Jun 29, 2026 · 9:14 PM

Congress is circling the health data business model that AI startups built their futures on

Bipartisan Senate bills targeting AI health data monetization are converging on a HIPAA gap that digital health startups have treated as open territory for years. With consent requirements, sale prohibitions, and HHS-style enforcement all on the table, founders building in health AI need to treat this as a compliance signal now, not when legislation passes.

Elroy Fernandes

A wave of bipartisan federal bills is targeting how AI companies collect and monetize personal health data, and the digital health startups that treated user data as a revenue asset are running out of time to adapt.

The warning shot has been fired. In March 2026, senators at a Health, Education, Labor and Pensions Committee hearing asked bluntly who gets to profit from the health data users voluntarily hand over to AI-powered tools. Sen. Bill Cassidy, the Louisiana Republican, put it plainly: "I do think there's some consumer safeguards that should be implemented." That kind of statement from a senior Republican senator, in a committee with real jurisdiction over health policy, is not noise. It's a compliance signal, and founders building in digital health should be treating it as one.

The core problem is a gap so wide you could drive a wearable fleet through it. HIPAA governs health data held by covered entities, meaning hospitals, insurers, and their direct contractors. What it does not govern is the vast and growing category of consumer health technology sitting outside that system: fitness trackers, mental health apps, AI health coaches, sleep monitors, chatbots that ask about your symptoms. The moment a user syncs their Apple Watch to a wellness startup's platform, or types their medication history into an AI assistant, that data falls outside federal protection. Companies can collect it, aggregate it, sell it, and build advertising profiles from it without triggering any federal health privacy law. That's the business model Congress is now looking at.

Several pieces of legislation are converging on this gap from different angles. The bipartisan Smartwatch Data Act, introduced by Sens. Jacky Rosen and Bill Cassidy, would require consumer consent before wearable health data can be sold or shared, and would route enforcement through HHS under the same framework as HIPAA. Cassidy has separately introduced the Health Information Privacy Reform Act, which would extend HIPAA-like protections directly to wearable data. Meanwhile, Sens. Josh Hawley and Richard Blumenthal introduced the AI Accountability and Personal Data Protection Act in July 2025, a bill that creates a federal civil cause of action against any company that collects, processes, or sells personal data without express prior consent, with no carve-out for health information. None of these bills has passed. But bipartisan co-sponsorship, committee hearings, and parallel introductions across multiple sessions are the legislative equivalent of a company filing multiple patent applications: the intent is clear, and the direction is set.

The FDA complicated the picture further. In January 2026, the agency issued guidance expanding the category of wearables that qualify as "general wellness" products, exempting more devices from its review process without a public comment period. That means more hardware generating more intimate physiological data, with less federal scrutiny at exactly the moment Congress is asking harder questions about where that data goes. The two moves are pulling in opposite directions, and the resulting uncertainty is precisely what makes this a compliance minefield for founders.

Here's the thing that makes this moment different from previous tech privacy debates: the data being generated now is qualitatively more sensitive than what earlier regulatory conversations assumed. Wearable sensors can infer mood, stress levels, and behavioral patterns from biometric signals. AI health assistants trained on user conversations develop detailed longitudinal pictures of a person's physical and mental state. This isn't browsing history. When a startup uses that data to train models it licenses to insurers or pharma companies, the exposure for the user, and eventually for the founder, is in a different class entirely.

What this means for founders building now

The digital health market has grown fast on the assumption that non-HIPAA health data is essentially fair game. Bessemer Venture Partners' State of Health AI 2026 report documents the sector producing eight AI healthcare unicorns by 2025 and healthcare AI spending nearly tripling to $1.4 billion. That capital formation happened against a regulatory backdrop where the gap was known but the political will to close it was absent. That calculus is shifting.

Any founder whose business model involves monetizing user-generated health data, whether through data licensing, targeted advertising, or model training sold to third parties, is now operating on borrowed time. The legislative proposals on the table are not fringe efforts. The Smartwatch Data Act has drawn backing from senators on both sides of the aisle who sit on the committee with direct jurisdiction over the issue. Hawley and Blumenthal do not agree on much, but they co-authored the AI accountability bill. That breadth of support is what makes this a serious signal rather than performative tech skepticism.

The smarter response for founders is not to wait for a final law and then react. Washington's track record on technology legislation means the actual statute, if it passes, will look different from any of the current proposals. But the direction is consistent across every bill in the stack: consent-based data collection, prohibition on sale without explicit authorization, and HHS-style enforcement. Build the consent infrastructure now. Audit what your data pipeline actually does with health information. Figure out which third-party relationships depend on data sharing that users didn't knowingly authorize. These are not compliance exercises; they're strategic decisions that become harder and more expensive the longer they're deferred. The founders who treat this as a moat to build rather than a cost to absorb are going to be better positioned when the rules finally land.
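The three actions above (consent infrastructure, a pipeline audit, and a review of third-party flows) are concrete enough to sketch in code. The following is an added example written for this article, not code from the article or from any company or bill it names. It assumes purpose- and recipient-specific consent as the unit of authorization, which is the common thread of the bills described; the purposes, the recipient names such as "insurer-x", the sample wearable records and the pseudonym salt are all constructed for illustration.

```python
"""Consent-gated outbound flow for non-HIPAA health data, with an audit of third-party
relationships. Added example; all names and sample records are constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Iterable, Optional


class Purpose(Enum):
    """Why data leaves the pipeline. Only SERVICE (running the product the user signed up for)
    proceeds without an explicit prior grant; the rest are the monetization paths at issue."""
    SERVICE = "service"
    MODEL_TRAINING = "training"   # models licensed to third parties
    ADVERTISING = "advertising"
    DATA_SALE = "sale"


@dataclass(frozen=True)
class Consent:
    user_id: str
    purpose: Purpose
    recipient: str                # a named third party; consent is not transferable
    granted_at: datetime
    revoked_at: Optional[datetime] = None


class ConsentDenied(Exception):
    """A share would have left the pipeline without a matching prior grant."""


def _now() -> datetime:
    return datetime.now(timezone.utc)


class ConsentRegistry:
    """A grant counts only if it is for this purpose and this recipient, was made before the
    share, and has not been revoked."""

    def __init__(self) -> None:
        self._grants: list[Consent] = []

    def grant(self, user_id: str, purpose: Purpose, recipient: str, when: Optional[datetime] = None) -> None:
        self._grants.append(Consent(user_id, purpose, recipient, when or _now()))

    def revoke(self, user_id: str, purpose: Purpose, recipient: str, when: Optional[datetime] = None) -> None:
        when = when or _now()
        self._grants = [
            Consent(c.user_id, c.purpose, c.recipient, c.granted_at, when)
            if (c.user_id, c.purpose, c.recipient, c.revoked_at) == (user_id, purpose, recipient, None)
            else c
            for c in self._grants
        ]

    def has_consent(self, user_id: str, purpose: Purpose, recipient: str, at: Optional[datetime] = None) -> bool:
        at = at or _now()
        return any(
            c.user_id == user_id and c.purpose is purpose and c.recipient == recipient
            and c.granted_at <= at and (c.revoked_at is None or c.revoked_at > at)
            for c in self._grants
        )


PSEUDONYM_SALT = b"constructed-example-salt"   # assumption: a per-deployment secret in practice


class HealthDataPipeline:
    """Every outbound copy goes through share(); every decision, allowed or not, is logged."""

    def __init__(self, registry: ConsentRegistry) -> None:
        self.registry = registry
        self.audit_log: list[dict] = []
        self.third_party_flows: set[tuple[Purpose, str]] = set()

    def register_flow(self, purpose: Purpose, recipient: str) -> None:
        """Declare a third-party relationship so the audit can check it against consent."""
        self.third_party_flows.add((purpose, recipient))

    def share(self, user_id: str, record: dict, purpose: Purpose, recipient: str) -> dict:
        allowed = purpose is Purpose.SERVICE or self.registry.has_consent(user_id, purpose, recipient)
        self.audit_log.append({"user_id": user_id, "purpose": purpose.value, "recipient": recipient,
                               "allowed": allowed, "at": _now().isoformat()})
        if not allowed:
            raise ConsentDenied(f"{user_id}: no prior consent for {purpose.value} -> {recipient}")
        if purpose is Purpose.SERVICE:
            return dict(record)
        # Third-party copies carry a salted pseudonym instead of the account identifier.
        out = {k: v for k, v in record.items() if k != "user_id"}
        out["subject"] = hashlib.sha256(PSEUDONYM_SALT + user_id.encode()).hexdigest()[:16]
        return out

    def unconsented(self, user_ids: Iterable[str]) -> dict[tuple[Purpose, str], list[str]]:
        """For each registered third-party flow, the users it would touch without consent."""
        users = list(user_ids)
        return {
            flow: [u for u in users if not self.registry.has_consent(u, flow[0], flow[1])]
            for flow in sorted(self.third_party_flows, key=lambda f: (f[0].value, f[1]))
        }


# Constructed sample: two users' wearable summaries.
SAMPLE_RECORDS = {
    "alice": {"user_id": "alice", "resting_hr": 58, "sleep_hours": 6.4, "hrv_ms": 71},
    "bob": {"user_id": "bob", "resting_hr": 72, "sleep_hours": 5.1, "hrv_ms": 44},
}

if __name__ == "__main__":
    registry, pipeline = ConsentRegistry(), HealthDataPipeline(ConsentRegistry())
    pipeline = HealthDataPipeline(registry)
    pipeline.register_flow(Purpose.MODEL_TRAINING, "insurer-x")
    registry.grant("alice", Purpose.MODEL_TRAINING, "insurer-x")
    print(pipeline.share("alice", SAMPLE_RECORDS["alice"], Purpose.MODEL_TRAINING, "insurer-x"))
    print(pipeline.unconsented(SAMPLE_RECORDS))   # bob has no grant for this flow
```

The design choice worth noting is that consent is keyed on purpose and recipient, not on the user alone: a grant for model training licensed to one party says nothing about advertising or about a different licensee, and a revocation takes effect for later shares while the audit log keeps the record of what was shared under the earlier grant. The `unconsented` report is the "figure out which third-party relationships depend on data users didn't authorize" step, run over the flows the pipeline has declared.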


Elroy is a digital marketer and developer from Goa, with over a decade of experience in web development and marketing. He has been associated with several startups and currently serves as an editor at the Asia Pacific Industrial magazine. He occasionally writes on Startup Fortune about technology and automation.