Sep 23 2020

3 Reasons Why Wearables Bring New Complications for HIPAA Compliance

The devices play an increasingly central role in monitoring and supporting healthful habits, but they also pose data privacy risks for users.

The capabilities of health and fitness wearables continue to grow, as does the amount of data they generate. About 20 percent of U.S. adults report owning a wearable or smartwatch, according to a January report from the Pew Research Center, and those users will produce millions of health-related data points in their lifetimes.

But how — and to what extent — do private companies secure that data?

The simplicity and intelligence of wearables, despite their benefits in maintaining good health, could leave consumers vulnerable, notes a recent report from Manatt and the Robert Wood Johnson Foundation.

Wearables, mobile apps and even Facebook are collecting health-related data on users. Without an expansion of HIPAA laws to include these new technologies, consumers can be misinformed about how their data is being used, the report says.

This poses several data challenges that private companies and healthcare organizations need to manage, says Aloha McBride, a global health leader at EY.

“Even when health information is in a de-identified format, it can often be reidentified with low effort using machine learning or artificial intelligence approaches,” she says.

Here are three reasons why data security can be problematic for consumer health technologies as they become more popular and essential:

1. HIPAA Protection Does Not Extend to Wearables and Apps

Although HIPAA is the most far-reaching health privacy law in the United States, it covers only information created, received or maintained by or on behalf of healthcare providers and health plans. User data generated by or uploaded to health apps or wearables is not subject to HIPAA rules, the foundation’s report notes.

Once that data is transferred to a consumer’s mobile device, or if it is generated by the device itself, there is no nationwide governance that can protect the data.

Some states, however, are expanding their definitions of personal protected data to include medical or health data, but a nationwide expansion of the definition has yet to exist, says Sara Jodka, a partner with Dickinson Wright who is co-leader of the firm’s U.S. cybersecurity practice and chair of the firm’s Healthcare Information Privacy and Security Task Force.

Although policy-savvy patients might think their self-generated medical information automatically triggers HIPAA protection, “in the case of wearables and limited application of HIPAA outside the actual healthcare context, HIPAA rarely applies,” Jodka says.

READ MORE: Can wearable tech spot COVID-19 symptoms?

2. Private Companies Aren’t Required to Be Protective and Transparent

Many third-party apps do not provide users with clear terms of data usage; 81 percent of apps for depression and smoking cessation share data for marketing and advertising purposes, according to a 2019 report in JAMA Network Open.

Private companies could be using consumer health data to develop new products, to inform advertising or even to sell it to third parties, the foundation’s report finds. Consumers’ lack of awareness can make them overly trusting in what they share with apps and related devices.

“Personal information, including health data, is being collected by internet service providers and third-party analytics companies to be sold to marketing agencies,” McBride says. “Moreover, a culture of social media and data sharing has encouraged people to share personal information on internet forums not regulated under HIPAA.”

3. No Uniform Data Privacy Policy Exists for Apps and Wearables

A need and opportunity exist for private companies to adopt a health privacy framework that provides accountability for the handling of health data that falls outside the bounds of HIPAA, the report notes.

A self-regulatory model that includes company-specific policies for health data collection and security could exist alongside an expansion of HIPAA, McBride says.

“Tech companies should have a clearly defined and transparent privacy policy that tells customers and patients how they treat their information,” McBride says. “Clear parameters for consumer-friendly and revocable consent should be specified for any use or disclosure of data beyond the permitted categories.”

Jodka predicts that compliance will continue to grow on a state level, but a nationwide expansion of HIPAA could be further away.

“The government uses private companies to gather the majority of its information,” she says. “I think there will be more and more state laws on the issue causing companies to engage in multiple types of compliance, but I don’t see there being a limit.”

filadendron/Getty Images