Wearables Have Lived Outside HIPAA. A New Bill Could Change That
Consumer biodata may be entering a regulated era. Is the wearable industry ready to meet it?
Wearables have become the wellness consumer’s most trusted sidekick and a major opportunity for brands that rely on real-time metrics and insights. But the data behind those devices still lives in a regulatory gray zone, and Washington has noticed.
Senate Health, Education, Labor and Pensions Committee chair Bill Cassidy, MD (R-La.) has introduced the Health Information Privacy Reform Act, a bill that would bring new privacy standards to smartwatches, rings, trackers and health apps that currently fall outside the Health Insurance Portability and Accountability Act, commonly known as HIPAA.
A Bill for the Wild West of Wearables
HIPAA was written to cover traditional provider-patient interactions, and Cassidy argues that it has not kept pace with products that deliver health insights to people who never enter a medical setting.
And because wearables and wellness apps are built and operated by consumer tech companies, rather than healthcare providers, the data they collect usually falls outside HIPAA entirely.
“Smartwatches and health apps change the way people manage their health,” Cassidy said in a press release. “They’re helpful tools, but present new privacy concerns that didn’t exist when it was just a patient and a doctor in an exam room. Let’s make sure that Americans’ data is secured and only collected and used with their consent.”
If the bill passes, companies that collect health metrics would need to explain clearly what information they gather and how it is used or shared. It also opens the door to exploring whether consumers should have the option to share their data for research and be compensated for doing so.
Whoop Lands in the Regulatory Spotlight
The proposed bill also comes at a time when regulators have been taking a closer look at how wellness features are presented across the wearable category.
In July, the U.S. Food and Drug Administration sent wearable giant Whoop a warning letter stating that its Blood Pressure Insights feature is a medical device that lacks required marketing authorization under federal law.
Whoop has disagreed with the interpretation and has defended Blood Pressure Insights as a wellness feature rather than a diagnostic tool.

More Devices, More Data & MAHA
The surge in wearable adoption adds even more pressure. U.S. retail sales of fitness trackers are up 88% year-to-date compared to 2024, according to new data from Circana, and more than 1.3 million devices were sold in the first seven months of 2025, a 35% year-over-year increase. Smart rings now dominate the category, loved by Gen Z and accounting for 75% of tracker revenue, up from 46% a year ago.
Amid this activity, federal interest in wearables is rising, too. The push appears to align with themes in the Make America Healthy Again (MAHA) movement. Earlier this summer, Health and Human Services Secretary Robert F. Kennedy Jr. said the department plans to launch one of its largest national efforts to encourage Americans to use a wearable health device.
“My vision is that every American is wearing a wearable within four years,” Kennedy Jr. said.
Wearable Companies Shift to Clarity Mode
At the same time, some companies are already moving toward greater transparency around how they handle health data. Whoop appears to be one of them.
The human performance brand’s privacy policy shows a last updated date of October 9, though it’s unclear what was changed. The notice outlines how the company collects, uses and protects member data and makes clear that it is not a HIPAA-covered entity, at least under current rules.
Whoop’s more advanced features, such as ECG readings and Blood Pressure Insights, fall under medical device regulations, and the company says the data from those features is stored separately from other member data and encrypted. Whoop has created a page that details how these regulated features are managed and how members can control their data.
Oura Moves to Reassure Its Community
It’s not just government officials paying attention; consumers are getting louder about data transparency, too.
Smart ring leader Oura faced a wave of user concern in August after announcing a collaboration involving data analytics giant Palantir on projects with the U.S. Department of Defense, with users on Reddit and TikTok questioning how their data would be handled.

Oura published a detailed response reiterating that member data is not sold, rented or shared with government entities without explicit consent and that its work with the U.S. Department of Defense is limited to service members enrolled in specific programs. The company outlined how it encrypts and protects user information, emphasized its privacy-first business model and noted that its enterprise platform sits entirely separate from its consumer offering.
Sometimes it’s not just heart rate or sleep data at stake, as Swedish officials were reminded. As widely reported this summer, the country’s national security service said it was investigating reports that bodyguards accidentally exposed the private travel locations of high-profile officials, including the king and queen, after the bodyguards’ own running and cycling routes, logged with public visibility on the social fitness app Strava, revealed where the officials were.

