Senior-living tech: does HIPAA reach your sensors?

If you sell technology into an independent-living community that does not bill Medicare, you are usually not a HIPAA business associate, because that community is usually not a covered entity. But that is the start of the analysis, not the end. Here is when HIPAA actually attaches, how passive sensor and IoT data flows through your device cloud, and the state and federal privacy laws that reach resident data even when HIPAA does not.


Sergei Tokmakov, Esq. | California Bar #279869


Common questions
Is a vendor to independent living a HIPAA business associate?
Usually not. An independent-living community that provides housing and lifestyle services and does not furnish billed health care or submit electronic claims is usually not a HIPAA covered entity. If the community is not a covered entity, a technology vendor to it is usually not a business associate. That does not mean no privacy law applies. Consumer-health-data laws, CMIA-type laws, and the FTC Health Breach Notification Rule can still reach the resident data you collect.
When does HIPAA actually attach?
When the community is itself a covered entity, such as a skilled-nursing facility or an assisted-living operator that furnishes billed health services and submits electronic claims, and it hires you to handle protected health information on its behalf. If identifiable resident health information flows to you in that relationship, you are usually a business associate, a BAA is required, and you are directly liable to the HHS Office for Civil Rights.
Is passive sensor data PHI?
It depends on who holds it and why. Motion, bed-occupancy, and fall signals are not PHI just because they relate to a person. They become PHI when a covered entity or its business associate holds them in the covered relationship. When your hardware cloud collects the same signals directly and you are not acting for a covered entity, the data is generally not PHI, but it can be consumer health data under state law and medical information under CMIA-type laws.
If HIPAA does not apply, what does?
State consumer-health-data laws (Washington MHMDA, RCW 19.373), CMIA-type laws (California, Cal. Civ. Code 56.06), and the FTC Health Breach Notification Rule (16 CFR Part 318) for vendors of personal health records not covered by HIPAA. Several comprehensive state privacy laws also reach the company even where they exempt HIPAA data. The set depends on where your residents and users live.

Senior living is not one thing for HIPAA. The label on the building matters far less than whether the operator furnishes billed health care and submits standard electronic transactions. Read your customer against these three.

Independent living

Independent-living community that does not bill Medicare?

Provides housing and lifestyle services, not billed clinical care, and does not submit standard electronic health-care transactions. Usually not a HIPAA covered entity. A technology vendor to it is usually not a business associate.

Customer usually not covered → you are usually not a business associate
Assisted living

Assisted living: it depends on what it bills

Mixed. Some assisted-living operators furnish and bill health services and submit electronic claims, which can make them covered entities. Others provide custodial and lifestyle services only. You have to look at the specific operator and whether protected health information flows to you, not the category.

If it bills health services electronically → may be covered
If custodial only → may not be
Skilled nursing

Skilled-nursing facility that bills

A skilled-nursing facility that furnishes billed health care and submits standard electronic transactions is typically a HIPAA covered entity. If it feeds you identifiable resident health information, you are usually a business associate and a BAA is required.

Customer typically covered → you are usually a business associate
The label is not the test. Independent living, assisted living, and skilled nursing are operating models, not HIPAA categories. The HIPAA question is always the same two-step: is my customer a covered entity, and does protected health information flow to me on its behalf? Apply it to the actual operator and the actual data flow.

HIPAA reaches a senior-living technology vendor only through business-associate status, and that takes two conditions together.

Both of these must be true for HIPAA to attach to you:
  • Your customer is a covered entity. A health plan, a clearinghouse, or a health-care provider that transmits health information electronically in a HIPAA-covered transaction (45 CFR 160.103). A skilled-nursing facility or a billing assisted-living operator can be one. An independent-living community usually is not.
  • Protected health information flows to you on its behalf. You create, receive, maintain, or transmit identifiable resident health information for the covered entity. If your device or platform never receives PHI from the covered entity, business-associate status may not attach even though the customer is covered.
When both are true, the covered entity must sign a business associate agreement with you, and since the HITECH amendments you are directly liable to the HHS Office for Civil Rights for safeguarding the data, not only contractually liable to the customer. Source: 45 CFR 160.103 (covered entity and business associate); business-associate direct liability under HITECH. General information, confirm the current text.
Do not sign a BAA reflexively. Procurement teams often send a BAA by default. If you are not actually a business associate, signing one can give you HIPAA obligations you do not meet, including breach-notification and safeguard duties keyed to data you do not hold. If you are a business associate, you do need one, and it should match what your product actually does. Either way, the BAA is a document to scope before you sign, not a checkbox.

Senior-living technology often runs on passive sensors: motion, bed occupancy, door, wearable, and fall detection. The legal character of that data depends on the path it travels, not on how clinical it feels.

Three things drive how sensor and IoT data is regulated:
  • Who holds it. Sensor data held by a covered entity or its business associate, inside the covered relationship, is PHI. The same data held by a hardware vendor that is not acting for a covered entity is generally not PHI.
  • The path through your device cloud. When a hardware vendor's devices send signals to the vendor's own cloud API, the vendor is the one collecting and processing that data. If the vendor is not a business associate, that flow is outside HIPAA, but it is squarely the kind of consumer health data that state laws reach.
  • Whether it is identifiable. Linked to a named resident or unit, it is sensitive personal data and often consumer health data. Genuinely de-identified or aggregated data is treated differently, but de-identification has to actually meet the applicable standard and be documented.
General information. Whether a specific sensor stream is PHI, consumer health data, or neither is fact-specific and depends on the deployment and the holder.
The hardware-vendor cloud pattern. A very common architecture: the sensors are a third-party hardware vendor's, the signals flow to that vendor's cloud, and your platform reads them through the vendor's API. Map that chain carefully. The hardware vendor may be your sub-processor or sub-business-associate, the data may change character as it moves, and your contracts with the hardware vendor and with the community both have to reflect who carries which obligation. A fall signal can be PHI in a skilled-nursing deployment under a BAA and consumer health data in a direct-to-family deployment, even on identical hardware.

For the common case, an independent-living deployment where you are not a business associate, this is where your real obligations live. Three regimes routinely reach resident and consumer health data that HIPAA never touches.

1. State consumer-health-data laws (MHMDA-type). Washington's My Health My Data Act (Chapter 19.373 RCW) reaches consumer health data of Washington consumers held outside the HIPAA-covered stream, including, potentially, health-related sensor inferences, with a separate consumer-health-data privacy policy, layered consent, and a private right of action through the state Consumer Protection Act. Nevada (SB 370) and Connecticut have related consumer-health-data regimes. These reach the resident data your sensors generate when you are not a business associate. Source: Chapter 19.373 RCW, app.leg.wa.gov/rcw/default.aspx?cite=19.373. General information.
2. CMIA-type medical-information laws. California's Confidentiality of Medical Information Act can be stricter than HIPAA and, under Cal. Civ. Code 56.06, can treat a business offering health or wellness software, mobile apps, or certain digital health services as a provider of health care directly subject to the CMIA, with a private right of action. A senior-living monitoring app collecting health-related signals in California should test itself against CMIA directly, not assume HIPAA absence ends the analysis. Source: Cal. Civ. Code 56.06, leginfo.legislature.ca.gov. General information.
3. FTC Health Breach Notification Rule. The FTC Health Breach Notification Rule (16 CFR Part 318) applies to vendors of personal health records, related entities, and their third-party service providers that are not covered by HIPAA. A senior-living app that maintains resident health information for consumers and is not a HIPAA business associate can fall within it, and a breach can require notice to affected individuals, the FTC, and in some cases the media. It is the federal breach regime that fills the gap when HIPAA does not reach you. Source: 16 CFR Part 318, law.cornell.edu/cfr/text/16/part-318. The rule expressly does not apply to HIPAA-covered entities or their business associates. General information.
And the entity-level state-law trap. Several comprehensive state privacy laws (for example Oregon, Maryland, and New Jersey) exempt HIPAA data at the data level but do not exempt the company at the entity level. So even where some of your data is HIPAA-covered, your organization may still owe comprehensive-law duties for the rest. Where your residents and users live decides which of these apply.

General illustrations, not conclusions about your product. Your facts control.

Independent living

Fall sensors in an independent-living community

The community does not bill Medicare. Your device cloud collects motion and fall signals directly.

Usually outside HIPAA.

The community is usually not a covered entity, so you are usually not a business associate. But the resident sensor data is consumer health data under MHMDA-type laws, can be medical information under CMIA, and a breach can trigger the FTC Health Breach Notification Rule.

Skilled nursing

Same sensors deployed in a skilled-nursing facility

The facility bills health care and pipes identifiable resident data into your platform.

Business associate. HIPAA applies.

The facility is a covered entity and PHI flows to you on its behalf. A BAA is required and you are directly liable to OCR. State laws can apply on top. Identical hardware, different legal posture, because the holder and relationship changed.

Direct to family

A monitoring device sold directly to families

Families buy the device for a parent at home. No community, no covered entity involved.

Outside HIPAA, inside consumer law.

No covered-entity relationship, so no HIPAA. But you hold consumers' health-related data, so consumer-health-data laws, CMIA, and the FTC Health Breach Notification Rule are your real obligations, plus accurate terms about what the product is and is not.

Third-party hardware

You read a hardware vendor's sensor cloud via API

You do not make the sensors; you ingest their signals through the hardware vendor's cloud API.

Map the chain and the contracts.

The hardware vendor may be your sub-processor or sub-business-associate. The data can change character as it moves. Your contract with the hardware vendor and your contract with the community both have to reflect who carries which obligation. Do not assume the API hides the data-protection duty.


What it costs to work with me

Flat fees. A written opinion on where your deployment lands, or the full launch document stack if you are building.

Written opinion

Written Attorney Consultation

$240 written response

Send your product, the communities you sell to, and your sensor or app data flows. I send back a written attorney view on your likely HIPAA status and the non-HIPAA laws to plan for. Not a full document build.

Cheapest entry

Minimum pilot scope

Scoped by email

Running a small or free pilot in one or two communities and want the cheapest defensible footing: resident and family consent, a product disclaimer and terms, and a short privacy notice. See the minimum pilot scope page, then email me to scope it.

The $2,500 Healthcare SaaS Legal Package is the confirmed flat-fee launch tier. The minimum pilot scope is quoted by email because the right entry scope depends on your facts. Overflow on unusually large matters bills at $240 per hour.

Is a vendor to an independent-living community a HIPAA business associate?

Usually not. An independent-living community that provides housing and lifestyle services and does not furnish billed health care or submit electronic claims is usually not a HIPAA covered entity, so a technology vendor to it is usually not a business associate. That does not end the analysis, because consumer-health-data laws, CMIA-type laws, and the FTC Health Breach Notification Rule can still reach the resident data the vendor collects.

When does HIPAA actually attach for a senior-living technology vendor?

When the community you serve is itself a covered entity, such as a skilled-nursing facility or a billing assisted-living operator, and it hires you to handle protected health information on its behalf. If identifiable resident health information flows to you in that relationship, you are usually a business associate, a BAA is required, and you are directly liable to the HHS Office for Civil Rights. The trigger is the covered-entity relationship plus the PHI flow, not the senior-living label.

Is passive sensor data from a fall or motion sensor protected health information?

It depends on who holds it and why. Passive motion, bed-occupancy, or fall signals are not PHI just because they relate to a person. They become PHI when a covered entity or its business associate holds them in the covered relationship. When a hardware vendor collects the same signals directly through its own device cloud and is not acting for a covered entity, the data is generally not PHI, but it can be consumer health data under state laws such as Washington MHMDA and medical information under CMIA-type laws.

If HIPAA does not apply to my senior-living product, what law does?

State consumer-health-data laws such as Washington's My Health My Data Act (RCW 19.373) reach consumer health data with consent, sale, and privacy-policy duties and a private right of action. California's CMIA can treat a wellness-software vendor as a provider of health care under Cal. Civ. Code 56.06. The FTC Health Breach Notification Rule (16 CFR Part 318) applies to vendors of personal health records not covered by HIPAA. Several comprehensive state privacy laws also apply to the company even where they exempt HIPAA data. The set depends on where your residents and users are located.