Vault Door

Updates to U.S. Health-Data Privacy and Wearable Tech

By Hunter H. Moss and Scott C. Hall

This year marks a pivotal shift from the era of rapid, unregulated health-tech innovation to one of stringent governance. The proliferation of wearable devices, health applications and remote monitoring tools has led to an unprecedented expansion in legal oversight. New HIPAA regulations, state-level “sensitive health data” laws, and the FTC’s broadened breach notification rules collectively underscore a unified message from regulators: safeguard health metrics across all platforms. Organizations handling any health-related data must now navigate an increasingly complex web of overlapping federal and state regulations to avoid significant legal repercussions.

HIPAA Updates You Must Implement in 2025: Reproductive Health Privacy Rule

In April 2024, the Department of Health and Human Services (HHS) issued a Final Rule under HIPAA aimed at strengthening privacy protections for reproductive health information. The rule, effective June 25, 2024, and with a compliance deadline of December 23, 2024, would have required covered entities to obtain a signed attestation before disclosing protected health information (PHI) related to lawful reproductive healthcare. It also mandated updates to Notices of Privacy Practices (NPPs) by February 16, 2026.

However, in a recent development, a federal district court in Texas vacated the rule on July 3, 2025, holding that HHS exceeded its statutory authority and violated the Administrative Procedure Act. The court’s ruling halts enforcement of the reproductive health privacy rule nationwide unless overturned on appeal. As of now, the rule is not enforceable, and covered entities are not obligated to implement its provisions, although legal appeals may follow and some organizations may still voluntarily adopt its safeguards as a best practice.

For now, entities should monitor ongoing litigation and consider documenting their approach to reproductive-health disclosures in the event the rule is revived or replaced.

HIPAA Security Rule Notice of Proposed Rulemaking

On December 27, 2024, the Office for Civil Rights (OCR) at HHS issued a Notice of Proposed Rulemaking (NPRM) proposing significant amendments to the HIPAA Security Rule to bolster cybersecurity protections for electronic protected health information (ePHI). Key proposed changes include mandatory multi-factor authentication (MFA), encryption of ePHI both at rest and in transit, annual technical and non-technical evaluations, and a 24-hour breach notification requirement for business associates. No Final Rule on the matter has been issued.

FTC Health Breach Notification Rule Now Applicable to Health Apps

The FTC’s amended Health Breach Notification Rule (HBNR), effective July 29, 2024, expands the scope of entities required to notify consumers and the FTC of breaches involving health information to apps and platforms not covered by HIPAA.

  • Applies to fitness, fertility, mental health, and other apps tracking health data.
  • Requires notification to consumers and the FTC within 60 days of breach discovery.
  • Enforcement actions may include civil penalties.

State Spotlight – Sensitive Health-Data Laws Beyond HIPAA

Several states have enacted laws that treat biometric, wellness, geolocation, and inferred health data as sensitive, even when not covered by HIPAA:

Washington – My Health My Data Act (MHMDA)

  • Effective March 31, 2024 (or June 30 for small businesses).
  • Covers data “collected, derived, or inferred,” including metrics from wearables.
  • Requires opt-in consent and bans geofencing near reproductive health facilities (1,750 feet).

California – Privacy Rights Act (CPRA)

  • Classifies wearable-derived metrics (e.g., heart rate, skin temperature, sleep) as “sensitive personal information.”
  • Grants consumers the right to opt out of sale or use and mandates data protection impact assessments (DPIAs).

Texas – Data Privacy and Security Act (TDPSA)

  • Effective July 1, 2024.
  • Covers biometric identifiers and physical health indicators.
  • Entities must offer opt-out rights and adhere to purpose limitation and data minimization.

Florida – Digital Bill of Rights (FDBR)

  • Effective July 1, 2024.
  • Targets precise geolocation and biometric data, including data collected passively by connected devices.
  • No cure period for violations—raising litigation risk for platform providers and developers.

Intersections and Blind Spots

The convergence of federal and state regulations creates complex compliance challenges, particularly for entities operating across multiple jurisdictions. For example, a wearable device used in a healthcare setting may be subject to HIPAA, while the same device used by a consumer falls under state laws like MHMDA or the CPRA. Employers providing wellness programs must navigate HIPAA, the Americans with Disabilities Act (ADA), and state privacy laws, depending on the nature of the data collected and its use.

Takeaways for Businesses

To navigate the evolving regulatory landscape, businesses should:

  • Conduct Comprehensive Risk Analyses: Evaluate data flows to identify where health-related data is collected, stored, and shared.
  • Update Policies and Notices: Revise privacy policies and Notices of Privacy Practices to reflect new legal requirements.
  • Enhance Security Measures: Implement MFA, encryption, and other security controls as proposed in the HIPAA Security Rule NPRM.
  • Review and Amend Contracts: Ensure business associate agreements and vendor contracts include provisions for breach notification and data protection.
  • Train Staff: Educate employees on new privacy obligations and procedures for handling health-related data.

While HIPAA remains a foundational framework for health data privacy, the expanding landscape of state laws and FTC regulations necessitates a more comprehensive approach to compliance. Organizations must proactively assess their data practices, update security measures, and ensure transparency with consumers to navigate the complexities of health data privacy in 2025 and beyond.

If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com or Mari Clifford at mclifford@coblentzlaw.com for further information or assistance.