Are wearables violating HIPAA?
With the development of wearable technologies such as the Nike Fuel Band, Fitbit, and Apple Watch, consumers suddenly have more options to monitor their fitness performance than ever before. These devices are also making inroads into medicine as physicians begin to experiment with using Google Glass to connect ER doctors to specialists in order to reduce patients’ wait times.
Whether it’s for the weight room or the emergency room, manufacturers and software developers are collaborating to draw health further into the digital realm.
And the way these devices capture data poses serious privacy and security issues to individually-identifiable health information that must be addressed.
Real world privacy concerns
The central challenge devices such as Google Glass and Jawbone UP pose stems from the fact that they employ cloud-based data storage. By purchasing these products, customers agree to a company’s Terms of Service, and in some cases, these terms can be fairly permissive in what they allow companies to do with that data.
According to Google Glass’s current Terms of Sale, for instance, the product falls under the company’s general Terms of Service. Although these grant the user intellectual property rights over data they store on Google servers, the company can still reproduce, modify, publicly display, distribute, and generally use this data to promote and enhance existing products and create new ones. Thus, although users may not be relinquishing ownership of their IP rights, it is clear that they are giving up a substantial degree of control over their data.
Google’s shift to a unified privacy policy in March 2012 further bolstered its ability to improve services through the collection and analysis of customer data. This new policy enabled the company to consolidate data on individual users from across its product portfolio and create unique user profiles, giving Google a fuller picture of individuals’ preferences and activities.
All personal health data is not created equal
Not all personal data is equal in the eyes of the law. That is the central issue when applying these practices to health information. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) permits the analysis and sharing of individually-identifiable health information when directly related to patient care, but it is more restrictive than the consumer Terms of Service described above. The law permits health information to be used in assessments of physician and hospital performance, but allows patients to request that their data not be shared with third parties. HIPAA also requires consent before a healthcare provider uses health information for advertising purposes.
In a medical context that means: mining individually-identifiable health information could constitute a breach of patient privacy if the analysis falls outside of the scope of HIPAA. It is not clear whether using patient data to improve products, as opposed to health outcomes, is allowed under this law. And an even more concerning scenario could take shape if health information were combined with other personal, non-medical data for the purposes of user profiling.
HIPAA and wearables: What’s next?
If wearable device manufacturers want to store health information in the cloud, they must bring their Terms of Service and privacy policies in line with HIPAA privacy and security requirements.
The vendors making wearables should take several steps to achieve this goal.
- Analyzing health data: Where privacy is concerned, companies must only analyze health data within the confines of what is permissible under HIPAA. If companies want to mine customer data for other purposes, they should keep health information separate from non-medical data.
- Sharing health data: Companies would also need to grant patients and consumers greater transparency into how their data is being used as well as who has access to it. HIPAA would also require obtaining a patient’s consent before using their health information in any part of the advertising process.
- Securing health data: When it comes to HIPAA-mandated security controls, companies should also protect health information with baseline access control and encryption measures, in addition to maintaining an “audit trail” of who has edited a patient’s information and when.
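The three tenets above, modelled as one policy-enforcement layer, as an added example that is not code from the article or from any vendor it names: health data and non-medical data sit in separate stores, a read must state a purpose that the article describes as permitted (or advertising with explicit consent), a patient's opt-out of third-party sharing is honoured, and every write and read lands in an audit trail. Class, method and purpose names are hypothetical; encryption at rest and caller authentication are assumed to be handled by the storage and identity layers and are not shown.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
# Uses the article treats as permitted without extra consent: patient care, performance assessment.
PERMITTED_PURPOSES = {"treatment", "performance_assessment"}
ADVERTISING = "advertising"  # permitted only with the patient's explicit consent

class PolicyViolation(Exception):
    """A request would use health data outside the rules above."""

@dataclass
class HealthRecord:
    data: dict                             # individually identifiable health information
    consent_to_ads: bool = False           # opt-in, never assumed
    share_with_third_parties: bool = True  # patient may request this be switched off

class WearableDataStore:
    """Health and non-medical data live in separate stores; every access is logged."""
    def __init__(self):
        self._health = {}       # patient_id -> HealthRecord
        self._nonmedical = {}   # patient_id -> device model, app settings, etc.
        self.audit_trail = []   # who did what to whose record, and when

    def _log(self, actor, action, patient_id, purpose="-"):
        self.audit_trail.append({"when": datetime.now(timezone.utc).isoformat(),
                                 "who": actor, "action": action,
                                 "patient": patient_id, "purpose": purpose})

    def write_health(self, actor, patient_id, data, consent_to_ads=False, share=True):
        self._health[patient_id] = HealthRecord(dict(data), consent_to_ads, share)
        self._log(actor, "write_health", patient_id)

    def write_nonmedical(self, actor, patient_id, data):
        self._nonmedical.setdefault(patient_id, {}).update(data)
        self._log(actor, "write_nonmedical", patient_id)

    def read_health(self, actor, patient_id, purpose, third_party=False):
        rec = self._health[patient_id]
        if purpose == ADVERTISING and not rec.consent_to_ads:
            raise PolicyViolation("advertising use requires patient consent")
        if purpose != ADVERTISING and purpose not in PERMITTED_PURPOSES:
            raise PolicyViolation(f"{purpose!r} is not a permitted use")
        if third_party and not rec.share_with_third_parties:
            raise PolicyViolation("patient opted out of third-party sharing")
        self._log(actor, "read_health", patient_id, purpose)
        return dict(rec.data)

    def user_profile(self, actor, patient_id):
        # Profiling draws only on the non-medical store; health data is never joined in.
        self._log(actor, "read_nonmedical", patient_id, "profiling")
        return dict(self._nonmedical.get(patient_id, {}))
```

A denied request raises before anything is logged, so the audit trail records only accesses that actually happened; a production system would log denials as well.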
These measures would make the manufacturers of wearable health tech more accountable to the patients and consumers that their products serve — and it follows that any consumers, doctors and healthcare organizations using wearables in any capacity should seek out vendors willing to adhere to those tenets moving forward.
Julie Anderson is a SafeGov expert in government and organizational transformation. She previously served as the senior policy official at the Department of Veterans Affairs as the VA implemented new health care technologies. Prior to that, Julie worked at IBM where she focused on enabling technologies for health care regulators and providers.