Advances in technology have allowed wearable devices to be developed to monitor health and fitness, and while these gadgets, monitors and sensors have the potential to greatly improve healthcare, they also carry a high risk of causing a HIPAA violation.
Over the past 12 months the number of devices in use has grown at a tremendous rate. In 2013 the market for wearable devices was estimated to be worth $1.4 billion, and by 2024 sales of wearable devices are expected to generate $70 billion per year.
High Risk of Data Exposure
Wearable devices include fitness bands, such as those developed by Fitbit, which record detailed data during exercise and everyday living. In 2011, users of the devices discovered just how much personal information was saved, stored and, unfortunately for many, also shared with the online community. Some discovered that their exercise logs had been indexed by Google and were publicly available, because user profiles and activity records were set to public by default and many users had never changed that setting.
Not only was data from jogging, cycling and running sessions recorded, but also much more personal information, including other forms of “exercise”. This included kissing, cuddling and sexual activity, with the data including the date, time, duration and effort put into the activity. Fitbit addressed the issue by making activity records private by default, and the data was removed from Google, but not before a number of users had their data exposed.
It may be embarrassing, or perhaps not, to have one’s nocturnal activity statistics posted online, and it is certainly not as serious as having Social Security numbers or health data exposed, but the incident did highlight just how easy it is for users to unwittingly share highly personal information when a device’s default settings favour sharing over privacy.
Devices are Being Used to Record Health Data
Devices have been developed to record and monitor the health data of users, such as monitoring blood sugar to help people with diabetes. One notable “data breach” occurred when a concerned father decided to remotely monitor his daughter’s blood sugar: he hacked into her fitness tracker and had the data transmitted to his smartwatch. This was a clear breach of privacy, although the act was certainly committed with the best of intentions.
It was not a HIPAA breach, as neither father nor daughter is covered by the HIPAA Privacy and Security Rules, but data from wearable devices is increasingly being transmitted to doctors and care teams, who are covered by the legislation.
Patients themselves are not covered entities under HIPAA, but once health data from the devices is shared with medical professionals it becomes protected health information in the hands of a covered entity, and there is considerable potential for the devices to cause HIPAA violations.
Companies supplying the devices to HIPAA covered entities – or medical professionals using the devices to monitor health information – must ensure that the devices offer the appropriate privacy protections as demanded by HIPAA Privacy and Security Rules.
Security measures must be adopted to protect any health information and personal identifiers that are recorded and transmitted by the devices, both on the device itself and in transit to and from the provider’s systems. Any unauthorized disclosure of this information, intentional or otherwise, would violate HIPAA, and potentially state data privacy and security laws as well, and could result in substantial penalties being issued.
Since the introduction of the Omnibus Rule, any company that creates, receives, maintains or transmits protected health information on behalf of a HIPAA-covered entity, for example by supplying the devices and hosting the data they collect, would be considered a Business Associate and would be directly liable for compliance with the HIPAA Security Rule. Merely selling hardware to a covered entity without handling its patients’ data does not by itself create a Business Associate relationship, so device vendors and providers should establish clearly who holds and transmits the data before a device is deployed.
The devices have the potential to greatly improve patient care, reduce treatment costs and prevent serious illness and injury, but patient privacy must be considered and the necessary steps taken to protect the data the devices hold and transmit.