Are Wearable Fitness Devices Covered by HIPAA? HIPAA & HITECH Act Blog by Jonathan P. Tomes

JonTomesThe short answer is “maybe.” But before we get into that area, let’s talk about what these fitness devices are and what they do.

Many of you wear such a device. My Vice-President, Alice McCart, and I each have a Fitbit and have an ongoing contest to see whose heart rate is lower (although it could certainly get too low!). Fitbit has become a helpful tracking device that can tell you how long and how well you slept, how many calories you expended, how far you walked, how many stairs you climbed, and your heart rate, among others, depending on the model that you have. Many Fitbits also keep track of information that you input yourself, such as food and number of cups of water consumed.

Fitbit, however, is far from the only health tracking tool. Although Fitbit has probably captured peoples’ attention more than other and often later devices, with its trim, colored plastic wristbands, there certainly are others. Perhaps Apple™ with its Apple Watch, which is also a lifestyle computer, is the most well-known, but wearable fitness devices are also made by Garmin, Google, and others. A jewelry company, Swarovski, even offers a bejeweled Shine! fitness device (Sales pitch: “Looking good while feeling fine!). Although the sales figures for 2015 are not in, the industry report of the Consumer Electronics Association projected more than 10 million units would be produced that year. More than 25 percent of U.S. Consumers use fitness apps. And stand-alone devices do not constitute the entire universe of fitness devices. Smartphones may contain apps, such as Runkeeper, Fit Star Personal Trainer, Nike+ Training Club, and Fitnet, all of which allow consumers to determine their fitness goals. Fitnet even permits users to have the smartphone’s camera determine whether they are exercising the correct way. Source, Sarah Kellogg, “Every Breath You Take,: Data Privacy and Your Wearable Fitness Device,” Journal of the Missouri Bar, Vol. 72, No. 2, p. 76-77.

Besides these devices that are for purely personal use, some in the health care industry want patients to be able to use these devices to exchange health information with their doctors. ABI Research, a company that reports global technical trends, expects 100 million wearable patient monitoring devices, such as pulse oximeters, blood pressure monitors, and the like, within four years. These patient monitoring devices will obviously have HIPAA implications.

Health information, believe it or not, is more at risk than credit cards. If an identity thief obtains a credit card, issuers can quickly cancel cards and issue new ones to consumers, who can be held liable for only $50 of fraudulent activity, although most issuers don’t charge anything. But if health information is improperly accessed, it may contain not only Social Security numbers, but also Medicare and private insurance information, as well as health conditions. No cap on fraudulent activity exists for this data, and you can’t mitigate the harm by merely cancelling a credit card.

A Fox Business article illustrates this point well:
It might come as a surprise to learn that medical data are actually worth more to cyber thieves than financial records. “On the black market, health information is more valuable than credit or debit card information,” according to Larry Ponemon, chairman of the Ponemon Institute. That’s because it includes a lot more than just details about your medical condition. For instance, by knowing your weight, height, eye color and other physical characteristics, “bad guys like Al Qaeda can create fake identities.”
There’s No Taking It Back
If a thief steals your financial information, you have to go through the hassle of closing credit cards, changing passwords on bank accounts, notifying lenders and the three major credit bureaus, and so forth. Granted, it’s a pain in the neck, but once you open new accounts, your financial data is again private.
However, if your medical identity is stolen, you don’t have the opportunity for a clean start.
“If it leaks out, it’s out forever,” says Ponemon. If there’s a negative stigma associated with your health data, you can’t undo it. Imagine the potential consequences if your medical records indicate that you were once treated for a sexually-transmitted disease or had an abortion or underwent a sex change or have a slow-growing cancer or a body mass index (“BMI”) that indicates that you are excessively obese.
Even worse, the consequences of having your medical information fall into the hands of unscrupulous individuals can literally be life threatening. “In addition to the financial impact, there can be a medical impact,” says Lisa Schifferle, an attorney in the Federal Trade Commission’s Division of Privacy and Identity Theft Protection. When a thief uses your identity to get medical care, the imposter’s information could end up on “your” medical record. If you are in an accident and rushed to the emergency room, doctors retrieving your electronic record could see the wrong blood type or not know that you are allergic to certain medications, or that you have a pre-existing condition. This misinformation could lead to misdiagnosis or mistreatment, with potentially deadly consequences.
Gail Buckner, “Scammers Want Your Medical Records . . . . Here’s Why,” FOX BUSINESS, April 14, 2014, at http://www.foxbusiness.com/features/2014/04/14/scammers-want-your-medical-recordshere-why.html.
In my opinion, three types of uses and disclosures from these devices have different
HIPAA implications:
1. The health practitioner or health plan did not issue it, but rather the user purchased the device or received it as a gift and does not use the device to transmit any individually identifiable health information to a health care provider or a health plan. This scenario is what I do with my Fitbit that I received as a gift, and HIPAA is not implicated. If I verbally tell my physician that my heart rate was 88 and he documents it in my chart, what’s in the chart is protected by HIPAA, but the data on the device or transmitted to my cell phone or computer is not. Note, however, that other government laws and regulations, aside from HIPAA, may require a degree of protection, such as those administered by the Federal Trade Commission (“FTC”), the Food and Drug Administration (“FDA”), and state regulatory agencies.
2. The patient acquires the device by purchase or gift but links it to the practitioner or health plan. In that event, the HIPAA applicability is more unclear, but certainly once the practitioner or health plan acquires protected health information (“PHI”), HIPAA applies. It would not seem that the covered entity would be responsible for security of the PHI during the transmission to the covered entity, but to minimize potential liability, the covered entity should obtain an informed consent to the transmission and use by the covered entity.
3. The covered entity provides the device. One can hardly imagine a scenario in which HIPAA would not apply to the transmission of data to and from the device and the maintenance and use of the PHI by the covered entity. Whether a loss or theft of the device while within the control of the patient would result in any liability for the covered entity is problematical, but again, I recommend an informed consent to the use of the device that contains a clear admonition that the patient is responsible for the physical security of the device and that the covered entity is not liable for disclosures that the patient makes outside of the treatment/health insurance relationship.

As with any other change in the acquisition, use, maintenance, or disclosure of PHI, you must conduct a risk analysis of each of these devices unless it falls into category one, above, and select reasonable and appropriate security measures.

For our Premium Members, I will shortly provide a sample informed consent to the use of these devices. If you are a Premium Member and have forgotten your password or otherwise are having trouble getting into the Premium Member section of our Veterans Press website at www.veteranspress.com, please contact our IT/order department at brent@wccit.com or maggy@wccit.com.

seo by: k.c. seo