Is your Fitbit data covered by HIPAA? It depends upon where you got it (kind of). If you go to the store and pick up a Fitbit on your own, the data it generates is governed by the user agreement that you click through (which I’m sure everyone read carefully). If your health plan or employer, through its self-funded health plan, provided you with the Fitbit and will receive the data from the device, then it’s subject to HIPAA.
I said “kind of” earlier because you could technically buy your own device and then share the data with the health plan, which would trigger HIPAA compliance. For a number of years, Fitbit avoided HIPAA compliance by not engaging in data sharing with health plans or healthcare providers. In a turn of events this week, Fitbit announced it will enter into HIPAA business associate agreements with covered entity health plans and self-insured employers that will offer Fitbit’s wellness platform to employees and insured individuals.
This means that Fitbit will have to implement the security controls required by the HIPAA Security Rule, but only with respect to data it is receiving from or collecting on behalf of covered entity health plans or healthcare providers. Although Fitbit’s announcement did not focus on healthcare providers, healthcare providers may be more willing to work with Fitbit to obtain data on their patients knowing that Fitbit will sign business associate agreements and implement HIPAA Security Rule controls.
This development feels a bit like what the world witnessed with cloud-based computing providers, who long fought off business associate agreements, but have since changed their tune and recognized that HIPAA compliance is a requirement if you want to do business in the healthcare space. We may see more wearable and personal medical device manufacturers move towards HIPAA compliance to fully capture the value of their devices. Stay tuned.