You’ve just started using a new wearable health device and have been tracking your daily steps, calorie intake, blood pressure, heart rate and sleep using your smartphone app. You have a new resolve to get fit and you’re winning the race this week for the most steps amongst your friends. But wait – what’s that ad on your Facebook page for a low calorie diet and fitness clothes? Isn’t your health and medical data protected by HIPAA?
HIPAA protects health information when it is used or created by “covered entities” or “business associates”. Covered entities include health plans and healthcare providers, while business associates are entities that handle, use, or create PHI (Personal Health Information) on their behalf. Any handling of information related to providing healthcare services must be HIPAA compliant.
Mobile apps that simply track data, like the number of steps you take per day, are not covered under HIPAA regulations. However, the Federal Food and Drug Administration (FDA) now regulates a new category of mobile apps known as “mobile medical apps”. Mobile medical apps that collect, store, or share PHI with covered entities must be HIPAA compliant. An example of a mobile medical app would be one that uses an attachment to the mobile device to measure blood glucose levels. This information could be stored in the cloud, where a covered entity would have access to it. So the first step in determining whether your data is protected under HIPAA is to ask whether your information will be shared with a covered entity. At this point in time the vast majority of wearable health devices are not sharing their data with covered entities, but changes are on the horizon.
Now that we’ve determined that your wearable health device and apps are not always required to be HIPAA compliant, is the health data on your smartphone protected? Many companies selling wearable technology claim that your health data IS protected. But protected from whom, and who owns this health data? Can your data be sold to marketing companies? If hackers can post nude selfies of celebrities accessed from the cloud, they can certainly access private information about your health conditions.
I attended a recent digital health conference in San Francisco and the single biggest topic was how to monetize the data captured through wearables. A wearable health device is a one-time sale, but if you can monetize the data captured, it creates a never-ending revenue stream for the company. There was even talk of giving devices away and creating free websites for users, because many of the developers feel there is significantly more money to be made as a data broker than as a retailer of devices. This all sounds great for wearable developers, but where does that leave the consumer?
Not only are app developers unclear about healthcare privacy regulations, your healthcare provider may still be struggling with a clear understanding of HIPAA regulations as well. Just last week an acquaintance told me the story of her experience collecting her personal medical records from her physician’s office. She had called ahead to have the records copied and ready for her husband to pick up the next day. The office receptionist told her that it would be $15. When her husband arrived, the receptionist asked for the $15 and handed over the file. When questioned about providing a release or identification, the receptionist said, “That’s not necessary. I just need the $15.” If the physician’s office is unable to operationalize HIPAA and the basic federal privacy requirements, it is questionable whether wearable and app creators will be any better at keeping your electronic health data secure.
If you are working on a new wearable and are part of the wave of technology that is deconstructing healthcare, consider making a knowledgeable HIPAA/security attorney part of your development team. It is not a question of if, but when, the regulations are expanded to include wearable devices and the data they capture, and you don’t want your product on the wrong side of public sentiment.
Until then, it is the Wild West in this new field and it is every user and developer for themselves. Proceed with caution.
Siddel works with many digital health companies, if you would like more information on how
Disclaimer: This article discusses general legal issues, but it does not constitute legal advice. No reader should act or refrain from acting on the basis of any information presented herein without seeking the advice of counsel in the relevant jurisdiction. Siddel Law expressly disclaims all liability in respect of any actions taken or not taken based on any contents of this article.