Tuesday, July 28, 2015

Fitbit vs HIPAA

As who's actually subject to HIPAA restrictions becomes ever murkier, technology continues to pile on. And it's not just Electronic Health Records (EHR). As we noted a few months ago, John Hancock is tapping into the FitBit craze, offering policyholders the chance to trade laps around the track for dollars off their premiums.

It seems pretty obvious that buying and using a FitBit for oneself doesn't entail HIPAA issues (although it could cause problems for would-be criminals). But what if it's tech that was prescribed (and/or provided) by a medical provider?

We've posted about who actually owns the data in these kinds of cases, but not really addressed HIPAA considerations (if any). Over at SearchHealthIT, David Reis, Ph.D., vice president of information services and chief information security officer at Lahey Hospital and Medical Center in Burlington, MA (there's a mouthful!) notes:

"[I]f a person receives a wearable device through their hospital or doctor, the healthcare data that device collects is covered by HIPAA. At least, the data HIPAA defines as protected healthcare information (PHI) is safeguarded."

So what does HIPAA consider "healthcare data"? Well, ostensibly that could include something like your latest MRI, but probably not your BP reading (at least if it isn't linked to you specifically).

But is that really the case?

Security litigation specialist Kirk Nahra is skeptical. He thinks that wearables may fall outside HIPAA's authority (well, CMS's authority to enforce the regs).

Here's the problem, though: he posits this example to bolster his position:

"If a person is in a car accident, both the health insurer and auto insurer receive that person's medical bills. The health insurer protects that person's health data under HIPAA, while the auto insurer does not."

That struck me as unlikely, so I contacted a claims supervisor for a major P&C company to confirm whether or not this was the case.

In a word: No.

Any medical info that the auto insurer receives is absolutely subject to HIPAA confidentiality rules. Still, Mr. Nahra's basic point, that a law written in 1996 couldn't realistically anticipate the explosion of so much new technology and its ramifications, is sound.

In the event, the key question remains: How, if at all, does HIPAA apply to "wearables"?

Part of the problem is that one doesn't necessarily know exactly where one's data is going to end up:

"[The] U.S. Federal Trade Commission recently tested 12 mHealth and fitness applications and discovered these apps sent consumer data to 76 third-party companies."

Did users agree to this? Well, one presumes that the info was disclosed in the EULA (and, of course, we all read those religiously). So there's that.

The sticking point seems to be: what happens to the data when it hits the end-vendor? Well, that seems to depend on whether that vendor has some kind of relationship with a "HIPAA covered entity" (basically, one that deals with personal health info, such as a provider or insurer).

I've reached out to FoIB David Williams, who's written extensively on wearables and health care, for his insights on this.

Meantime, something to think about while you're walking up and down the stairs.

[Hat Tip: FoIB Holly R]