and opt out of the sale or sharing of personal information.
Washington, Connecticut, and California all offer approaches that should be incorporated into a cohesive federal law. Washington’s statute focuses on transparency and consent, so consumers are informed about how their data is being used. Connecticut limits how sensitive information can be handled, which gives consumers more control over their protected information. California’s CCPA gives individuals clear rights, like deleting data, opting out of sharing, and preventing discrimination if they choose to protect their information. A federal framework could combine these features: clear transparency, limits on data use, and strong consumer rights. This would provide consistent nationwide protection while still letting states enact stricter rules if they choose.
Although these state frameworks provide a positive step forward in the gray area of wearables, these protections depend on the consumer’s residency. A comprehensive federal framework should incorporate and expand upon these state-level innovations. Specifically, federal law should adopt broader definitions of “consumer health data,” require clear privacy policies from these companies, mandate opt-in consent for sensitive health information, and prohibit discrimination against individuals who choose to exercise their privacy rights. Extending these standards nationwide would provide uniform protection while also preserving states’ ability to enact more stringent safeguards if desired.
As wearable technology becomes increasingly integrated into daily life and health care systems, privacy protections must evolve accordingly. Strengthening HIPAA, enhancing consent standards, and expanding comprehensive state-level models into a unified federal framework would better safeguard consumer health data while still allowing technological innovation to continue.
IV. Conclusion
Wearable healthcare devices provide substantial benefits through continuous health monitoring and preventative care, yet the sensitive data they generate often falls outside the protections of existing federal law. Because HIPAA’s entity-based framework does not adequately cover wearable technology companies, identical health information may receive inconsistent protection depending on who collects it. This inconsistency demonstrates the need to modernize privacy laws so that sensitive health information receives appropriate protection regardless of its source.
Addressing this gap requires a multifaceted approach. Reforming HIPAA to expand its scope or adopt a more data-based framework would help ensure that wearable-generated health information receives consistent protection. Strengthening opt-in consent requirements would provide consumers with clearer control over how their personal health data is collected and shared. Finally, harmonizing emerging state privacy frameworks into a more comprehensive federal model would provide uniform nationwide standards while still allowing states to enact stronger safeguards. Together, these reforms would allow wearable technology to continue advancing innovation in health monitoring while ensuring that consumer privacy keeps pace with technological change.
References
- [1] Chris Dietz & Joshua Warburton, Prescribing Wearable Tech: Quantification, Data Protection, and the Problem of Consent, 22 Med. L. Rev. 1, 4 (2025).
- [2] Alexandra Troiano, Wearables and Personal Health Data: Putting a Premium on Your Privacy, 82 Brook. L. Rev. 1715, 1733 (2017).
- [3] Id. at 1740.
- [4] Id. at 1718.
- [5] Kenny Gutierrez, Privacy in Wearables: Innovation, Regulation, or Neither, 13 Hastings Sci. & Tech. L.J. 21, 28 (2022).
- [6] S.Y. Lee & K. Lee, Factors That Influence an Individual’s Intention to Adopt a Wearable Healthcare Device: The Case of a Wearable Fitness Tracker, 129 Technol. Forecasting & Soc. Change 154 (2018), https://www.sciencedirect.com/science/article/pii/S004016251730207X.
- [7] Id.
- [8] Id.
- [9] Id.
- [10] Id. at 155.
- [11] U.S. Dep’t of Health & Human Servs., Covered Entities and Business Associates, https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html (last visited Mar. 20, 2026).
- [12] Steve Alder, What is Protected Health Information?, HIPAA J., https://www.hipaajournal.com/what-is-protected-health-information/ (last visited Mar. 6, 2026).
- [13] Id.
- [14] Id.
- [15] Paige Papandrea, Addressing the HIPAA-potamus Sized Gap in Wearable Technology Regulation, 104 Minn. L. Rev. 1095, 1096 (2019).
- [16] Id. at 1097.
- [17] Gutierrez, Privacy in Wearables, at 23.
- [18] Id.
- [19] Id. at 24.
- [20] B.J. Evans, The Forgotten Third Prong of HIPAA Preemption Analysis, 46 U.C. Davis L. Rev. 1175, 1179 (2013).
- [21] Jason C. Gavejian & Joseph J. Lazzarotti, Connecticut Adds Protections for Health Data and Minors to Privacy Law, Nat’l L. Rev. (July 18, 2023), https://natlawreview.com/article/connecticut-adds-protections-health-data-and-minors-to-privacy-law.
- [22] Paul F. Schmeltzer & Myriah V. Jaworski, New Privacy Law Alert: Washington’s My Health My Data Act, Clark Hill PLC (Apr. 20, 2023), https://www.clarkhill.com/news-events/news/new-privacy-law-alert-washingtons-my-health-my-data-act/.
- [23] Id.
- [24] Cal. Civ. Code § 1798.100 (LexisNexis 2026).
- [25] Id.
- [26] Cal. Privacy Prot. Agency v. Superior Court, 99 Cal. App. 5th 705, 713 (2024).
- [27] Doe v. Wellstar Health Sys., Inc., 799 F. Supp. 3d 1268, 1272 (N.D. Ga. 2025).
- [28] Id. at 1272.
- [29] Id. at 1277.
- [30] Id. at 1276.
- [31] Nienaber v. Overlake Hosp. Med. Ctr., 733 F. Supp. 3d 1072, 1084 (2024).
- [32] Id. at 1085.
- [33] Id. at 1089.
- [34] Id. at 1093.
- [35] Clemens v. ExecuPharm Inc., 48 F.4th 146 (3d Cir. 2022).
- [36] Id. at 150.
- [37] Id. at 155.
- [38] Id. at 158.
- [39] Attias v. CareFirst, Inc., 865 F.3d 620 (2017).
- [40] Reetz v. Advocate Aurora Health, Inc., 2022 WI App 59 (2022).
- [41] Charlie v. Rehoboth McKinley Christian Health Care Servs., 598 F. Supp. 3d 1145 (2022).
- [42] Id.
