
How Does HIPAA Apply to Wearable Health Technology?

The use of wearable health technology is expected to expand substantially within the next few years. How do HIPAA security and privacy protections apply to wearables and the health data they collect and store?


By Fred Donovan

The use of wearable health technology is expected to expand substantially within the next few years.

Wearable devices offer many health tracking capabilities, including measuring heart rate, number of steps taken per day, and glucose and activity levels.

That means these wearable devices are likely to be handling PHI. But do HIPAA security and privacy protections apply to wearables and the data they collect and store?

That depends, said Pamela Greenstone, program director for the online health information management program at the University of Cincinnati’s College of Allied Health.

In an interview with HealthITSecurity.com, Greenstone stressed that the use of wearables in healthcare is a “gray area” when it comes to HIPAA compliance.

When consumers are collecting health data for their own use, HIPAA doesn’t come into play. So, when you wear your Fitbit to track the number of steps you’ve taken in a day or monitor your heart rate, that doesn’t come under HIPAA, she said.

Even so, wearable makers like Fitbit, Samsung, and Apple are working to ensure their devices are HIPAA compliant. Samsung has launched its Knox security platform and Apple its HealthKit platform to improve the security of their mobile devices.

Back in 2015, Fitbit announced that it “supports HIPAA compliance, enabling Fitbit Wellness to more effectively integrate with HIPAA-covered entities, including corporate wellness partners, health plans and self-insured employers.” Fitbit Wellness is Fitbit’s business-to-business offering that provides software and services for corporate wellness programs.

“By allowing a greater level of integration with HIPAA-covered entities, Fitbit Wellness can better serve our clients and partners, and their members and employees,” said Fitbit Wellness Vice President and General Manager Amy McDonough at the time.

But when a healthcare provider asks consumers to supply it with the health data collected by their wearables, then HIPAA would likely apply.

“All wearables, once they are interfacing with your healthcare organization’s information, your physician practice EHR, that’s where HIPAA applies,” Greenstone said. 

“When your healthcare providers are now asking you to send all wearables data to them to monitor chronic conditions and to help you live a healthy lifestyle, it becomes a bigger onus for the healthcare organizations to make sure that data is protected and stored in a HIPAA-compliant way,” she said.

An example of how wearables could be used in this way was highlighted by a Scripps study to evaluate the use of a wearable to detect atrial fibrillation (AFib). The Scripps Translational Science Institute recently released the results of its mHealth Screening to Prevent Strokes study, which found that a wearable was three times more effective in identifying atrial fibrillation than the traditional tests done in the doctor's office. The study followed more than 5,000 participants over one year.

By catching AFib in people who are at risk but might otherwise have gone undiagnosed, the wearable devices resulted in more people receiving critical preventive therapies, the study found.

Healthcare organizations might need to set up a protected space to handle the wearables data coming in from this type of program. “Healthcare organizations may need to set up a separate space where the data comes in, is encrypted, summarized, and then is moved into the EHR,” said Greenstone.

“There is going to be a lot of data from wearables. If you wear your Fitbit every day, can you imagine if you have 300 patients in your practice, let’s say 75 percent of them are sending you this data; that is a lot of data coming into your EHR from a lot of places. How do you manage all of that data?” she asked.

Patient-generated data will likely make up a larger portion of a patient’s health record in the future, according to a survey of 35 large US health systems conducted by the Pittsburgh-based Center for Connected Medicine in partnership with the Health Management Academy. The respondents included chief informatics officers, chief medical informatics officers, and chief nursing informatics officers.

Twenty-one percent of respondents said they expect mobile health apps to be a patient-generated data source and 17 percent reported that wearables will be a source for patient-generated data.

Overall, a majority of health systems plan to increase technology spending to improve their healthcare cybersecurity measures next year, the survey found.

What happens when healthcare professionals use wearables, such as a surgeon using Google Glass or a physician using a wearable scanner?

“That opens a whole other door,” said Greenstone. “The patient needs to be informed that the information is being collected in that way. Medical professionals should realize that if you use wearables in the context of patient care, you can’t share those videos or scans wherever you want.”

“You need to make sure you are covering that under your releases and that the patient understands where the information will be collected and stored and what it will be utilized for,” she said.

There is no doubt that the use of wearables for healthcare will continue to grow. A recent study by MarketsandMarkets predicted that the wearable and external medical device segment would register the highest compound annual growth rate among medical device security market segments through 2023.

The growth will be spurred by the demand for home healthcare because of the prevalence of chronic diseases and the growing need to reduce healthcare costs. These factors are increasing the demand and uptake of wearable and external medical devices for remote patient monitoring, the report noted.

“The information we collect from wearables will enhance patient care. It just has to be used in a safe, secure environment and treated like any other PHI created within a healthcare organization,” Greenstone concluded.