Wellness apps 'in crosshairs'
- A legal analysis argues general wellness and fitness products are now sitting “inside the crosshairs” of regulators.
- It urges developers to map data flows, classify sensitive health metrics, and run recurring security risk assessments.
- The piece frames FTC breach expectations, HIPAA rules, and state privacy laws as core product design considerations (troutman.com).
A fitness tracker that stays outside Food and Drug Administration device rules can still face Federal Trade Commission, Health Insurance Portability and Accountability Act, and state privacy scrutiny if it handles identifiable health data. (troutman.com)

The warning comes from an April 21, 2026 legal analysis by Troutman Pepper Locke, the third part of a series on general wellness products after the Food and Drug Administration issued guidance on low-risk devices in January 2026. The article says products that track fitness, sleep, fertility, diet, or mental health can fall outside active Food and Drug Administration oversight and still trigger other legal duties. (troutman.com)

The Federal Trade Commission’s Health Breach Notification Rule covers vendors of personal health records and related entities that are not covered by HIPAA, and amendments that took effect July 29, 2024 expressly clarified coverage of many health apps. The rule requires notice to users, the FTC, and sometimes the media after a breach of unsecured, individually identifiable health data. (federalregister.gov, ftc.gov)

A personal health record is, in essence, a consumer-controlled file that can pull health information from more than one source, such as an app that combines manual symptom entries with data from a wearable. The FTC says an app that collects consumer information and syncs with a fitness tracker is probably covered. (ftc.gov)

HIPAA does not automatically cover a wellness app just because it handles health-related information. Guidance from the Department of Health and Human Services says app developers come under HIPAA when they are covered entities themselves or when they act as business associates for a covered entity such as a hospital, insurer, or doctor group. (hhs.gov)

State law is widening the net beyond HIPAA. Washington’s My Health My Data Act, signed on April 27, 2023, applies to consumer health data held by many non-HIPAA businesses and took effect for most regulated entities on March 31, 2024, with small businesses following on June 30, 2024. (atg.wa.gov, app.leg.wa.gov) Washington says the law covers companies that do business in the state or target Washington consumers and collect, process, share, or sell consumer health data. The statute adds deletion rights, consent rules, limits on selling health data, and a ban on using geofences around health care facilities. (atg.wa.gov, app.leg.wa.gov)

The enforcement backdrop is not theoretical. The FTC’s first Health Breach Notification Rule case, announced on February 1, 2023, required GoodRx to pay a $1.5 million civil penalty over alleged unauthorized disclosures of health information to advertising platforms. (ftc.gov) The agency followed with a May 2023 settlement with Premom developer Easy Healthcare over alleged sharing of fertility data and failure to give required breach notices, and it had already finalized a June 2021 order with Flo Health over allegations that the app shared sensitive reproductive health data after promising privacy. Premom said in its own statement that the settlement was not an admission of wrongdoing. (ftc.gov, ftc.gov, premom.com)

Troutman’s practical advice is less about one statute than about product design: map where data comes from, decide which metrics count as sensitive health information, review vendor contracts, and run recurring security risk assessments. For wellness app makers, the legal line is no longer just whether a product is a medical device. (troutman.com, hhs.gov, ftc.gov)