Is Wearing a Smartwatch a Violation of the “HIPAA” Law?

HIPAA compliance law

The smartwatches segment was revolutionized way back in 2015. It was during that time when Apple introduced the Apple Watch. Since then, the popularity of these devices kept on increasing. It is estimated that the global smartwatch market size will grow by a Compound Annual Growth Rate (CAGR) of over eighteen in the next five years.

One of the reasons for the increasing popularity of smart watches can be attributed to health and fitness tracking features. These features have advanced significantly in the last few years. Who knew it would one day be possible to measure blood oxygen levels and even take an ECG with a watch!

But, with these massive features comes an equally concerning issue: patient data privacy and HIPAA law compliance.

What is HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act. The HIPAA law was enacted in 1996. It was created to protect sensitive patient health information from being disclosed without the patient’s knowledge or consent.

Furthermore, the HIPAA privacy rule was implemented by the U.S. Department of Health and Human Services. The HIPAA privacy rule concerns the use and disclosure of protected health information by entities subject to it. It also contains the standards for individuals’ rights to understand their health information and control how it is being used.

The HIPAA privacy laws cover the following entities:

  • Healthcare providers
  • Healthcare plan providers
  • Healthcare clearinghouses
  • Business associates

Smartwatches and HIPAA Compliance

Undoubtedly, smartwatches have simplified looking after our health. Sensors, artificial intelligence, cloud computing, and other technologies have helped in this aspect. However, with simplicity comes data privacy concerns. Smartwatches can leave users vulnerable.

Wearables and mHealth apps are constantly gathering user health data, even while we are sleeping, and so, these devices need to be covered under HIPAA laws to make sure that users know how their data is being used.

Unfortunately, HIPAA rules don’t extend to wearables. The HIPAA compliance law is a federal law and the most powerful health data privacy law. It is limited to the entities mentioned above. It does not cover or apply to the data generated by or uploaded to wearables and mHealth apps by users.

There is no nationwide law, even other than HIPAA, that can govern and protect user data generated or transferred by a smart wearable, including smartwatches.

So, in a nutshell, wearing a smartwatch is not a violation of the HIPAA law.

Lack of Transparency by App Developers

Many third-party mHealth apps are not completely clear with the user regarding the terms of usage. According to research, about twenty-eight percent of health-related apps did not provide any privacy information on Google Play Store. This includes user health data collection, storage, and sharing with other parties.

It is a fact that user data is harvested and then sold to other parties. According to research, user-sensitive data related to quitting smoking and depression are shared with marketers and advertisers. An astonishing eighty-one percent of related apps were found to be doing this.

This can result in unwanted consequences to the user as well as users with the same behavioral patterns. A consumers’ lack of awareness can be held responsible for this. But, sadly, the user can’t do anything as they have agreed to the terms of service of such apps.

Need for a Data Privacy Policy for Wearables

Since wearables are outside the scope of HIPAA laws, there arises a need for a data privacy policy that specifically covers these gadgets. While companies such as Apple value data privacy, the same cannot be said for every organization.

Theoretically, companies that are involved in collecting health data, including OEMs and mHealth app developers, can work towards ensuring that user data privacy is maintained.

However, in practicality, most businesses earn revenue by sharing such data. And it is unlikely that they will give up on this easy way of generating income.

Lawmakers realized the need to implement a stronger data protection law to fill the gap left by the HIPAA act. Hence, the SMARTWATCH Data Act was born.

The SMARTWATCH Data Act

The SMARTWATCH (Stop Marketing And Revealing The Wearables And Trackers Consumer Health) Data Act was introduced in 2019. It was aimed at protecting the health data of users stored on wearables, including smartwatches, in the same manner in which HIPAA protects patient health information shared in person with a medical professional.

This bill was introduced by Senators Bill Cassidy M.D. (R-Louisiana) and Jacky Rosen (D-Nevada).

Senator Rosen said, “The introduction of technology to our health care system in the form of apps and wearable health devices has brought up several important questions regarding data collection and privacy. This common sense, bipartisan legislation will extend existing health care privacy protections to personal health data collected by apps and wearables, preventing this data from being sold or used commercially without the consumer’s consent.”

The act restricts the commercial use of identifiable personal health information derived from a smartwatch or similar wearable devices. As per the bill, there is a prohibition on:

  • Transfer
  • Sale
  • Sharing
  • Access,

to any de-identified consumer health information or other individually identifiable health information.

It covers data collected, recorded, or derived from personal consumer devices. The entities covered under the bill to whom the prohibition applies to, include:

  • Domestic information brokers
  • Other domestic entities
  • Entities based outside the United States

The restrictions apply if the data is used for commercial purposes and generating profits. User consent is required to share the data with these entities.

Moreover, any health information from such devices and received by health care providers, health plans, or their business associates are considered protected health information. They are subject to applicable federal privacy standards.

The Office of Civil Rights (OCR), functioning under the Department of Health and Human Services, is responsible for enforcing this act. Entities that do not comply with the SMARTWATCH Data Act will be penalized in the same manner as HIPAA violation fines.

Parting Thoughts

There is no harm in using a smartwatch or other wearable. In fact, they have helped simplify our health care and monitoring and even saved lives in certain cases. That being said, it is important that user data is protected and privacy is maintained.

It is good that the SMARTWATCH Data Act was conceptualized as the HIPPA law failed to protect consumer health data. And again, NO, wearing a smartwatch is not a violation of the HIPAA law.