Wearable Devices, Wellness Programs, And Health Apps: The Fringes Of HIPAA

Fox Rothschild LLP

With the explosion of health data sifting through cutting-edge companies, industry stakeholders are left to wonder how wearable devices, wellness programs, health applications, and the like should be regulated.

Contrary to common belief, the Health Insurance Portability and Accountability Act (“HIPAA”) does not regulate all health information. HIPAA regulates health information collected and retained by covered entities and imposes downstream obligations on entities called business associates. HIPAA began with a limited purpose and was not created to cover all health information held by all entities. Enacted in 1996, HIPAA was originally designed to address the exchange of electronic health information and portability, so that an employee could maintain health insurance between employers.

Today’s perceived gaps in HIPAA, therefore, seem plausible given its history and the realization that when HIPAA was created 23 years ago, the health landscape was without today’s innovative health companies, which collect and aggregate health data in new ways for new purposes, and without the accompanying geometric increase in the complexity and types of risk. While newer health tech companies may find themselves outside the HIPAA regime, a recent Senate Bill hopes to expand HIPAA to include health information collected by fitness trackers, health-focused social media sites, and direct-to-consumer genetic testing companies. Though the Senate Bill has remained stagnant, companies have seen enforcement beyond the HIPAA regime.

In March 2017, the New York Attorney General announced a settlement with the developers of three health apps, alleging that the creators used misleading claims and had irresponsible privacy practices, with unclear and inconsistent statements about how they collected and shared users’ personal information with third parties. The Attorney General alleged violations of New York’s Consumer Protection Act and False Advertising laws.

So what is the moral of the story? Just because your health company does not fit squarely within the HIPAA regime does not mean it is exempt from regulation. Keep in mind applicable state laws, such as a state’s Consumer Fraud Act. Consider obligations to federal regulators, for example the FTC with respect to deceptive consumer practices and the FDA with respect to its oversight of medical devices.

Have a good understanding of what your company is (and what it isn’t). If you’re a covered entity or business associate, your obligation to comply with HIPAA is clear. However, consider wearable devices like Fitbit and smartwatches, which track users’ heart rate and sync their health data to smartphone apps. Consider wearable biosensors that monitor patients’ vital signs, temperature, and body posture. A deeper analysis of when health information shifts from HIPAA-protected to non-HIPAA-protected can be found in a separate Alert by Elizabeth Litten.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising
