databreaches.net 4/22/2026, 5:21:00 PM · via preferred

Wellness apps could face FTC breach rules despite FDA gap


"Outside FDA, Inside the Crosshairs: Cybersecurity Risks for General Wellness and Fitness Products" notes that low‑risk general wellness devices fall outside active FDA device regulation but still face regulatory scrutiny. The piece emphasises that the absence of FDA oversight does not remove risk: these products often collect sensitive health data and may be subject to the FTC’s Health Breach Notification Rule (HBNR), HIPAA, and state privacy and breach‑notification laws.

It highlights that the FTC’s HBNR applies to entities not subject to HIPAA but handling unsecured, personally identifiable health information, including personal health record vendors and related apps and devices, with developers potentially becoming PHR vendors when aggregating data. The article references the FTC underscoring HBNR’s reach in 2021 and notes the FTC’s Mobile Health App Interactive Tool as a resource for developers.

It also explains that marketing choices and integrations—such as syncing with provider portals or collecting geolocation data via APIs—can cause a general wellness product to qualify as a PHR and thus come under FTC oversight, even if developers do not realise it. According to the article, Part One and Part Two of the series discuss FDA’s 2026 General Wellness guidance and the intersection of multiple regulatory regimes.


Article by CyberSIXT