Privacy and Security of Personal Wellness Data: CEA Releases New Private Sector Guidelines

Wearable technology has proved popular with consumers, yet numerous questions have been raised about the privacy and security of the personal wellness data collected, stored and transmitted by the devices. The Consumer Electronics Association (CEA) is well aware of the potential benefits of the devices, and also of the risk that the privacy of their users will be violated.

Currently the metrics recorded by the devices are limited, although there is considerable potential for devices to be developed that record a huge volume of data about consumers, both data actively recorded by the devices and data entered by users. At present there are few privacy and security controls covering such data, and consequently considerable variation in the controls implemented by device manufacturers. As the volume of data recorded grows, so too will the privacy risk.

Now is therefore the time to start building security and privacy controls into the devices, yet many manufacturers of wearable technology are unsure about how best to secure data and protect the privacy of users.

Consumer Electronics Association Issues Guidelines Covering the Privacy and Security of Personal Wellness Data

The new guidelines on privacy and security of personal wellness data that have been issued by the CEA should improve understanding of privacy and security matters. It is hoped they will set standards that can be adopted by private sector companies to ensure devices can be used safely by consumers.

The guidelines are not intended to supplant HIPAA Rules; instead, they are intended to serve as a set of best practices for manufacturers of wearable devices to follow.

It should be noted that suppliers of wearable devices capable of recording, storing and transmitting data that falls under the category of Protected Health Information (PHI) and/or Personally Identifiable Information (PII), as defined by the Health Insurance Portability and Accountability Act (HIPAA), would be required to adhere to HIPAA Rules before the devices could be supplied to healthcare providers.

Summary of CEA Wearable Device Privacy and Security Guidelines

The guidelines have been broken down into 8 different “principles”, each of which should be addressed by manufacturers.

Data Security

Measures should be implemented to ensure that any stored or transmitted data are subject to appropriate physical, technical and administrative safeguards. Those safeguards should reflect the degree of sensitivity of wellness data.

Policy and Practice

In order to make an informed decision about using a device, consumers must be advised how their data is collected, stored and transmitted. Policies must also reflect state and federal data privacy laws.

Concise Notice of Privacy Policies

Notices of privacy practices should be concise and easy to understand. Consumers must be made aware of how their data may be used, stored and transferred, including the formats that will be used in that regard.

Unaffiliated Third Party Data Transfers

It is important for manufacturers to be transparent about the organizations that may be supplied with consumers’ wellness data. Consumers must be given the right to stop the sharing of their data with any third party. If doing so will disable some of the functions of a device, they must be informed of this.


The recording of data has the potential to result in prejudicial outcomes for consumers. Manufacturers of the devices should guard against the possible use of data to discriminate against individuals, in accordance with existing federal anti-discrimination laws.

Personal Data Review

Consumers should be allowed to edit or delete personal data that has been recorded by wearable devices.


Consumers should be given the ability to opt out and stop their data from being used for advertising. Additionally, users of the devices must give their consent before data is shared with third parties that are likely to use it for advertising purposes.

Law Enforcement Response

Consumers have a right to know which law enforcement agencies will be permitted access to data recorded by wearable devices, and the circumstances under which that can happen.

The CEA Guiding Principles on the Privacy and Security of Personal Wellness Data can be downloaded here.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.