Recent progress in technology has allowed wearable devices to be developed to monitor health and fitness, and while these gadgets, monitors and sensors can significantly improve healthcare, they also carry a significant risk of HIPAA violations.
Over the past year the number of wearable devices in use has grown at a staggering rate. In 2013 the market for wearable devices was thought to be worth $1.4 billion and by 2024, sales of wearable devices are expected to generate $70 billion per year.
These devices include fitness bands, such as those sold by Fitbit, which record detailed data during exercise and everyday living. In 2011, users of the devices found out just how much personal information was saved, stored and, unfortunately for many, also shared with the online community. Some found their exercise data had been indexed by Google and was publicly available.
Not only was data from jogging, cycling and running sessions captured, but also much more personal information including other forms of “exercise”. These activities included kissing, cuddling and sexual activity, with the data including date, time, duration and effort put into the recorded activity. Fitbit addressed the issue and the data has been taken down from Google but not before a number of users had their data exposed.
It may be embarrassing to have one's evening activity statistics posted online, and it is certainly not as serious as having Social Security numbers or health data revealed, but the incident did emphasize just how easy it is for users to unwittingly share highly personal information.
Devices have also been developed to track and monitor users' health data, such as monitoring blood sugar to help people with diabetes. One notable “data breach” happened when a worried father decided to remotely monitor his daughter's blood sugar: he hacked into her fitness tracker and had the data sent to his smartwatch. This was a clear breach of privacy, although the act was certainly carried out with the best of intentions.
This was clearly not a HIPAA breach, as neither father nor daughter was subject to the HIPAA Privacy and Security Rules, but data from wearable devices is increasingly being sent to doctors and care teams, who are covered under the legislation.
Patients themselves may not be covered by HIPAA, but if healthcare data from the devices is shared with medical professionals, there is considerable risk that the devices will give rise to HIPAA violations.
Companies providing the devices to HIPAA covered entities – or medical professionals using the devices to track health information – must ensure that the devices offer the proper privacy protections as demanded by HIPAA Privacy and Security Rules.
Security controls must be adopted to protect any health information and personal identifiers that are recorded and transmitted by the devices, as any impermissible disclosure of this information, intentional or otherwise, would breach HIPAA – and state data privacy and security rules – and could result in substantial penalties.
Since the passing of the Omnibus Rule, any company providing the devices to a HIPAA-covered entity would be considered a Business Associate, and as such would itself be subject to HIPAA regulations.
The devices have the potential to greatly improve patient care, reduce treatment costs and prevent serious illness and injury, but patient privacy must be protected and the necessary steps taken to secure the data the devices hold and transmit.