
Your Wearable Data Isn't Covered by HIPAA. The FTC, Congress, and 20 States Are Trying to Fix That.

James Hoffmann
June 5, 2026 · 11 min read

TL;DR

Your Oura, WHOOP, or Fitbit data is not protected by HIPAA. It never has been. The FTC launched a healthcare task force on March 23, 2026. Congress introduced at least three bills. Twenty states passed their own privacy laws. But none of this fixes the core problem: if your health data lives on a company's server, legislation only changes what they can do with it. Pulsyn removes the server entirely.

What HIPAA actually covers (and why your wearable data isn't included)

HIPAA, the Health Insurance Portability and Accountability Act, was signed in 1996. It applies to "covered entities": healthcare providers, health plans, and healthcare clearinghouses. It also applies to their "business associates" (companies that handle health data on their behalf).

Your Oura ring is not a covered entity. Neither is WHOOP, Fitbit, Garmin, or Apple. When you sync your sleep data to Oura's cloud, that data is not protected by HIPAA. It is protected by Oura's privacy policy. A privacy policy is a promise. Promises can change.

This is not a loophole. It is the design of the law. HIPAA was written for medical billing, not for consumer fitness trackers. The law predates the iPhone by eleven years. It predates the Oura ring by twenty-four years. Congress in 1996 did not foresee a world where a titanium ring on your finger would stream your heart rate variability to a server in Finland.

The Federal Trade Commission has acknowledged this gap explicitly. In a 2021 policy statement, the FTC clarified that health apps and fitness trackers fall outside HIPAA and are instead subject to the FTC Act and the Health Breach Notification Rule. The FTC can act, but its authority is narrower than HIPAA. It cannot impose the same criminal penalties. It cannot require the same data minimization standards. It is a smaller hammer hitting a bigger target.

The result is a legal gray zone. Your doctor's office cannot share your blood pressure reading without your consent. But Oura can share your HRV, sleep stages, and menstrual cycle data with third-party advertisers, and the legal framework for stopping them is murky. ClassAction.org and Milberg LLC are currently investigating Oura for allegedly doing exactly that: sending private health data, including gender, height, weight, women's health data, and sleep metrics, to third-party advertisers without consent. (ClassAction.org Issue #389, April 29, 2026.)

A medical records file with patient health data. The exact type of information HIPAA protects in a hospital but not on your wearable device

The FTC healthcare task force

On March 23, 2026, the Federal Trade Commission announced a new Healthcare Task Force. According to Fierce Healthcare and Crowell & Moring, the task force is identifying "new priority areas for enforcement" in health tech. The FTC is explicitly targeting health apps and wearables that operate outside HIPAA.

This is a big deal. The FTC has enforcement power. It can fine companies. It can force consent decrees. It can ban specific business practices. But the FTC's task force is reactive. It punishes companies after they misuse data. It does not prevent the misuse from happening in the first place.

The FTC's action is also narrow. It focuses on "unfair or deceptive practices." If a company changes its privacy policy and notifies you in an email you did not read, that might not be deceptive under current law. If a company anonymizes your data before selling it, the FTC might not have jurisdiction at all. Anonymization is a weak defense: researchers have repeatedly shown that de-anonymization of health data is possible, especially when combined with location or demographic information.

The FTC task force is necessary. It is not sufficient.

Consider the timeline. The FTC typically investigates for months or years before taking action. In the meantime, your data is already collected, already stored, already being used for purposes you did not anticipate. The FTC's action is a speed bump, not a wall. It might fine a company millions of dollars, but that fine is a cost of doing business. Meta paid $5 billion for Cambridge Analytica. It still collects data.

The three bills in Congress

Congress has noticed the gap. At least three federal bills have been introduced in 2026 to address consumer health data privacy.

The first is the You Own the Data Act (YODA), H.R.8652, introduced May 4, 2026. It gives individuals control over the collection and sharing of their personal data. The bill received 838 upvotes on r/privacy, which is a decent signal of public interest, though Reddit upvotes are not a legislative scorecard.

The second is the SMARTWATCH Data Act, reintroduced by Senator Bill Cassidy (R-LA), chair of the Senate HELP Committee. This bill would extend HIPAA-like protections to wearable and wellness app data. It would require HHS and FTC rulemaking. The bill was first introduced in November 2025 as the Health Information Privacy Reform Act and has since been covered by Fierce Healthcare, the ABA, HIPAA Journal, Cato, and Athletech News.

The third is a new federal privacy legislation attempt by House Republicans, introduced April 24, 2026. According to the HIPAA Journal, this bill would preempt state privacy laws, including Washington's My Health My Data Act. Preemption is a double-edged sword: it creates a national standard, but it might override stronger state protections.

All three bills face the same structural problem. They regulate what companies can do with data they already possess. They do not prevent companies from possessing the data in the first place. Oura is reportedly lobbying to water down the SMARTWATCH Data Act. (TechRadar, cited in our June 3 privacy intel brief.) When a company's business model depends on your data, its incentives and your interests are not aligned.

The US Capitol building, where three bills are currently trying to close the wearable data privacy gap that HIPAA left open

The state law patchwork

While Congress debates, states are moving. Twenty-plus US states now have their own privacy laws. Indiana, Kentucky, and Rhode Island's laws took effect in 2026. Oklahoma enacted its law on March 27, 2026. Alabama passed its privacy bill unanimously (104-0 in the House, 34-0 in the Senate) and awaits the governor's signature.

New York added a specific consumer protection angle. On May 8, 2026, Governor Kathy Hochul signed the "One Fair Price" law, which requires subscription cancellation to be as easy as signing up. Algorithmic pricing must be disclosed. This does not directly protect health data, but it does attack the subscription model that wearable companies use to monetize your biometric stream.

The state patchwork creates a compliance nightmare for wearable companies. Oura must comply with California's automatic renewal law (which it is currently accused of violating, per TopClassActions.com). It must comply with Washington's My Health My Data Act. It must comply with New York's subscription law. And if the House GOP federal bill passes, all of those state laws might be preempted.

For consumers, the patchwork is worse. Your protections depend on your zip code. Move from Seattle to Phoenix and your legal rights change. This is not a privacy strategy. It is a legal circus.

Washington's My Health My Data Act is one of the strongest state laws. It requires explicit consent for collecting and sharing health data. It defines health data broadly, including biometric information, which covers everything a smart ring measures. But the law only applies in Washington. If you live in Texas, you do not have those protections. If you live in Florida, your wearable data is governed by a weaker statute that does not explicitly name biometric data.

Why legislation is a band-aid

Every bill, task force, and state law shares a common assumption: the problem is what companies do with your data. The solution is to regulate those actions.

This is wrong. The problem is that companies have your data at all.

Regulation is a band-aid on a structural wound. When Oura stores your sleep data in the cloud, three things are true regardless of what laws pass:

  1. Oura can be subpoenaed. Your data can become evidence in a divorce, a custody battle, or a criminal case. We have already written about this: fitness tracker data is appearing in courtrooms. ("Your Fitness Tracker Is Evidence," May 26, 2026.)

  2. Oura can be breached. On May 18, 2026, hackers stole 1.8 million medical records from NYC Health + Hospitals. The breach included fingerprints, palm prints, diagnoses, medications, and geolocation data. Oura has a biometric database. If it is breached, your HRV, sleep stages, and body temperature are exposed. Pulsyn has no biometric database. There is nothing to breach.

  3. Oura can be acquired. An IPO means public-market pressure. Oura filed confidential IPO paperwork on May 21, 2026, per CNBC. Public companies answer to shareholders. Shareholders want revenue growth. Data monetization is the easiest growth lever. Oura's privacy will get worse, not better, because Wall Street rewards extraction.

Legislation cannot fix any of these three problems. A law cannot prevent a subpoena. A law cannot prevent a breach. A law cannot prevent an acquisition.

What Pulsyn does differently

Pulsyn's architecture makes legislation irrelevant. We do not have a privacy policy that promises to protect your data. We have an architecture that makes it impossible for us to access your data in the first place.

Here is how it works. Your Pulsyn ring stores your biometric data locally. It syncs to your phone via Bluetooth Low Energy. The phone app stores the data in a SQLCipher database encrypted with AES-256. The encryption key is derived from your PIN using 600,000 PBKDF2 iterations. That is the OWASP 2023 recommendation for HMAC-SHA256. We do not know your PIN. We cannot decrypt your database. We cannot see your data. We cannot sell it. We cannot subpoena it because we do not have it. We cannot breach it because we do not store it.
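The key-derivation step described above, as an added illustration and not Pulsyn's own code: a PIN plus a per-device random salt goes through PBKDF2-HMAC-SHA256 at 600,000 iterations to produce the 32-byte key that AES-256 needs, and that raw key is handed to SQLCipher in its documented hex `x'...'` raw-key form so SQLCipher does not run its own passphrase KDF on top. The function names, the sample PIN and the fixed salt in the demo are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Parameters from the article: PBKDF2-HMAC-SHA256 at the OWASP 2023 figure of
# 600,000 iterations, producing a 32-byte key for AES-256.
PBKDF2_ITERATIONS = 600_000
KEY_BYTES = 32
SALT_BYTES = 16


def new_device_salt() -> bytes:
    """Random per-device salt. It is not secret; it is stored in the clear next to the
    database so the same PIN yields the same key on this device and no other."""
    return os.urandom(SALT_BYTES)


def derive_db_key(pin: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive the database key from the user's PIN. Only the PIN holder can recompute it;
    the vendor never sees the PIN, so it cannot produce the key (the article's point)."""
    if len(salt) < SALT_BYTES:
        raise ValueError("salt must be at least %d bytes" % SALT_BYTES)
    if iterations < PBKDF2_ITERATIONS:
        raise ValueError("iteration count below the configured minimum")
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)


def sqlcipher_key_pragma(key: bytes) -> str:
    """Format a raw 32-byte key as SQLCipher's x'<64 hex chars>' raw-key PRAGMA, which
    tells SQLCipher to use the key as-is instead of deriving one from a passphrase."""
    if len(key) != KEY_BYTES:
        raise ValueError("SQLCipher raw key must be exactly %d bytes" % KEY_BYTES)
    return "PRAGMA key = \"x'%s'\";" % key.hex()


def keys_match(a: bytes, b: bytes) -> bool:
    """Constant-time comparison, so a key check does not leak timing information."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    # Constructed demo values (hypothetical PIN and a fixed salt for reproducibility).
    salt = bytes(range(SALT_BYTES))
    key = derive_db_key("482913", salt)
    print("key bytes:", len(key))
    print(sqlcipher_key_pragma(key))
    # A wrong PIN produces an unrelated key; SQLCipher would then fail to decrypt page 1.
    print("wrong PIN matches:", keys_match(key, derive_db_key("482914", salt)))
```

Two design points worth keeping in mind when reading this: the salt removes precomputed-table attacks but does nothing for PIN entropy, so the iteration count is the only thing slowing a guess-by-guess attempt on a short numeric PIN, and a production app would normally pair the PBKDF2 step with rate limiting or a secret held in the phone's hardware keystore (a general practice, not something the article describes). The raw-key PRAGMA is also why the iteration count shown here matters: with a passphrase PRAGMA, SQLCipher would apply its own default KDF settings instead of these.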

Our optional premium tier gives you access to cloud AI with deeper context windows. But this is opt-in. The default is local-only. The AI runs on your phone, not in the cloud. Your health data never leaves your device unless you explicitly choose to send it.

This is not a marketing position. It is a technical fact. The difference between a privacy policy and a privacy architecture is the difference between a promise and a proof. Legislation regulates promises. Pulsyn built a proof.

I want to be clear about what this means in practice. If you wear a Pulsyn ring, your data is on your phone. If you lose your phone, you lose your data. We cannot recover it. We do not have a backup. That is a tradeoff. Some users will find it inconvenient. But the alternative is that we hold your data for you, which is the exact model that creates the privacy risks this legislation is trying to solve. We chose the tradeoff that favors your control over our convenience.

I am not sure if the current legislative wave will pass. The SMARTWATCH Data Act has bipartisan support but faces lobbying pressure from the wearable industry. The House GOP bill might preempt state laws and create a weaker national standard. The FTC task force will punish bad actors but cannot prevent them from existing. I do not think legislation will catch up with technology in the next five years. Maybe longer.

That uncertainty is why we built Pulsyn the way we did. If the law eventually protects your data, great. If it does not, you are already protected.

A smartwatch on a wrist. The form factor most people associate with health tracking, but the data from that device goes to a cloud server that legislation is still trying to regulate


About the author

James Hoffmann is the founder of Pulsyn. He has been reverse-engineering BLE health devices and privacy architectures for two years.


References

  1. Federal Trade Commission. "FTC Announces Healthcare Task Force." March 23, 2026. (via Fierce Healthcare, Crowell & Moring.)
  2. ClassAction.org. Issue #389. "Oura Ring Health Data Sharing Investigation." April 29, 2026.
  3. H.R.8652. "You Own the Data Act (YODA)." Introduced May 4, 2026.
  4. Senator Bill Cassidy. "Health Information Privacy Reform Act / SMARTWATCH Data Act." Introduced November 2025; reintroduced 2026. (via Fierce Healthcare, ABA, HIPAA Journal, Cato, Athletech News.)
  5. HIPAA Journal. "House Republicans Introduce New Federal Privacy Legislation." April 24, 2026.
  6. MultiState, Baker Donelson, Mayer Brown. State privacy law tracking. 2026.
  7. New York State. "One Fair Price" law. Signed May 8, 2026.
  8. CNBC. "Oura Files Confidentially for IPO." May 21, 2026.
  9. TechCrunch. "NYC Health + Hospitals Breach: 1.8M Records Stolen." May 18, 2026.
  10. TopClassActions.com. "Oura Accused of Violating California Automatic Renewal Law." 2026.