Health Information Is Protected Differently by Setting
HIPAA applies only to covered entities and their business associates. The same health-related data held by a bookstore, website, or smartwatch maker generally falls outside HIPAA and may instead be reached by the FTC or by state laws such as California's CMIA.
A major source of confusion is that U.S. health data is protected differently depending on the setting. HIPAA reaches covered entities and business associates; the same information elsewhere generally is not HIPAA-protected.
🧩 Same data, different rules
Buying a book about a rare cancer is governed by the bookstore's privacy policy (and California's Reader Privacy Act), not HIPAA. A wearable used under medical supervision is HIPAA-covered; the same data from a personal smartwatch goes to the manufacturer, outside HIPAA, and is generally subject instead to FTC enforcement against unfair or deceptive practices.
Key terms - quick answers
What is “Wearable”?
An electronic device placed on the body that may collect medical information in real time, such as a smartwatch.
What is “CMIA”?
California's Confidentiality of Medical Information Act, which extends health privacy duties to software, hardware, and online service providers beyond HIPAA's reach.