HIPAA and Wearables: Protecting Personal Information, Privacy?

Today it is not uncommon to see many people sporting a digital device that collects data such as the number of steps walked that day, heart rate, sleeping patterns, and other personal metrics. These devices, known in the market as “wearables,” have become the new trend in America, aimed at encouraging healthy behaviors and tracking users’ progress.

The user’s information is collected, stored and interpreted daily, in accordance with the user’s desired fitness goals. The wearable industry has proliferated over the last several years, with the International Data Corporation projecting worldwide shipments of wearable devices to reach 110 million by the end of 2016. But how protected is the data that wearables are collecting?

According to Pam Dixon, executive director and founder of the World Privacy Forum (“WPF”), this information is not yet legally protected. Currently, there are no laws that prevent digital health companies from using this data in any manner they choose. Many people assume that digital health companies are held to the same standards as health care organizations.

Wearables, Data and HIPAA Compliance

Wearable data is not protected by HIPAA, however, because it is not linked to patient information held by a HIPAA-defined “covered entity,” i.e., a health care organization, clearinghouse, or provider. Unless the wearable is provided by the user’s physician or hospital, HIPAA’s personal health information safeguards do not apply.

There has been a recent push by Dixon’s WPF and other parties to create laws that protect consumer information generated by wearable devices. Until then, a significant amount of consumer information stored by wearables, ranging from health information to lifestyle indicators, remains exposed with little regulatory recourse. A minority of wearable companies have voluntarily adopted strong privacy policies in order to better protect their customers’ information. However, until there are actual laws in place for all digital health companies to comply with, consumers should be aware that their information may be up for grabs.

Harper, Gretchen

Gretchen E. Harper is an associate attorney at Nixon Peabody, where she represents hospitals, health systems, nursing homes, assisted living providers, physician groups, accountable care organizations and other health care related industry clients. Read more Nixon Peabody blogs here.




    Joshua Smith:

    But if my wearable was provided by my insurance company (www.hioscar.com – they give Amazon gift credits for reaching Daily Step goals) does it then fall under the auspices of HIPAA?

      Joe Panettieri:

      Hey Joshua: In that case I do believe the device falls under the HIPAA requirements but you should check in with the insurer, device provider and legal experts (how’s that for covering all bases?).
