A recent study estimates that 19 percent of US citizens say they currently use a wearable fitness tracker, and the same percentage say they currently use a mobile health app. Combining present use with the percentages of Americans who say they have used each of these devices in the past, about one in three Americans report having at some point worn a fitness tracker such as a Fitbit or smartwatch (34%) or tracked their health statistics on a phone or tablet app (32%).
Wearable technology offers the healthcare industry important benefits, including appointment reminders and a way to track patient vitals and activity levels. It also has cost-reducing benefits, such as fewer in-office visits. While wearable technology shipments are expected to grow at a compound annual growth rate of 18.4 percent by 2021, and home healthcare is expected to boost the use of medical wearable devices, this growth also brings data security and privacy concerns.
When protected health information (PHI) is involved, the devices must comply with HIPAA law, so it is important to understand how HIPAA plays a part in wearable health technology. With constantly evolving health technology and constantly increasing patient-generated data, it is important to understand where HIPAA policy applies and where it does not.
This policy brief discusses HIPAA's impact and effects on wearable technology and the related patient data. HIPAA comprises various rules; the rule that pertains to wearable technology is the Privacy Rule, since a large amount of patient-generated data needs to be secured and has to comply with HIPAA. The brief discusses the effects and impacts of wearable-technology-generated PHI and its role in clinical data management. It also examines the impact of wearable technology on patients, payers and providers through the lens of HIPAA compliance norms, with the aim of establishing guidelines and more robust policies so that patient data is secure and effective healthcare administration can evolve alongside fast-evolving technology.
History and Background
HIPAA stands for the Health Insurance Portability and Accountability Act. It was brought forward mainly to protect employees between jobs. Other objectives of the Act were to combat waste, fraud and abuse in health insurance and healthcare delivery. The Act also contained passages that promoted the use of medical savings accounts by introducing tax breaks, provided coverage for employees with pre-existing medical conditions and simplified the administration of health insurance. HIPAA therefore improved the portability and accountability of health insurance coverage.
The Privacy Rule
HIPAA's original purpose was to protect covered entities, but the way in which it is implemented is constantly changing to accommodate advances in technology and changes to working practices, both of which have resulted in new threats to patient privacy and the security of PHI. The Privacy Rule dictates how, when and under what circumstances PHI can be used and disclosed. First brought into force in 2003, it applies to all healthcare organizations, clearinghouses and entities that provide health plans. Since 2013, it has been extended to include Business Associates.[1]
The Privacy Rule sets limits on the use of patient information when the patient has not given prior authorization. Additionally, it mandates that patients and their representatives have the right to obtain a copy of their health records and to request corrections of errors.[2]
Advent of wearable technology
With constant development in technology over the years, humans have not only mastered the art of developing compact, portable devices that can monitor health but have also linked them with the ever-growing fashion industry, creating a market resonance. As a result, self-care using technological products is something people take up not only as a health choice but also as a fashion choice.
Figure 1: Percentage of US adults who were willing to wear technology that tracks select health statistics, as of 2018.
This sudden and immense disruption in the healthcare sector has brought forward a new realm in which patients generate their own data. This data needs to be regulated, put to good use and integrated with the current healthcare system in order to ensure patient privacy, prevent data misuse and optimize care.
Various types of wearables have come into existence and even more are in the making, so let's take a look at the types of wearable technology people are using in order to monitor their health. Figure 2, with the help of an infographic, illustrates the types of wearable devices and their uses.
Figure 2: Types of wearable devices and their uses. Source: Smart Insights, "Wearable Technology Statistics and Trends 2018," November 15, 2017.[3]
Health Data and Its Implications
Health data may be defined as any data that describes the physical or mental condition, identity and treatment history of an individual. Before the advent of patient-generated data, healthcare professionals and healthcare organizations were the generators and managers of such data; once people gained access to wearable health technology, an immense amount of data began to be generated and circulated for a plethora of purposes. For present purposes, the world of health data falls into two categories. Protected health information (PHI), defined by and subject to HIPAA, falls in the first category. The second category includes health data that does not enjoy the protections of HIPAA. For ease of reference, the two categories are referred to here as regulated (subject to HIPAA) and unregulated (not subject to HIPAA). Data in the unregulated category is, for the most part, not subject to any specific statutory privacy regulation.[4]
A large portion of unregulated data involves organizations that rely on health data as an element of a commercial activity, including data brokers, advertisers, websites, marketers, genetic testing companies, and others. The unregulated data includes some governmental and non-profit activities as well. The size of the unregulated world of health data is unknown, but Kirsten Ostherr of Rice University, in a 2017 article, said that in 2016 there were more than 165,000 health and wellness apps available through the Apple App Store alone.[5] Those apps represent only a small fraction of the unregulated health data sphere.
Under HIPAA, PHI remains subject to controls in the hands of covered entities.
When disclosed outside the HIPAA domain of covered entities, HIPAA data is no longer subject to HIPAA controls, although some disclosed data may occasionally fall under the scope of another privacy law. In general, however, the data disclosed by a HIPAA covered entity passes into the second category of unregulated data.
As a result of the growing use of wearable technology, users are creating large amounts of self-generated data, and patients are now playing a more active role in their healthcare. This phenomenon is known as patient-generated health data (PGHD), which the US Department of Health and Human Services' (HHS) Office of the National Coordinator for Health Information Technology (ONC) defines as "health-related data created, recorded, or gathered by or from patients (or family members or caregivers) to help address a health concern."
Associated Risks and HIPAA Compliance
As patient-generated data overload occurs through millions of users of various health devices, the risk of data leakage and privacy breaches is very real, and the very body that is supposed to prevent the misuse and illegal monetization of PHI, i.e., HIPAA and its Privacy Rule, is not up to date on the handling of such data. Consider, for example, a patient who generates data for his personal use: unregulated data that passes from an unregulated actor to a HIPAA covered entity becomes PHI in the hands of the covered entity while remaining unregulated in the hands of the originator. PHI that passes out of the regulated world generally becomes unregulated data in the hands of a recipient who is not a HIPAA covered entity. Data can pass back and forth between the two categories.
Impact on Patients
The advent of wearable technology brings about a drastic change as far as patients are concerned: it puts a massive amount of control in the hands of the patient. For example, before health technology came around, patients had to see physicians and use healthcare equipment in order to monitor things like heart rate and blood sugar levels, which drove up healthcare costs and insurance premiums per patient.
Wearable technology has made people more aware of their health and more engaged and informed in their personal care, thereby improving general population health.
The problem arises when this patient-generated data is used by device manufacturers and associated healthcare provider companies for monetary benefit through targeted marketing and for other research purposes. This is where HIPAA is supposed to come in; however, HIPAA regulations apply only to covered entities and business associates. This grouping includes clearinghouses, health plans, and providers.
There are no cut-and-dried HIPAA regulations related to wearable technology at this point. However, once a provider becomes involved in receiving data from a piece of wearable technology, that exchange is subject to HIPAA regulations.
Impact on Payers
Insurance companies use patient-generated data to improve risk assessments and to improve customer quality of life and lifetime value. One study shows that wearables can encourage healthier behavior associated with a 30% reduction in the risk of cardiovascular events and death.
Insurance companies may be at risk of not being HIPAA compliant because HIPAA rules are not well defined regarding wearable technology.
Impact on Providers
Wearable technology proves to be an efficiency-improvement tool for healthcare providers, improving preventive care and expanding EHS, leading to early detection of chronic diseases and early intervention by doctors.
HIPAA regulation regarding data reaching physicians is unclear, as are physicians' responsibilities for collecting, monitoring, and protecting that data: HIPAA applies to patient data collected by physicians, but differing state laws mean that a physician's specific responsibilities for monitoring and protecting patient data vary by location.
References
- [1] Office for Civil Rights (OCR). "Privacy." HHS.gov, May 7, 2008. https://www.hhs.gov/hipaa/for-professionals/privacy/index.html.
- [2] HIPAA Guide. "HIPAA for Dummies." Accessed February 18, 2020. https://www.hipaaguide.net/hipaa-for-dummies/.
- [3] Smart Insights. "Wearable Technology Statistics and Trends 2018," November 15, 2017. https://www.smartinsights.com/digital-marketing-strategy/wearables-statistics-2017/.
- [4] "Health Information Privacy Beyond HIPAA: A 2018 Environmental Scan of Major Trends and Challenges," n.d., 68.
- [5] "Rice Expert: Be Concerned about How Apps Collect, Share Health Data." Accessed February 18, 2020. http://news.rice.edu/2017/10/19/rice-expert-be-concerned-about-how-apps-collect-share-health-data/.