Fitbit Agrees to Sign Business Associate Agreements and Take on HIPAA Compliance

Faegre Drinker Biddle & Reath LLP

Is your Fitbit data covered by HIPAA? It depends upon where you got it (kind of). If you go to the store and pick up a Fitbit on your own, the data it generates is governed by the user agreement that you click through (which I’m sure everyone read carefully). If your health plan or employer, through its self-funded health plan, provided you with the Fitbit and will receive the data from the device, then it’s subject to HIPAA.

I said “kind of” earlier because you could technically buy your own device and then share the data with the health plan, which would trigger HIPAA compliance.  For a number of years, Fitbit avoided HIPAA compliance by not engaging in data sharing with health plans or healthcare providers.  In a turn of events this week, Fitbit announced it will enter into HIPAA business associate agreements with covered entity health plans and self-insured employers that will offer Fitbit’s wellness platform to employees and insured individuals.

This means that Fitbit will have to implement the security controls required by the HIPAA Security Rule, but only with respect to data it is receiving from or collecting on behalf of covered entity health plans or healthcare providers.  Although Fitbit’s announcement did not focus on healthcare providers, healthcare providers may be more willing to work with Fitbit to obtain data on their patients knowing that Fitbit will sign business associate agreements and implement HIPAA Security Rule controls.

This development feels a bit like what the world witnessed with cloud-based computing providers, who long fought off business associate agreements, but have since changed their tune and recognized that HIPAA compliance is a requirement if you want to do business in the healthcare space.  We may see more wearable and personal medical device manufacturers move towards HIPAA compliance to fully capture the value of their devices.  Stay tuned.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Faegre Drinker Biddle & Reath LLP | Attorney Advertising
