The data tracked and collected by wearable health technology that many people think should be covered by HIPAA may, in fact, not be.
"The things you think are healthcare data may not actually be so," said David Reis, Ph.D., vice president of information services and chief information security officer at Lahey Hospital and Medical Center in Burlington, Mass. "And the things that are healthcare data [under HIPAA] you probably don't expect are."
If someone simply goes to the store and buys a wearable device, a Fitbit for example, Fitbit is not a HIPAA covered entity, therefore the data the company and their devices collect is not bound by or protected under HIPAA.
However, if a person receives a wearable device through their hospital or doctor, the healthcare data that device collects is covered by HIPAA. At least, the data HIPAA defines as protected healthcare information (PHI) is safeguarded.
What HIPAA defines as healthcare data
The best place to start is with the notion that organizations governed by HIPAA are called covered entities, Reis said.
"Then within a covered entity, only certain data that covered entity has falls within HIPAA, and the HIPAA Security Rule applies to a subset therein," said he added.
David ReisLahey Hospital and Medical Center
While the HIPAA Privacy Rule covers a broader range of information, the HIPAA Security Rule is what hones in on information in electronic format, Reis said.
The HIPAA Security Rule is concerned with PHI and, according to the Human Research Protection Program at the University of California, San Francisco, there are 18 criteria defining what PHI is under HIPAA includes information such as the patient's name, address, phone number and Social Security number.
"So name is likely a HIPAA-protected data element, but blood pressure alone is likely not, unless it is linked to a patient," Reis said. Although a blood pressure reading is something many people associate as sensitive health information, "HIPAA in and of itself generally … is not worried so much about anything other than identifying the patient."
To Reis, that's the key. Blood pressure data or sleep data alone means nothing to hackers if they don't know to whom that data belongs. HIPAA and covered entities are more concerned with protecting personally identifying data and making sure that information, such as a blood pressure reading, isn't and can't be linked to the patient.
The 18 criteria defining healthcare data covered by HIPAA via the Human Research Project Program at the University of California San Francisco:
- All geographical subdivisions smaller than a state, including street address, city, county, precinct and zip code
- All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date and date of death
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate and license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URLs
- IP address numbers
- Biometric identifiers, including fingerprints and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic or code
A conflict seen with HIPAA
Although Reis doesn't see many, if any, issues with what HIPAA covers, Kirk Nahra -- an attorney at Wiley Rein LLP who specializes in privacy and information security litigation as well as a variety of healthcare, insurance fraud and compliance issues -- takes issue with what HIPAA protects when it comes to health data collected by wearable health technology.
Nahra uses an example involving health and auto insurance. If a person is in a car accident, both the health insurer and auto insurer receive that person's medical bills. The health insurer protects that person's health data under HIPAA, while the auto insurer does not.
"That's a weird result," Nahra said. To be fair, Nahra said back in 1996 when lawmakers were drafting HIPAA regulations, they probably weren't thinking about mobile and wearable health technology.
"What's happened in the last, say, decade is we've got more … situations where health-related information is being created and developed in that gap," he said. And wearable companies not bound by HIPAA fall into that gap.
Wearables from non-HIPAA covered entities
Non-covered entities can often do whatever they want with someone's data as long as those potential actions are included in the terms and conditions -- which are rarely ever read by users-- including sharing and selling data.
A report co-authored by Eric Topol, M.D., professor of genomics at the Scripps Research Institute, found the U.S. Federal Trade Commission recently tested 12 mHealth and fitness applications and discovered these apps sent consumer data to 76 third-party companies. Furthermore, the report found the shared data included the phone's unique device identifier, the owner's running routes, dietary habits and sleep patterns. A separate report by Privacy Rights Clearinghouse also indicated that 40% of 43 fitness apps collected high-risk data, including addresses, financial information, full name, health information, location and date of birth. The report also found 55% of those 43 apps shared data with third-party analytical services that could potentially link data from the fitness and health apps to other apps, potentially linking health data to other identifying information about the user.
The only way data collected by a wearables company like Fitbit would be covered by HIPAA is if Fitbit partnered with a HIPAA covered entity. Such a partnership, Reis said, is unlikely to happen because many companies don't want to deal with the complexities of HIPAA.
"I think it would be safe to say that companies like Fitbit would have to think very carefully and have a clear objective on why they would want to enter into agreements with covered entities to store that data because of regulations like HIPAA," Reis said.
In fact, about a year ago at the annual Khosla Ventures CEO Summit Google's co-founders, Sergey Brin and Larry Page, spoke about this issue. Brin said because the healthcare industry is so heavily regulated, it's a painful business to be in and not worth it.
"It's just not necessarily how I want to spend my time," Brin said. "I think the regulatory burden in the U.S. is so high that I think it would dissuade a lot of entrepreneurs."
A lawyer's perspective: Three possible solutions
With health data being generated via non-covered entities and HIPAA only covering personally identifiable information from covered entities, Nahra said he sees three possible solutions to fill that gap and ensure better protection of health data:
- Have a law that regulates the currently unprotected information.
- Have one law that covers all health information.
- Completely redefine what is considered healthcare information.
"Then the third step is sort of an extension of [the second option], which is you're seeing more and more situations where companies, even in the healthcare industry, are taking information that nobody would think of as health information -- like your income or the number of cars you have or your marital status," Nahra said. "[Healthcare providers] are using that to develop modeling on the healthcare side. So if that's true, how do you define what healthcare information is?"
Learn more about wearable health technology:
Wearable technology enters corporate America
The key to wearable devices in healthcare taking off? Physicians
Success of telehealth technology and apps driven by patients