Health Data Privacy: What Your Wearable Knows About You
Your fitness tracker knows your heart rate, sleep patterns, menstrual cycle, location, and activity levels. Here is what happens to that data — and what you can do about it.
What Data Wearables Actually Collect
Consumer wearables collect considerably more data than most users realize. Beyond the obvious biometrics (heart rate, steps, calories), modern wearables generate:
- Continuous location data: GPS wearables log every movement, creating a detailed record of where you go, how often, and for how long.
- Sleep patterns: Time you go to bed, wake up, your sleep quality, restlessness — longitudinal data that reveals far more about your lifestyle than discrete measurements suggest.
- Stress indicators: HRV patterns used to infer psychological stress levels.
- Reproductive health data: Period tracking apps collect menstrual cycle data, fertility markers, sexual activity logs, and pregnancy information.
- Behavioral patterns: Exercise frequency, sedentary periods, device usage patterns.
- Inferred health conditions: Some data brokers have demonstrated the ability to infer conditions such as hypertension, diabetes, and mental health disorders from wearable behavioral patterns.
What HIPAA Actually Covers (And Doesn't)
The Health Insurance Portability and Accountability Act (HIPAA) is widely misunderstood. HIPAA applies to "covered entities" — healthcare providers, health plans, and healthcare clearinghouses — and their business associates. It does not apply to consumer health apps, wearable manufacturers, or wellness platforms unless those entities are acting as business associates of a covered entity.
Practical consequence: your Apple Watch heart rate data, Fitbit sleep data, Clue period tracking data, and MyFitnessPal nutrition logs are not protected by HIPAA. They are governed only by the company's own privacy policy and applicable state law.
States with stronger health data protections (California's CCPA, Washington's My Health My Data Act, and similar legislation in 12+ states as of 2026) provide some protections for consumer health data, but they vary significantly and are subject to change.
How Health Companies Use Your Data
Health tech companies monetize data in several ways that privacy policies permit:
First-Party Advertising
Companies use your health data to serve targeted advertising within their own apps. This is the most benign use — your data stays within one company's ecosystem.
Third-Party Data Sharing
Many apps share data with third-party analytics providers, advertising networks, and data brokers. These third parties may combine your health data with other databases to create detailed personal profiles. The 2021 report by the Norwegian Consumer Council documented that Grindr and multiple period tracking apps shared sensitive data with 135+ third parties, many of them advertising technology companies.
Research and Training Data
Anonymized (or "de-identified") health data is licensed to research institutions, pharmaceutical companies, and insurance actuaries. The ability to truly anonymize health data is contested — several academic studies have demonstrated re-identification of individuals from "anonymized" health datasets using publicly available auxiliary data.
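To make the re-identification concern concrete, here is an added example (written for this article, not taken from any study, vendor or dataset it mentions) that audits a constructed "de-identified" wearable export: it measures k-anonymity over the quasi-identifiers zip / birth year / sex, shows how a single constructed auxiliary record (the kind of public listing such studies use) links to exactly one person's health fields, and applies generalisation as the mitigation before release.

```python
from collections import Counter

# Constructed "de-identified" wearable export (not real data): names and account ids were
# stripped, but the quasi-identifiers zip / birth year / sex survive next to the health fields.
DEIDENTIFIED_EXPORT = [
    {"zip": "98101", "birth_year": 1984, "sex": "F", "resting_hr": 58, "cycle_days": 29},
    {"zip": "98101", "birth_year": 1984, "sex": "F", "resting_hr": 64, "cycle_days": 31},
    {"zip": "98101", "birth_year": 1991, "sex": "M", "resting_hr": 71, "cycle_days": None},
    {"zip": "98102", "birth_year": 1993, "sex": "M", "resting_hr": 68, "cycle_days": None},
    {"zip": "98102", "birth_year": 1976, "sex": "F", "resting_hr": 62, "cycle_days": 27},
    {"zip": "98102", "birth_year": 1976, "sex": "F", "resting_hr": 66, "cycle_days": 28},
    {"zip": "98102", "birth_year": 1976, "sex": "F", "resting_hr": 59, "cycle_days": 30},
]
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Count records per quasi-identifier combination; class size bounds how precisely a record can be linked."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Smallest class size k. k == 1 means at least one person is unique on the quasi-identifiers alone."""
    return min(equivalence_classes(records, keys).values())


def release_check(records, k_required=2, keys=QUASI_IDENTIFIERS):
    """Quasi-identifier combinations below the required k; these need generalisation or suppression before release."""
    return sorted(key for key, n in equivalence_classes(records, keys).items() if n < k_required)


def linkable_records(records, auxiliary, keys=QUASI_IDENTIFIERS):
    """Records whose quasi-identifiers equal one auxiliary record (e.g. a public listing with zip, birth year, sex).
    A single hit means that person's health fields are effectively no longer anonymous."""
    return [r for r in records if all(r[k] == auxiliary[k] for k in keys)]


def generalise(record):
    """Mitigation: coarsen zip to its 3-digit prefix and birth year to a decade."""
    return {**record, "zip": record["zip"][:3], "birth_year": record["birth_year"] // 10 * 10}


if __name__ == "__main__":
    print("k before generalisation:", k_anonymity(DEIDENTIFIED_EXPORT))  # 1
    print("unique combinations:", release_check(DEIDENTIFIED_EXPORT))
    public_listing = {"zip": "98101", "birth_year": 1991, "sex": "M"}  # constructed auxiliary record
    print("linked health records:", linkable_records(DEIDENTIFIED_EXPORT, public_listing))
    coarse = [generalise(r) for r in DEIDENTIFIED_EXPORT]
    print("k after generalisation:", k_anonymity(coarse))  # 2
```

Real releases use the same check with many more quasi-identifiers (dates of activity, device model, coarse location traces), which is why k collapses to 1 far more easily than the three fields here suggest.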
Law Enforcement Requests
Health companies receive subpoenas and warrants for user data. Following the Dobbs v. Jackson decision, there have been documented instances of period tracking app data being subpoenaed in abortion-related criminal investigations. This is a live legal issue — companies' policies on law enforcement data requests vary from proactive compliance to active legal contestation.
Our 25-Point Privacy Assessment Framework
Every health app reviewed on Health Tech Reviews is assessed against our 25-point privacy checklist, which evaluates:
- Data categories collected (what specific data types)
- Third-party data sharing (named third parties)
- Data encryption at rest and in transit
- HIPAA compliance posture (where applicable)
- Data deletion provisions (right to erasure)
- Data portability (can you export your data)
- Law enforcement data request policy
- Data breach history and response
- Opt-out mechanisms for data sharing
- Privacy policy reading grade level and clarity
Apps scoring below 15/25 receive a privacy warning in their review. Apps with documented data incidents receive a permanent disclosure notice.
Protecting Your Health Data: Practical Steps
- Use Apple Health or Google Health Connect as a firewall: Grant apps read access to Apple Health rather than directly to your wearable's cloud. Apple Health does not allow apps to share Apple Health data with third parties.
- Audit app permissions periodically: On iOS: Settings → Privacy → Health. Remove access for apps you no longer use actively.
- Read the data sharing section of privacy policies: Skip the generic sections, look specifically for "Third-Party Sharing" and "Law Enforcement" disclosures.
- Use a dedicated email for health accounts: Prevents your health data from being combined with your primary identity across multiple data broker databases.
- Exercise deletion rights proactively: Before deleting a health app, request data deletion via their privacy portal. Simply deleting the app does not delete your data from their servers.
- For reproductive health data specifically: Consider apps with on-device-only storage (no cloud sync), or apps based in jurisdictions with strong health data protections.