HIPAA Violations: Wearable Devices Carry High Risk

by | Feb 19, 2015

Recent progress in technology has allowed wearable devices to be developed to monitor health and fitness, and while these gadgets, monitors and sensors can significantly improve healthcare, they also carry a great danger of HIPAA violation.

Over the past year the number of wearable devices in use has grown at a staggering rate. In 2013 the market for wearable devices was thought to be worth $1.4 billion and by 2024, sales of wearable devices are expected to generate $70 billion per year.

These devices include fitness bands, such as those sold by Fitbit, which record detailed data during exercise and everyday living. In 2011, users of the devices found out just how much personal information was saved, stored and, unfortunately for many, also shared with the online community. Some found their exercise data had been indexed by Google and was also publicly available.

Not only was data from jogging, cycling and running sessions captured, but also much more personal information including other forms of “exercise”. These activities included kissing, cuddling and sexual activity, with the data including date, time, duration and effort put into the recorded activity. Fitbit addressed the issue and the data has been taken down from Google but not before a number of users had their data exposed.

It may be embarrassing to have one's evening activity statistics posted online, and it is certainly not as serious as having Social Security numbers or health data revealed, but the incident did emphasize just how simple it is for users to unwittingly share highly personal information.

Devices have also been developed to track and monitor the health data of users, such as monitoring blood sugar to help sufferers of diabetes. One notable “data breach” happened when a worried father decided to remotely monitor his daughter’s blood sugar, hacked into her fitness tracker and had the data sent to his smartwatch. A clear breach of privacy, although the act was certainly carried out with the best intentions.

This was clearly not a HIPAA breach, as neither father nor daughter was subject to the HIPAA Privacy and Security Rules, but data from wearable devices is being sent to doctors and care teams, who are covered under the legislation.

Patients may not be included under HIPAA legislation, but if healthcare data from the devices is shared with medical professionals, there is considerable risk for the devices to cause HIPAA violations.

Companies providing the devices to HIPAA covered entities – or medical professionals using the devices to track health information – must ensure that the devices offer the proper privacy protections as demanded by HIPAA Privacy and Security Rules.

Security controls must be adopted to protect any health information and personal identifiers that are recorded and transmitted by the devices, as any unpermitted disclosure of this information, intentional or otherwise, would breach HIPAA – and state data privacy and security rules – and could result in substantial penalties being issued.

Since the passing of the Omnibus Rule, any company providing the devices to a HIPAA-covered entity would be considered a Business Associate, and as such would be covered by HIPAA regulations.

The devices have the ability to greatly improve patient care, reduce treatment costs and prevent serious illness and injury, but patient privacy must be protected and the necessary steps taken to protect the data the devices hold and broadcast.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile.
