Wearables and Consent: What Patients Need to Know

If I use a health wearable, I should assume my data may have fewer legal protections than I expect. A heart-rate reading in my doctor’s chart may be covered by HIPAA, but the same reading in a watch app may not be. And since only 9% of people read full terms before tapping “accept,” many users agree to data sharing without knowing where their information goes.

Before I say yes, I need to know a few basic things:

  • Who controls my data: often the device or app company, not my doctor
  • What law applies: HIPAA may cover clinic records, but not most consumer apps
  • Who may get access: app partners, ad companies, researchers, or other third parties
  • What “anonymous” can mean: de-identified or aggregated data can still carry risk
  • How to limit sharing: check permissions, use deletion tools, and share only what I need

A few facts stand out. One FTC study found health apps and devices sent data to 76 third parties. Another report found some health apps shared data with more than 135 third parties. And research cited here says some “anonymized” wearable data has been re-identified at rates up to 86%.

Here’s the short version: I should treat wearable consent like a health decision, not a setup screen. That means checking what is collected, where it is stored, how long it is kept, and how to turn access off later. This is especially important when using an AI-driven health app that integrates deeply with your personal data.

Topic               What I should know
Data control        The app company often sets the rules
HIPAA               Usually covers providers, not most consumer wearables
Data sharing        May include analytics, ads, research, or AI training
Deletion            Deleting the app does not delete server data
Best privacy step   Share the least amount of data needed

If I want the health upside without giving away too much, the safest move is simple: review permissions, ask direct questions, and keep sharing narrow unless I have a clear reason not to.

Wearable Consent and Data Privacy: What Patients Need to Know

Wearable consent is often murky because app terms, not patient intent, decide how data gets used. And with round-the-clock tracking, one vague permission can expose months of personal health data.

Who Actually Owns and Controls Your Data

Your doctor usually doesn't control your wearable data. In most cases, the device maker or app company does.

Your clinician only sees what you choose to share with them or what gets pulled into their Electronic Health Record (EHR) system. But seeing data isn't the same as controlling it. That's the catch. Patients may be able to view their own numbers, yet still have very little say over how that data is stored, shared, or reused.

For most wearables, the rules come from the terms of service and privacy policy - not from any plain idea of patient ownership.

And once data leaves your device, it can go much farther than people think. A 2014 FTC study found that 12 mobile health applications and devices transmitted user health information via real-time data sync to 76 separate third parties. Of those third parties, 18 received device IDs and 22 had access to additional health information [5]. That's a big deal because chronic-care wearables don't collect data once. They collect it all the time.

When you set up a new wearable, you're often agreeing to several things in one shot, all tucked behind a single "Accept" button.

Access to the app's main features can be bundled with permission to use your data for analytics, AI training, research, or marketing. So what looks like a simple setup step may carry a lot more baggage than users expect.

A 2021 report found that certain health-related apps shared sensitive user data with more than 135 third parties, and most of them were advertising technology companies [2]. The fine print was in the privacy policy, but most users never read it.

The FTC's action against Flo Health shows how this can play out. The fertility-tracking app allegedly shared sensitive health data with Facebook and Google for advertising purposes, despite telling users their data was private. A follow-on class-action lawsuit led to settlements in which Flo Health paid $8 million and Google paid $48 million [6].

Why HIPAA Does Not Always Cover Wearable Data

The legal label changes everything. HIPAA applies to covered entities, not all health data. It covers hospitals, health plans, and their business associates [3][7].

Most consumer wearable companies are tech companies, not healthcare providers. Unless they have a formal Business Associate Agreement (BAA) with your clinician, they usually sit outside HIPAA's reach [5]. That means heart rate, sleep, and ECG data may be HIPAA-protected in a clinic, but not when the same data sits inside a consumer app.

Most Americans don't realize HIPAA does not stop health apps from selling collected data [4]. That's a major blind spot. And it's one reason this issue sticks around so stubbornly: people assume the law protects data that, in many cases, it doesn't. Before you tap "Accept," it's worth knowing which rights you still have - and which ones you may already be giving away.

What Patients Need to Know Before Saying Yes

If the last section showed why consent gets blurry, this section gets practical: what should you check before you agree?

Real consent starts with plain English. You should be told what data is being collected, why it's being collected, who can access it, how long it's kept, and how to revoke access. Too often, wearable setup screens hide those details inside long legal text that almost nobody reads. Good consent should use layered notices: a short plain-language summary, separate opt-ins for sensitive uses, and a clear way to pull permission back.

Your rights usually go further than many people think. In many cases, you should be able to:

  • View your data
  • Download it
  • Correct it
  • Delete it
  • Limit sharing

One small but important detail: deleting an app from your phone does not delete your data from company servers. If you want data erased, you usually need to submit a deletion request through your account settings or the app's privacy portal.

That matters because legal protection often depends on where the data lives.

Protected Health Information Versus Consumer Health Data

The same heart rate reading can be treated very differently under the law depending on where it was recorded.

If your cardiologist records your heart rate during an office visit, that data is Protected Health Information (PHI). It falls under HIPAA, which sets strict rules on who can view or share it. If your smartwatch logs that same number during a walk, it's consumer health data. In that case, the rules usually come from the company's privacy policy and any state consumer privacy laws that apply.

If your clinic pulls smartwatch data into your Electronic Health Record (EHR) for treatment, that copy becomes PHI. But the copy still stored on the device company's servers stays consumer health data.

                    PHI                                  Consumer Health Data
Main rule set       HIPAA (federal)                      FTC oversight and state privacy laws (e.g., CCPA, MHMDA)
Typical collector   Doctors, hospitals, insurers         Tech companies (Apple, Fitbit, Garmin)
Can it be sold?     Not without specific authorization   Sometimes, depending on the policy and state law
Example             Heart rate recorded at a clinic      Heart rate recorded by a smartwatch

That difference isn't just legal fine print. It shapes what a company can do with your data and what you can do to control it.

Even when data is described as "anonymous", risk doesn't disappear.

What De-identified, Aggregated, and AI-Processed Data Mean for You

De-identified data has had direct personal identifiers removed. In the U.S., once data is de-identified, HIPAA no longer applies to it [8]. Aggregated data combines information from many users to show broad patterns instead of one person's record.

On paper, that sounds safe. In practice, it can get messy.

Research has found that supposedly anonymized wearable data can be re-identified with success rates as high as 86%, sometimes using as little as five minutes of live data from a device such as an ECG or gait sensor [8]. For people managing chronic conditions, the risk can grow over time. Long-term tracking creates more data points, and more data points can make downstream reuse easier.

AI-analyzed data adds one more layer. AI systems can pull together wearable data, biometrics, bloodwork, and lifestyle information to generate recommendations. With tools like Healify, patients should check whether their personal data is used to train or improve AI models.

Practical Steps to Protect Your Privacy Without Losing Useful Features

Once you know where wearable data can end up, the next step is pretty simple: check a few key points before you connect anything.

Focus on five things before you hit accept:

  • what data is collected
  • how it's used
  • who receives it
  • how long it's kept
  • how to opt out of specific uses

Don't waste time on the generic intro sections. Jump straight to headings like "Third-Party Sharing," "Data Retention," and "Law Enforcement." Those sections usually show how a company handles your information in practice [2].

Watch for vague wording. Phrases like "may share your data with third parties" or consent forms with no per-feature opt-out should make you pause [9]. It's also smart to check whether the app uses local storage or cloud storage. With local storage, data stays on your phone. With cloud storage, data goes to company servers. Local storage lowers exposure [9].

Questions to Ask Your Clinician or App Provider

If the policy still feels murky, ask direct questions before linking the device.

  • Will my data enter my official medical record? [9][1]
  • Who has access to my data, and is it shared with advertisers or data brokers? [2]
  • Can I disconnect specific data streams - like location or sleep tracking - without losing core features? [1]
  • What happens to my data when I stop using the device or switch providers? [9][2]

If a provider or app company can't answer those clearly, that's useful information on its own. It tells you a lot about how seriously they treat privacy.

Sharing More Data Versus Sharing Only What You Need To

There is a real trade-off here. In most cases, the safest setup is the least permissive one that still lets the feature work.

Sharing more data - syncing all sensors, turning on cloud backup, and linking multiple platforms - can open the door to useful features like personalized AI coaching, real-time clinician alerts, and long-term trend analysis [9]. But it also increases exposure to data brokerage, re-identification risk, and possible use in places you may not expect, like life insurance underwriting [10].

Sharing less keeps your data footprint smaller and lowers risk, but you may lose some "smart" features or need to enter data by hand [9].

Broader sharing (cloud sync, all sensors)
  Potential benefits: personalized AI coaching, real-time clinician alerts, longitudinal health trends [9]
  Potential risks: data brokerage, re-identification, legal requests [2][1]
  How patients can reduce risk: audit third-party access monthly; use local storage where available [9]

Narrower sharing (local storage, specific permissions)
  Potential benefits: stronger privacy, smaller data footprint, lower leak risk [9]
  Potential risks: fewer cloud backups, limited cross-app features, less personalized insights [9]
  How patients can reduce risk: grant read-only access to Apple Health as a firewall rather than linking wearable clouds directly [2]

A good middle ground is to give apps read access through Apple Health instead of linking them straight to a wearable company's cloud. Apple Health works like a firewall: the app can read only what you allow, but it doesn't get direct access to the wearable cloud [2].

In Healify, review wearable integration settings, turn off any data type you don't need, and match sharing levels to your comfort.

U.S. Rules, Patient Rights, and Key Takeaways

HIPAA, FTC Oversight, and State Privacy Laws: The Basics

Once consent is clear, the next step is figuring out which legal rules apply.

In the U.S., wearable privacy law is patchy. And those gaps matter.

HIPAA applies to health plans, clearinghouses, most providers, and their business associates. But consumer wearables usually sit outside HIPAA and fall under FTC oversight and state privacy law instead.

Outside HIPAA, the FTC is the main federal regulator for consumer health apps and wearables. Its Health Breach Notification Rule now clearly covers health apps and platforms that fall outside HIPAA's reach [12]. Violations can bring civil penalties, and regulators do enforce the rule.

State law adds another layer. Washington's My Health My Data Act and California's CPRA treat some wearable metrics, like heart rate and sleep data, as sensitive personal information. Washington also requires opt-in consent before collection or sharing [12]. So your privacy rights can change based on where you live.

And, of course, rights on paper don't do much unless you use them.

How to Use Your Data Rights in Practice

Knowing your rights helps. Using them is what makes the difference.

Start by asking for a copy of your data. Many apps include a "download your data" option in account settings. If you want your data erased, send a formal deletion request through the company's privacy portal. Deleting the app from your phone does not remove data from the company's servers [2].

On iPhone, go to Settings → Privacy → Health to check which apps can access your health data. Remove access for apps you no longer use [2]. Turn on multi-factor authentication for all health-related accounts [13]. If you think an app shared your data without your permission, report it to the FTC or your state Attorney General [11][13].

Enforcement is possible, but it usually happens after the damage is done.

What Patients Using Wearables Should Remember

Wearable data can help with patient-centered treatment plans and chronic care. It can give better trend tracking, faster feedback from clinicians, and more tailored guidance. But consent is not just clicking "I agree." It means knowing what data is being collected, where it goes, who can see it, and how to take it back.

A simple habit goes a long way: review permissions on a regular basis. Check access, remove old permissions, and only share the data a feature actually needs.

FAQs

How can I tell if my wearable data is protected by HIPAA?

HIPAA protects wearable health data only when a covered entity handles it as protected health information. That includes health care providers, health plans, and their business associates.

Here’s the simple way to think about it: if your wearable data flows into a HIPAA-covered setup, like medical record integration with your doctor or insurer, HIPAA may apply. If it doesn’t, it likely isn’t HIPAA-protected.

What should I check before I tap "Accept" on a wearable app?

Before you tap Accept, take a minute to see how the app handles your health data. Read the privacy policy and look for the basics: what data it collects, how long it keeps that data, and whether it shares anything with third parties.

It also helps to check your control options. Can you opt out of sharing? Can you withdraw consent later? And if you decide to leave, does the app let you export or delete your data? A good policy should also spell out its encryption standards in plain English.

How do I fully delete my wearable data, not just the app?

Deleting the app from your phone does not remove your data from the company’s servers. If you want it gone for good, submit a deletion request through the platform’s privacy portal before you uninstall the app.

It’s also smart to check the manufacturer’s privacy policy for its data deletion or “right to erasure” steps. And if you’re getting rid of the device itself, do a factory reset to wipe any information stored on it locally.
