Your Wearable Devices Can Be Weaponized Against You
Smartwatches and smart rings track your heart rate, sleep, and location every day, and none of it is covered by HIPAA.
Wearable devices are now among the most personal data-collection tools people use. They track more than your phone and collect more biological details than your bank statement. The main federal law that most protects health information was designed for hospitals and insurers, not for companies like Apple or Oura. So, what fills that gap, and how does it hold up when we look at it through the lens of Coercive Capitalism?
Three Things to Know
HIPAA does not apply to wearable makers. Companies like Apple, Fitbit, Oura, Garmin, and Whoop are not considered ‘covered entities’ under this law. This means the data they collect from your body does not have the same protections as your medical records chart.
Wearable data has already been used in court against the people who wear these devices. It has played a role in murder trials, personal injury cases, and insurance disputes. Sometimes this information helps the wearer, but other times it works against them.
So far, only one state has addressed this gap. Washington’s My Health My Data Act is the first law written to protect health data that HIPAA does not cover. In every other state, including Connecticut, no statute protects this data.
“The things you think are healthcare data may not actually be so.” — David Reis, Lahey Hospital and Medical Center
The Murder Case That Started with a Fitbit
In December 2015, Connie Dabate was shot and killed in the basement of her home in Ellington, Connecticut. Her husband, Richard, told police an intruder dressed in camouflage had broken in, tied him to a chair, and shot his wife when she came home early from the gym.
The story had a problem. Connie was wearing a Fitbit clipped to her waistband that morning, and the device recorded her walking roughly 1,217 feet during the window when Richard said she was already lying dead, far more than the 125 feet between her car and the basement where her body was found.
The mismatch helped unravel his account. Richard Dabate was convicted of murder in 2022 and sentenced to 65 years. In 2025, the Connecticut Supreme Court upheld the conviction in a unanimous ruling that also affirmed the reliability of the Fitbit data.
At first glance, this seems like a reassuring story—a wearable device helped catch a killer. But if you look at it another way, the same technology that helped convict someone guilty could just as easily be used against an innocent person, or someone involved in an insurance dispute or lawsuit. The point is, the same data that proves guilt can also put you at risk.
Both outcomes are possible because there is no privacy framework for this kind of data. The law most people think protects them was never designed or written with wearables in mind.
Why HIPAA Does Not Apply
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to protect patient information as it moves through the healthcare system.
It applies only to what the law calls covered entities, defined narrowly as doctors, hospitals, health plans, and the vendors working directly on their behalf.
Consumer wearable companies are not included in this definition unless they work directly on behalf of a medical provider or insurer. This is rare, because most companies prefer to stay outside HIPAA’s strict requirements.
Your smartwatch can alert you to an irregular heartbeat, track your sleep, log your menstrual cycle, and record your location all day. But legally, none of this is treated as health data, unlike your doctor’s records.
Already Used Against People in Court
This gap has already been tested in court many times, often in ways wearable owners never expected when they started using these devices. The key point is that wearables appear in legal disputes, and the same unprotected data can help or harm you, depending on who uses it.
In a federal product liability case over an artificial hip implant, defense attorneys learned the plaintiff had worn a Fitbit daily and successfully compelled production of his step-count records, while the court allowed more sensitive categories, such as heart rate, sleep, and location, to be redacted as too invasive for the dispute at hand.
In an earlier case out of Calgary, a personal trainer’s own attorney pulled her Fitbit data to argue her post-accident activity had dropped below what would be expected for someone her age and profession, an attempt to use the device in her own favor.
Defense and insurance attorneys note the reverse happens just as often.
Fitness tracker data has been used to dispute where someone was before an accident, challenge whether an injury occurred as described, and undermine a disability claim by showing the claimant was hiking or walking within days of the alleged harm.
None of this needs a hack or data breach. All it takes is a subpoena, since the data was never protected to begin with. This is the real result of the gap: regular legal processes can access your data.
Yes, It Can Be Sold
Wearable data falls outside HIPAA. Most fitness trackers and smart rings are not regulated by the FDA because they are sold as wellness products rather than medical devices. Because of this, the data from your wrist can legally be sold to data brokers, employers, and law enforcement, just like any other consumer data.
This is not theoretical. The exact legal category wearables fall into already has a documented history of being sold. The FTC has brought enforcement actions against GoodRx, BetterHelp, and the fertility app Premom for sharing sensitive health data with Facebook, Google, and ad networks, despite explicitly promising users it would not. None of those three were wearable companies, but they fall into the same legal category as Fitbit, Oura, and Whoop, and the FTC’s own Health Breach Notification Rule has since been expanded to cover health apps and trackers. Fitbit itself has faced a class action alleging it shared heart rate and sleep data with third parties beyond what users reasonably expected, and Whoop has faced a separate suit over biometric data collection that allegedly omitted the consent and retention disclosures required by Illinois law.
Law enforcement has also already purchased commercial location data, including from wearables, without a warrant, the same loophole long used to buy cell phone location data from brokers instead of asking a judge for it. A peer-reviewed review of wearable privacy practices states this directly: that agencies have used purchased wearable data for location tracking, and that the legal gap allowing it is structural, not an oversight anyone is racing to close.
It is important to look at where this is going, not just where things stand now. In June 2025, HHS Secretary Robert F. Kennedy Jr. told Congress he wanted every American to have a wearable device within four years, a goal he supported with a major advertising campaign. Later, he told Axios that wearables “are not for everyone because of concerns like cost and personal privacy.” In that same report, a privacy attorney repeated the main point: once health data is collected by a wearable, HIPAA does not apply, and only the company’s privacy policy stands between you and a data sale. Privacy advocates and labor groups have also warned that employers could use this data against workers, since there are almost no rules to stop it.
This does not mean a federal mandate is on the way, and Kennedy later stepped back from that idea. What is clear is that the current HHS Secretary has publicly pushed for every American to wear a device, even though there are no clear legal protections in place, and has been campaigning for it.
The Voluntary Pipeline Insurers Built
Insurance companies have created a voluntary and popular way to collect this same information.
John Hancock’s Vitality program rewards life insurance policyholders for meeting step and exercise targets tracked via an Apple Watch or Fitbit, offering premium discounts of up to 25 percent and a heavily subsidized watch in exchange.
Members can claim an Apple Watch for as little as $25 upfront, paying the rest in monthly installments tied to how many workouts they log.
To be fair to the company, John Hancock’s own program materials state plainly that biometric data collected through Vitality will not be used to reclassify a policyholder’s risk level or serve as the sole basis for refusing to reinstate a lapsed policy.
That is a real contractual promise, not a loophole, and it deserves to be described accurately rather than treated as something it is not.
But this is just a promise from one company, for one product, and it could change with a new policy or if the company is bought by someone else.
The real issue is the system itself—a constant stream of your biometric data flowing straight to the company that decides what you are worth to insure. That pipeline does not go away just because the current terms look fair. What it creates is capacity: a system that can be used against you later, whether or not any company is using it that way right now.
The One State that Closed the Gap
Lawmakers in exactly one state have actually closed this gap.
Washington’s My Health My Data Act was enacted because many people believe federal law protects all their health information, much like hospital records are protected. In reality, HIPAA only covers a few types of organizations and leaves data collected by apps, wearables, and websites unprotected. This law aims to fix that gap.
The law gives people in Washington real rights. They can see what health data has been collected about them, ask for it to be deleted, and stop it from being sold without their written permission. This is the practical benefit of closing the gap.
It is the first state law specifically designed to close the HIPAA gap for fitness trackers, period-tracking apps, and wellness platforms.
If you do not live in Washington, none of those rights apply to you.
Right now, your level of protection depends on where you live. This is not how health privacy was meant to work, but when HIPAA was written in 1996, no one expected devices like these to exist.
Coercive Capitalism
This is where the Coercive Capitalism model helps explain things. The gap is not just a mistake waiting for new laws, but a system that works the way the business model wants it to.
The test has four parts, and it is worth defining each one before applying it here.
First, voluntary trade: you choose to wear the device and share its data, usually because it is useful or because someone offers a discount or a free watch in return.
Second, genuine benefit received: the device frequently works as advertised. You walk more. You sleep better. You catch an irregular heartbeat early.
Third, data weaponized back: the same continuous record that motivated or rewarded you becomes evidence the moment your interests diverge from the interests of whoever holds the data, an opposing party in a lawsuit, an insurer reviewing a claim, a prosecutor building a timeline.
Fourth, the cost of leaving is high. Once you have accepted the discounted watch, the lower premium, or have years of your data stored by a company, there is no easy way to undo it. You cannot take back data that has already been collected, and leaving the program usually means losing the benefits that made you join.
If you apply this test to wearable data, it meets all four points. This is what makes it different from a typical privacy issue. People agree to the trade and get real benefits, which is why most do not question it until their data ends up in a courtroom or an insurance file.
What You Can Do
Look up your wearable’s actual data policy, not just the marketing page, and search for terms like third party, sell, share, and law enforcement. Most companies bury the real details a few sections deep.
Check which apps are connected to your device. Oura, Fitbit, and Garmin allow third-party apps to access your data through permissions. If you see something you do not recognize, remove its access.
If you have an open insurance claim or a lawsuit, stop syncing your wearable data until you talk to your lawyer. The data does not have to be deleted to be found. It just needs to exist.
If you are thinking about joining a wellness program like Vitality, ask for the actual policy details in writing, not just the sales brochure. Ask directly whether wellness data could ever affect your claims, reinstatement, or be transferred if the company is sold, acquired, or the program changes.
Look up whether your state has anything resembling Washington’s My Health My Data Act. As of now, most states, including Connecticut, do not. That absence is itself worth knowing.
Make a conscious choice about how much of your biometric history you want stored on a server you do not control. Remember, you could get many of the same benefits from a notebook and a simple step counter at home.