Vitals

Your vitals are the building blocks of your body. Protecting their data matters.

The Law

While HIPAA does not cover most healthtech products, in many cases vitals monitors that track your glucose, heart rate, and other information are in fact protected by HIPAA and its Privacy Rule. This is because these devices often collect and share data directly with healthcare providers at institutions covered by HIPAA regulations, and thus must implement safeguards to protect your data privacy, provide patients with access to their health information, and obtain patient authorization before sharing the data with third parties.

Glucose monitors are typically classified as Class II medical devices, requiring FDA clearance before marketing. However, not all vitals healthtech products are covered by HIPAA: some continuous glucose monitors, and any heart rate or blood pressure monitors not directly integrated into healthcare systems, fall outside it. It is therefore important to understand whether your specific device is governed by these regulations.

Some state biometric privacy laws in Illinois, Texas, and Washington do govern the collection and use of such data, which could include certain vitals data collected by wearables. However, they usually focus on biometric identifiers like retina or iris scans and fingerprints as opposed to heart rate records. Since there are no comprehensive federal regulations surrounding the obligations that companies may have in protecting your valuable health data, it is essential to evaluate the tech for yourself.

The Tech

Many devices exist to help patients collect data about their vitals and, in many cases, share their records for official healthcare provider purposes. The global blood glucose monitoring devices market size was estimated at $13.43B in 2023 and is expected to reach $14.42B this year. These devices offer many advantages like real-time monitoring, minimal invasiveness, and integration with AI.

Similarly, the heart rate monitor market, valued at $13.53B in 2024 and expected to reach $37.23B by 2031, offers products that allow users to test their heart rate at home. Major players in the heart rate monitor market are wearable devices not subject to HIPAA governance.

However, there are still many privacy and security risks associated with vitals-related healthtech such as continuous glucose monitors (CGMs). For instance, beyond the fact that some of these devices are not regulated by HIPAA, even those that are regulated interact with smartphones, computers, and other technology that is susceptible to data breaches and that fails to offer users the option to opt out, make meaningful choices, or control their health data.

Vitals Healthtech Database