
Your Health Insurance Company Wants Your Wearable Data. Here Is What That Actually Means.

James Hoffmann
June 16, 2026

TL;DR

John Hancock started offering discounted life insurance to customers who shared Fitbit data in 2018. By 2023, they had over a million participants. UnitedHealthcare, Aetna, and Cigna now run similar programs. The pitch is simple: share your step count, get lower premiums. The reality is more complicated. Your wearable data does not just prove you are healthy. It creates a permanent record of your health habits that insurers can use to raise rates, deny coverage, or justify exclusions. And the legal framework that protects medical records from this kind of use does not cover wearable data at all.


The pitch that sounds reasonable

Insurance companies have a problem they have been trying to solve for decades. They need to know how healthy you are to price your risk accurately. But they can only ask so many questions on an application, and people lie on applications. A 2020 study in the Journal of Insurance Medicine found that 12 to 15 percent of life insurance applicants misrepresent their health history. Not fraud, exactly. Just rounding down. A few pounds lighter. A few years since that last cigarette.

Wearables seemed like the answer. Instead of asking someone if they exercise, you can see their actual step count. Instead of trusting them to report their resting heart rate accurately, you have months of continuous data. The data is objective, or at least it looks objective. And the insurance industry loves objective data.

John Hancock was the first major carrier to go all in. In 2018, they announced that all new life insurance policies would include a wearable-linked wellness program called Vitality. Policyholders who shared Fitbit, Apple Watch, or Garmin data could earn premium discounts of up to 15 percent. The program was framed as a win-win. Healthier customers pay less. The insurer gets better risk data. Everyone benefits.

UnitedHealthcare followed with their Motion program, which rewards members for hitting daily step goals with up to $1,000 in annual gift card credits. Aetna launched a similar program through Apple Watch partnerships. Oscar Health built their entire brand around rewarding members for meeting activity goals. By 2025, an estimated 30 to 40 percent of large US employers offered some form of wearable-integrated wellness program, according to a survey by the Business Group on Health.

The pitch works because it is voluntary. You opt in. You get a discount. Nobody is forcing you.

But voluntary programs have a way of becoming less voluntary over time.



How the data flows

When you connect your wearable to an insurance wellness program, the data does not go straight to your insurer. It goes through a third party. John Hancock uses Vitality, which is run by Discovery Limited, a South African insurance group. UnitedHealthcare uses Rally (formerly Rally Health). These platforms aggregate data from multiple wearable brands and present it to the insurer in a dashboard.

The key detail is what data gets shared. Most programs only share aggregate metrics. Step count. Activity minutes. Sleep duration. They do not share raw PPG waveforms or GPS location data. But the line between aggregate and individual data is thinner than most people realize.

Here is how it works in practice. You authorize your wearable app to share data with the wellness platform. The wellness platform calculates a score based on your activity. That score determines your premium discount. The insurer sees the score, not your raw data. But the wellness platform has your raw data. And the terms of service for most programs allow the platform to use your data for research, product development, and in some cases, sharing with affiliates.

The Akerman LLP law firm published a detailed analysis in June 2025 of the legal risks in these programs. Their key finding: even when employers do not touch the data directly, liability can attach if the program is employer-sponsored. The data collected by wearables often qualifies as biometric information under state laws like Illinois BIPA, which imposes strict requirements on notice, consent, and data retention.

The problem is that most people do not read the data-sharing agreements. A 2024 study by the University of Pennsylvania found that only 2 percent of wearable users read the privacy policies of their wellness program. The other 98 percent clicked accept and moved on.



The fine print you did not read

I spent a few hours reading the terms of service for three major wearable insurance programs. Here is what I found.

John Hancock Vitality's terms allow them to share your data with "affiliates, partners, and service providers" for purposes including "underwriting, pricing, and product development." That means the data you share to get a discount can also be used to justify a rate increase. The terms explicitly state that Vitality can adjust your premium based on changes in your activity data, not just your initial enrollment.

UnitedHealthcare Motion's terms include a clause that allows them to use your data for "population health analytics." This sounds benign. It means they compare your data against everyone else in the program to identify trends. But population analytics can also identify high-risk individuals within the group. If your resting heart rate trends upward over six months, the algorithm flags you. Not for a discount. For a higher risk score.

Oscar Health's program is more transparent than most. They publish clear data-use policies and limit what third parties can access. But they still collect heart rate, step count, and sleep data, and their terms allow them to use it for "improving our services," which is broad enough to include risk modeling.

The common thread across all three programs is that the data you share is not protected by HIPAA. The Akerman analysis confirms this. HIPAA only applies to covered entities like healthcare providers and insurers acting in their traditional role. Wellness programs run by employers or insurance companies as incentives are not covered. Your wearable data lives in a regulatory gap where it can be collected, analyzed, and used for pricing decisions without the legal protections that apply to your medical records.



What happens when the data says something bad

The insurance industry frames these programs as purely beneficial. Share your data, get a discount. But the logic cuts both ways. If sharing good data gets you a discount, sharing bad data should logically get you a penalty. The industry does not talk about this part.

Here is a real scenario. You join a wellness program and connect your Oura Ring. For the first year, your activity data is good. You get the maximum discount. Then you develop a chronic condition. Your resting heart rate goes up. Your sleep quality drops. Your step count falls. The algorithm notices. Your premium goes up. Not because you filed a claim. Because your wearable data predicted you might.

This is not hypothetical. In 2022, the National Association of Insurance Commissioners published a report on the use of wearable data in underwriting. They found that several major carriers were already using wearable data to adjust premiums on existing policies, not just to set initial rates. The report raised concerns about adverse selection. People with good health metrics opt in and get discounts. People with poor metrics opt out and pay standard rates. Over time, the standard rate becomes a penalty for not sharing your data.

The EEOC has also weighed in. In 2017, their rules on wellness program incentives were vacated by a federal court, leaving employers with limited guidance on what constitutes a voluntary program. The Americans with Disabilities Act places strict limits on when employers can conduct medical examinations or make disability-related inquiries. A wearable program that offers large financial incentives or penalizes employees for opting out may not pass muster under the ADA.

The legal territory is unsettled. But the data is already flowing.


The privacy gap nobody is closing

The regulatory gap between medical data and wearable data is not an accident. HIPAA was written in 1996, before consumer wearables existed. It was designed to protect data held by doctors, hospitals, and insurers in their traditional roles. It was not designed for a world where your ring collects more health data than your primary care visit generates.

Several states have tried to fill the gap. Illinois BIPA requires written consent for biometric data collection. California's CPRA gives consumers the right to know what data is collected and to request deletion. Washington state passed the My Health My Data Act in 2023, which imposes consent requirements on health data collected outside HIPAA. But these laws are patchwork. They apply in some states and not others. And they are enforced by state attorneys general, not by a federal agency with dedicated resources.

The Athletech News reported in November 2025 on a new federal bill that would extend HIPAA-like protections to wearable data. The bill, called the Health Data Protection Act, was introduced by a bipartisan group of senators. It would require companies that collect health data from wearables to obtain explicit consent, limit data sharing with third parties, and allow users to delete their data. The bill has not passed. It may not pass. But the fact that it was introduced at all tells you something about how serious the problem has become.

In the meantime, the data keeps flowing. John Hancock's Vitality program now has over a million participants. UnitedHealthcare's Motion program covers hundreds of thousands of members. The wearable insurance market is projected to grow to $7.5 billion by 2028, according to a report by Grand View Research.


What Pulsyn does differently

I am building Pulsyn because I think the current model is broken. Not just the subscription model, which I have written about before. The data model.

Pulsyn processes all health data on-device. Your heart rate, HRV, SpO2, sleep stages, and stress metrics never leave your phone unless you explicitly choose to share them. There is no cloud sync by default. There is no third-party data aggregator. There is no wellness program dashboard that an insurance company can access.

The optional Pulsyn Pro tier offers cloud AI for deeper analysis, but it uses end-to-end encryption with zero-knowledge architecture. We cannot read your data. We cannot sell your data. We cannot share your data with an insurance company because we do not have access to it in the first place.

This is not a feature. It is a design constraint that shapes every decision we make. The app does not have a login screen because there is no server to log into. The encryption uses 600,000 PBKDF2 iterations because that is the OWASP 2023 recommendation for HMAC-SHA256. The local database uses SQLCipher with AES-256-GCM. These are not marketing numbers. They are the minimum bar for keeping your data yours.
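To make the key-derivation bar above concrete, here is an added example (not Pulsyn's own code) of deriving a 256-bit local-database key from a user passphrase with PBKDF2-HMAC-SHA256 at the OWASP 2023 floor of 600,000 iterations, refusing anything weaker, and handing it to SQLCipher as a raw key. The passphrase, salt handling and the `PRAGMA key` raw-key form are assumptions for the illustration, not details taken from the app.

```python
import hashlib
import os

# OWASP 2023 password-storage floor for PBKDF2-HMAC-SHA256 (the figure the post cites).
OWASP_2023_PBKDF2_SHA256_MIN_ITERATIONS = 600_000
KEY_LEN = 32   # 256-bit key for an AES-256 database cipher
SALT_LEN = 16  # per-database random salt, stored beside the file, not secret


def derive_db_key(passphrase: str, salt: bytes,
                  iterations: int = OWASP_2023_PBKDF2_SHA256_MIN_ITERATIONS) -> bytes:
    """Stretch a user passphrase into a 32-byte key with PBKDF2-HMAC-SHA256.

    Iteration counts below the OWASP 2023 floor are rejected so that a
    misconfigured build cannot silently ship weaker key derivation.
    """
    if iterations < OWASP_2023_PBKDF2_SHA256_MIN_ITERATIONS:
        raise ValueError(
            f"{iterations} PBKDF2 iterations is below the OWASP 2023 floor of "
            f"{OWASP_2023_PBKDF2_SHA256_MIN_ITERATIONS}"
        )
    if len(salt) < SALT_LEN:
        raise ValueError(f"salt must be at least {SALT_LEN} random bytes")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def sqlcipher_raw_key_pragma(key: bytes) -> str:
    """Format the derived key in SQLCipher's raw-key form, x'<64 hex digits>'.

    Supplying a raw key makes SQLCipher use it directly instead of running its
    own (default-strength) derivation over a passphrase.
    """
    if len(key) != KEY_LEN:
        raise ValueError("SQLCipher raw keys must be exactly 32 bytes")
    return f"PRAGMA key = \"x'{key.hex().upper()}'\";"


def new_salt() -> bytes:
    """Fresh random salt for a newly created database."""
    return os.urandom(SALT_LEN)


if __name__ == "__main__":
    # Constructed demo values; in an app the passphrase comes from the user.
    salt = new_salt()
    key = derive_db_key("correct horse battery staple", salt)
    print(sqlcipher_raw_key_pragma(key))
```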

I am not sure this approach will win in the market. The insurance-linked wellness model is popular because it gives people a tangible financial incentive to share their data. A $200 ring with no subscription is a harder sell than a $349 ring that pays for itself through premium discounts. But I think the tradeoff is worth it. Your health data is the most sensitive data you generate. It should not be used to set your insurance rates without your explicit, informed consent.


What you can do right now

If you are wearing a smart ring or fitness tracker and participating in an insurance wellness program, here are three things worth checking.

First, read the data-sharing terms of your wellness program. Look for phrases like "affiliates," "risk assessment," and "product development." These are the clauses that allow your data to be used for purposes beyond your discount.

Second, check whether your wearable has a privacy mode. Oura has a "privacy mode" that limits data sharing. Apple Watch has granular controls for which apps can access health data. Most wearables have these settings. Most people never use them.

Third, ask your employer whether participation in the wellness program is truly voluntary. If the premium difference between participating and not participating is large enough to feel like a penalty, it may not be voluntary in practice, even if it is voluntary on paper.

And if you want a wearable that does not share your data with anyone by default, that is what we are building.


About the author

James Hoffmann is the founder of Pulsyn. He has been building privacy-first health technology for two years and thinks your insurance company does not need to know your resting heart rate.


References

  1. Akerman LLP. "HRDef: Fitbits at Work: Navigating the Legal Risks of Wearables in Corporate Wellness Programs." June 2025.
  2. National Association of Insurance Commissioners. "Wearable Technology and Insurance: Regulatory Considerations." 2022.
  3. Journal of Insurance Medicine. "Prevalence of Health History Misrepresentation in Life Insurance Applications." 2020.
  4. University of Pennsylvania. "Privacy Policy Readership in Digital Wellness Programs." 2024.
  5. Business Group on Health. "Large Employer Wellness Program Survey." 2025.
  6. Grand View Research. "Wearable Insurance Market Size Report." 2025.
  7. Athletech News. "Wearables Have Lived Outside HIPAA. A New Bill Could Change That." November 2025.
  8. EEOC. "Wellness Program Rules Vacated by Federal Court." 2017.