HIPAA only applies to protected healthcare information disclosed to a statutorily defined health care provider. I doubt Samsung or your carrier qualify.
The issue you raise is important, however.
Most of us have traded away much of our privacy, sometimes for services (gmail), sometimes by happenstance (nytimes.com), so that I doubt heart rate information will matter much.
But if we are entering a techno-dystopian future, and as our phones become more capable of registering our biological condition, it becomes easier for the shepherds to corral us according to their algorithms, and ensure the red-bloods don't mix with the blues.
Perhaps it is my age, but I have to admit this kind of really personal data gathering makes me a little uncomfortable. Ignorance is more comfortable, too. I noticed that the terms of my health insurance coverage require my consent to let my provider turn over HIPAA data to various third parties, with no stated requirement that my provider ensure HIPAA awareness (let alone compliance) of said third parties. I figure if I am not going to go "dark" (which, at my age, I'm too slow to pull off), I best learn to accept the death of privacy. Old age is the ultimate indignity...