Blog Post | 114 KY. L. J. ONLINE | November 7, 2025
How the Government Accesses Your Personal Health Data Using This One Simple Trick
By: Maggie Dowdy, Staff Editor, Vol. 114
Wearable devices, such as Fitbit, allow users to collect and access vast amounts of personal health data, enabling them to monitor everything from sleep patterns to brain activity.[1] These wearables often have associated health-tracking applications that display the collected data.[2] The practice of gathering intimate health data about oneself, known as “self-quantification,”[3] has become so routine that many users consider wearables an “extension of their bodies.”[4] While these wearables provide undeniable benefits, from increasing physical activity to improving symptoms of depression and anxiety,[5] they may pose a constitutional hazard. Under the third-party doctrine, once this data is shared with a third party, it is no longer protected under the Fourth Amendment and is fair game for government agents.[6] The current interpretation of the third-party doctrine is outdated, as it fails to protect personal health data by granting government agents unregulated access.[7]
The Fourth Amendment guarantees the right to protection from “unreasonable search and seizures.”[8] This protection limits government intrusion by requiring agents to obtain a warrant based on probable cause before conducting a search.[9] In Katz v. United States,[10] the Supreme Court held that a search occurs when the government intrudes upon a citizen’s reasonable expectation of privacy.[11] In the decisions of United States v. Miller[12] and Smith v. Maryland,[13] the Supreme Court established that individuals have no reasonable expectation of privacy for any voluntary disclosure of information to third parties.[14] These rulings establish the third-party doctrine, which holds that voluntarily disclosing information to a third party eliminates any reasonable expectation of privacy and, by extension, Fourth Amendment protection.[15]
In 1986, Congress passed the Stored Communications Act (“SCA”), aiming to restrict entities from sharing consumer data with the government.[16] The Act, however, does not prevent these entities from selling that data to third parties, typically data brokers,[17] who, in turn, are not restricted from sharing the data with the government.[18] Consequently, the SCA and data brokers together create a legal loophole that allows the government to access health data without judicial oversight.[19] Proponents justify the third-party doctrine by claiming it serves a societal interest in allowing government agents to use the data in criminal investigations,[20] yet that justification will never apply to most wearable users. This is not to suggest that the data cannot be used for investigations, but rather that it should be protected from open government access. As with all other searches, the government should be required to obtain a warrant before it can search this personal digital data.[21]
The SCA’s inadequacy in protecting wearable users is mirrored in other federal statutes, such as the Health Insurance Portability and Accountability Act (HIPAA). HIPAA establishes federal standards to protect against unauthorized disclosure of patient health information.[22] The HIPAA Privacy Rule grants individuals the right to “understand and control how their health information is used.”[23] This rule, however, applies only to organizations that are considered “covered entities,” which include healthcare providers, health plans, and healthcare clearinghouses,[24] and does not include apps unassociated with covered entities that obtain health information from wearable devices.[25] Even though these apps store information akin to that obtained by covered entities, the data in many health apps does not receive HIPAA protection because the apps themselves are not covered entities.[26] This leads to an absurd result. If information such as a patient’s HIV status or menstrual cycle were disclosed to a doctor, it would receive legal protection under HIPAA, but if the same information were obtained from a data broker through an uncovered health app, it would not be subject to HIPAA, leaving users and their health information unprotected.[27]
In 2018, the Supreme Court attempted to limit the third-party doctrine in Carpenter v. United States.[28] In this case, the FBI was able to track Carpenter’s movements over 127 days through cell-site location information (CSLI) without a warrant.[29] The Court held that the warrantless acquisition constituted an unreasonable search and seizure because the facts of the case were “unique” and the data obtained was categorically different from the records governed by the third-party doctrine.[30] Specifically, the Court reasoned that the disclosure of location was not voluntary, as it is nearly impossible to function in modern society without a cell phone, and because location tracking occurs “without any affirmative act on the part of the user.”[31] While this seems to be great news for wearable users, Carpenter’s holding is limited to the acquisition of cell-site location information.[32] Rather than clarifying the application of the third-party doctrine, the Court instead created a categorical rule with exceptions based on “uniqueness.”[33] The Court’s reasoning that Carpenter’s data was “unique”[34] does not hold when compared with wearable devices. Wearable devices can track more information than CSLI, making the data in Carpenter less intrusive and less unique than data obtained from wearable devices.[35] Carpenter may have created a limitation on the third-party doctrine, but it fails to address the broader implications of wearables, health apps, and data brokers.
Although users must consent to privacy policies when creating accounts, these policies are rarely read, leaving most users unapprised of how their data is being used.[36] Moreover, a report from 2013 found that thirty-nine percent of free and thirty percent of paid health and fitness apps sent data to entities that were not disclosed within the privacy policy or the app itself,[37] meaning some disclosures are entirely involuntary. Protecting intimate health data begins with wearable companies creating more transparent disclosure policies. The Court must also establish a framework that weighs both the sensitivity of the data and whether a user’s consent to disclosure was truly voluntary to determine when data collection amounts to an unconstitutional search.[38] Additionally, there must be more regulated oversight of federal agencies that purchase data to ensure that health privacy remains protected.[39] As reliance on technology continues to grow, reforms are needed to ensure that the Fourth Amendment’s privacy protections reach wearable devices.[40]
[1] See Alxis Rodis, Fitbit Data and the Fourth Amendment: Why the Collection of Data from a Fitbit Constitutes a Search and Should Require a Warrant in Light of Carpenter v. United States, 29 Wm. & Mary Bill Rts. J. 533, 544 (2020).
[2] See Amol Mhatre, Self-Tracking Your Health Data, CBS News (May 22, 2022, at 09:20 ET), https://www.cbsnews.com/news/self-tracking-your-health-data-wearables/.
[3] See Kateryna Maltseva & Christoph Lutz, A Quantum of Self: A Study of Self-Quantification and Self-Disclosure, 81 Computs. in Human Behav. 102, 102 (2018).
[4] Id. at 103 (“Frequent use of self-tracking devices and wearables leads people to grow attached to these devices and to consider them extensions of their bodies.”); see also Rodis, supra note 1, at 544 (explaining that in 2016, 102.4 million fitness trackers and smart watches were sold).
[5] Ty Ferguson, Timothy Olds, Rachel Curtis, Henry Blake, Alyson J Crozier, Kylie Dankiw, Dorothea Dumuid, Daiki Kasai, Edward O’Connor, Rosa Virgara & Carol Maher, Effectiveness of Wearable Activity Trackers to Increase Physical Activity and Improve Health: A Systematic Review of Systematic Reviews and Meta-Analyses, 4 Lancet Digit. Health 615, 615 (2022).
[6] See Tonja Jacobi & Dustin Stonecipher, A Solution for the Third-Party Doctrine in a Time of Data Sharing, Contract Tracking, and Mass Surveillance, 97 Notre Dame L. Rev. 823, 826 (2022); see also Rhea Bhatia, A Loophole in the Fourth Amendment: The Government’s Unregulated Purchase of Intimate Health Data, 98 Wash. L. Rev. Online 67, 69 (2024) (discussing that the government’s purchase of data from data brokers does not fall within the exceptions to the Fourth Amendment’s warrant requirement).
[7] H. Brian Holland, A Third-Party Doctrine for Digital Metadata, 41 Cardozo L. Rev. 1549, 1550 (2020); see Bhatia, supra note 6, at 69.
[8] U.S. Const. amend. IV.
[9] E.g., Bhatia, supra note 6, at 69.
[10] Katz v. United States, 389 U.S. 347 (1967).
[11] See id. at 353 (holding that the government’s listening to and recording of petitioner’s public phone booth conversation “violated the privacy upon which he justifiably relied while using the telephone booth and thus constituted a ‘search and seizure’ within the meaning of the Fourth Amendment.”). In his concurrence, Justice Harlan introduced the “reasonable expectation of privacy” test. Id. at 361. “My understanding of the rule that has emerged from prior decisions is that there is a twofold requirement, first that a person have exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as ‘reasonable.’” Id.
[12] United States v. Miller, 425 U.S. 435, 443 (1976) (holding that the respondent did not have a reasonable expectation of privacy in information he voluntarily conveyed to the bank). “The depositor takes the risk, in revealing his affairs to another, that the information will be conveyed by that person to the government.” Id. (citing United States v. White, 401 U.S. 745, 751–52 (1971)).
[13] Smith v. Maryland, 442 U.S. 735, 745 (1979) (holding that a pen register to record Smith’s dialing and routing information was not a search because he did not have a legitimate expectation of privacy in the information he voluntarily handed over to a third party).
[14] Id. at 743–44 (“This Court consistently has held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” (citing United States v. Miller, 425 U.S. 435, 442–44 (1977))).
[15] See Jacobi, supra note 6, at 825, 828.
[16] See Bhatia, supra note 6 at 71.
[17] See id. at 73–76 (referring to data brokers as the “middlemen of surveillance capitalism” because of their assistance to the government in “bypassing Fourth Amendment safeguards”).
[18] Id. at 71–72.
[19] Id. at 69; see also Jacobi, supra note 6, at 826 (explaining that the current interpretation of the third-party doctrine permits government agencies to access data without the agents being subjected to Fourth Amendment oversight).
[20] Jacobi, supra note 6, at 860; see Rodis, supra note 1, at 545–47 (discussing how Fitbits and other wearable devices may play a role in criminal investigations).
[21] See Riley v. California, 573 U.S. 373, 401 (2014) (holding that a search of digital data stored on a cell phone requires a warrant). Interestingly, the Court recognized the abundance of personal data that can be stored on a cell phone, including health apps, and the intrusiveness of a warrantless search of this data, but failed to address the data broker loophole. See id. at 395–96. “Mobile application software on a cell phone, or ‘apps,’ offer a range of tools for managing detailed information about all aspects of a person’s life.” Id. at 396.
[22] Health Insurance Portability and Accountability Act of 1996 (HIPAA), Ctrs. for Disease Control and Prevention, https://www.cdc.gov/phlp/php/resources/health-insurance-portability-and-accountability-act-of-1996-hipaa.html (Sep. 10, 2024).
[23] Id.
[24] Covered Entities and Business Associations, U.S. Dep’t of Health and Hum. Servs., https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html (last visited Nov. 3, 2025).
[25] See The Access Right, Health Apps, and APIs, U.S. Dep’t of Health and Hum. Servs., https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access-right-health-apps-apis/index.html (last visited Nov. 3, 2025) (discussing that HIPAA protection for information stored in apps depends on the relationship between a covered entity and the app: if the app is not a covered entity under HIPAA, the information is no longer subject to HIPAA rules; however, if the app was developed for, provided by, or on behalf of the covered entity, the information would still be subject to HIPAA regulation).
[26] See Bhatia, supra note 6, at 83 (discussing how it is counterintuitive that health apps unassociated with covered entities do not receive HIPAA protection although they contain information like that obtained by covered entities). Wearable devices like Fitbit, Apple Watches, and Garmin watches and their associated apps are not protected by HIPAA. See Thomas Germain, Guess What? HIPAA Isn’t a Medical Privacy Law, Consumer Reports (June 13, 2022), https://www.consumerreports.org/health/health-privacy/guess-what-hipaa-isnt-a-medical-privacy-law-a2469399940/.
[27] See Bhatia, supra note 6, at 83–84 (contrasting how HIPAA protection would prevent a doctor from disclosing a patient’s HIV status, but data brokers could access that same information from apps and sell a list of 1,000 names for only seventy-nine dollars).
[28] Carpenter v. United States, 585 U.S. 296 (2018).
[29] See id. at 301–02.
[30] See id. at 313–16.
[31] Id. at 315.
[32] Id. at 316 (“Our decision today is a narrow one.”). The Court declined to address other issues associated with the third-party doctrine “to ensure that we don’t ‘embarrass the future.’” Id. (quoting Northwest Airlines, Inc. v. Minnesota, 322 U.S. 292, 300 (1944)).
[33] Jacobi, supra note 6, at 862 (“What resulted was an admittedly narrow holding that endorsed a categorial rule with ad hoc exemptions determined by their “uniqueness.”).
[34] Carpenter, 585 U.S. at 315–16.
[35] See Jacobi, supra note 6, at 862–83 (explaining that the facts of Carpenter are not unique because countless wearable devices provide more information than CSLI, such as a person’s location, heart rate, step count, and sleep cycles).
[36] Rodis, supra note 1, at 550; see also Bhatia, supra note 6, at 96 (describing a recent study that revealed it would take twenty-five days per year to read every privacy policy on each website a user visits).
[37] Linda Ackerman, Mobile Health and Fitness Applications and Information Privacy: Report to California Consumer Protection Foundation 5 (2013).
[38] Rodis, supra note 1, at 551–52.
[39] See Bhatia, supra note 6, at 95 (discussing that the U.S. is one of the largest customers of commercial data brokers). Government agencies such as the Federal Bureau of Investigation (FBI), United States Department of Defense (DOD), Immigration and Customs Enforcement (ICE), and Internal Revenue Service (IRS) have all purchased data from data brokers, with the FBI and DOD having contracts with data brokers. Id. at 76.
[40] In United States v. Jones, 565 U.S. 419, 417 (2012), Justice Sotomayor, in her concurrence, expressed concern that the third-party doctrine was “ill suited to the digital age.” This provides hope that the Court will modernize the Fourth Amendment to account for our growing reliance on technology.
