
I hope that's true. I suspect that if it is, it only is until one or two teams do it successfully and monetize that outcome. Then it's open season.

That's a trend in computing. It's forever too hard, until all of a sudden it isn't for a very select few and they do amazing things[1]. Then a year or two later everyone is doing it.

1: Amazing is relative, and in this case may be less about customers getting something amazing and more about the execs looking at amazing profit reports...



Health data is scary because of HIPAA (and the equivalent in non-US jurisdictions) not because it's inherently special or hard to make sense of.


It's scary because HIPAA puts a lot of restrictions on what it can be used for and also puts a bunch of requirements in place for its safekeeping. My point is that once it's been shown that those issues can be dealt with profitably, others will see that as a new growth sector and follow.

Regulations are often implemented as a set of specific hard rules based on specific values (so it's easy to rule on them). The systems they regulate are almost never so clear, and are based on competing gradients. The places where these rules interact with natural systems (such as a free market) are often some of the most lucrative places for companies to develop new strategies.

Where some people see rules that prevent or kill existing businesses, other people see an opportunity for a new type of business. The whole financial sector is rife with companies that do just this. A simple example of how it could happen in this case is that there may be some non-HIPAA-covered data (that people may or may not think of as health data at this point in time) mixed in with the HIPAA data, and very carefully harvesting and monetizing that could be lucrative. Maybe later laws are updated to change this, or maybe it becomes the new normal.


Is Fitbit location history covered by HIPAA?


Basically, any given health record is covered by HIPAA if it 1) includes personal health information, 2) includes personally identifiable information, and 3) is used by a Covered Entity or Business Associate for some health care purpose. Just being "data with health-related information in it" doesn't make it covered by HIPAA; it has to actually be used by a specific set of organizations for a purpose related to health care.

If Fitbit just stored your personal Fitbit data in a data lake in the cloud, that's not covered by HIPAA. But if it then shared that data with a service that made suggestions about your health, now it's covered by HIPAA. But if Fitbit allowed your smartphone to download your data, and gave you an app that allowed you personally to see health-related information about that data, that is (afaik) not covered by HIPAA, because you and your phone alone are not a Covered Entity or Business Associate.

Fitbit has a "health solutions" department which seems dedicated to healthcare solutions based on Fitbit data: https://healthsolutions.fitbit.com/ My guess is anything HIPAA-related is solely done through that arm of the company. Example: https://healthsolutions.fitbit.com/healthsystems/ I take this as them saying, "Hey Covered Entities, sign a Business Associate contract with us, and you can hoover up Fitbit data directly from us". By writing some glue code and doing the HIPAA hokey-pokey, they make a tidy profit.



