Wearable health technology like the Fitbit has opened a major gray area around which health information is, and is not, protected by HIPAA. These devices are known for tracking and collecting health information, but what many users don't realize is that the information they collect, which you might assume is protected by HIPAA, may very well not be.
David Reis, Ph.D., vice president of information services and chief information security officer at Lahey Hospital and Medical Center in Burlington, Massachusetts, recently weighed in on the issue: “The things you think are healthcare data may not actually be so. And the things that are healthcare data [under HIPAA] you probably don't expect are.”
The Fitbit stands as a prime example. Fitbit is not itself a HIPAA covered entity, so if you go out and buy a Fitbit device, the information that is tracked and collected on that device is not bound or protected under HIPAA. The situation becomes more complicated, however, if a hospital or doctor gives you that device: in that case, the protected health information (PHI) that is tracked and collected on the device would be protected under HIPAA.
One important thing to note here is that not all information tracked and collected with wearable health technology dispensed by a covered entity is protected—only PHI would be protected.
What, then, does HIPAA define as PHI? Research carried out at the University of California, San Francisco, has laid out 18 criteria that define PHI under HIPAA. These criteria include identifiers such as name, geographical location, phone numbers, mailing addresses, medical record numbers, biometric identifiers, and full face photographic images. David Reis offered additional clarification about these identifiers: “...name is likely a HIPAA-protected data element, but blood pressure alone is likely not, unless it is linked to a patient.” He continued, “HIPAA in and of itself generally...is not worried so much about anything other than identifying the patient.” So while a blood pressure reading might inherently seem like protected health information, HIPAA is really more concerned about ensuring that that reading cannot be linked to the patient.
In short, advances in technology are definitely stimulating discussion about how HIPAA regulations should be applied to new technologies. For the time being, non-covered entities that sell wearable health technology can essentially do whatever they want with the data they collect, including sharing and selling that data, as long as it is specified in their terms and conditions. Only time will tell whether privacy laws will be updated to protect health information gathered by wearable technology.