Where wellness meets HIPAA, and where it does not
Most wellness operators believe HIPAA does not apply to them. They are usually right and increasingly often wrong.
A common assumption among wellness brands is that HIPAA does not apply to them. The assumption is right more often than it is wrong, but the wrong cases are getting more expensive each year, and the line between right and wrong has moved.
HIPAA, in plain terms, applies to “covered entities” (most healthcare providers, health plans, and clearinghouses) and to “business associates” of those entities (vendors that handle protected health information on the covered entity’s behalf). A direct-to-consumer wellness brand that is not billing insurance, not connected to a clinical practice, and not contracted to a covered entity is generally not covered. That carve-out is the one most wellness operators rely on, and for many of them it is still accurate.
What has changed is the surface area of unintentional contact with the covered side of healthcare. Three patterns matter for wellness operators in 2026.
The first is the partnership pattern. As wellness platforms have matured, they are increasingly entering arrangements with clinical providers, telehealth networks, and employers that include healthcare benefits. The moment a wellness brand handles individually identifiable health information on behalf of a covered entity, the brand is a business associate and HIPAA fully applies, regardless of how the wellness side of the business operates. A signed business associate agreement does not create the obligation; it just documents an obligation that already exists by virtue of the data flow.
The second is the connected-device pattern. Wearables, glucose monitors, blood pressure cuffs, and similar devices that integrate with both consumer apps and clinical workflows blur the line between consumer health data (regulated by the FTC, including under its Health Breach Notification Rule, and by state laws) and protected health information (regulated by HIPAA). The same device can produce one or the other depending on which workflow it is sitting in. Operators frequently design their data architecture once and assume the regulatory classification follows the architecture. It does not; it follows the data flow.
The third is the state-law pattern. State health privacy laws like Washington’s My Health My Data Act and similar statutes adopted in other states reach consumer health data that is explicitly outside HIPAA. Many wellness operators react to this by saying “we are not covered by HIPAA,” which is true and also irrelevant. The Washington-style laws do not need HIPAA to bite. A wellness app that collects symptom data, mental health data, reproductive health data, or biometric identifiers is now covered by privacy regimes whether HIPAA applies or not.
The practical takeaway for this quarter is to map your data flows once and label them honestly. For each stream of identifiable health-adjacent data, ask: who collected it, on whose behalf is it processed, who else receives it, and which legal regime governs each leg. The wellness operators who get into trouble are not the ones who get the answer wrong. They are the ones who never asked the question.