Basically, any given health record is covered by HIPAA if it 1) includes personal health information, 2) includes personally identifiable information, and 3) is used by a Covered Entity or Business Associate for some health care purpose. Just being "data with health-related information in it" doesn't make it covered by HIPAA; it has to actually be used by a specific set of organizations for a purpose related to health care.
If Fitbit just stored your personal Fitbit data in a data lake in the cloud, that's not covered by HIPAA. But if it then shared that data with a service that made suggestions about your health, now it's covered by HIPAA. But if Fitbit allowed your smartphone to download your data, and gave you an app that allowed you personally to see health-related information about that data, that is (afaik) not covered by HIPAA, because you and your phone alone are not a Covered Entity or Business Associate.
Fitbit has a "health solutions" department which seems dedicated to healthcare solutions based on Fitbit data: https://healthsolutions.fitbit.com/ My guess is anything HIPAA-related is solely done through that arm of the company. Example: https://healthsolutions.fitbit.com/healthsystems/ I take this as them saying, "Hey Covered Entities, sign a Business Associate contract with us, and you can hoover up Fitbit data directly from us". By writing some glue code and doing the HIPAA hokey-pokey, they make a tidy profit.