Wearables raising possible policy concerns over privacy and security

Wearable fitness-monitoring devices are not only motivating Americans to exercise more. When combined with providers’ use of wearable computers and cloud-based storage, they’re also pushing the healthcare system to ask whether HIPAA lines are being crossed.

A former policy and planning official at the VA under the Obama administration took up the question in Government Health IT, a publication of HIMSS Media.

“It is not clear whether using patient data to improve products, as opposed to health outcomes, is allowed under this law (HIPAA),” wrote Julie Anderson, who now works as a consultant. “An even more concerning scenario could take shape if health information were combined with other personal, non-medical data for the purposes of user profiling.”

If wearable device manufacturers want to store health information in the cloud, they must bring their terms of service and privacy policies in line with HIPAA privacy and security requirements, argued Anderson.

Vendors supplying wearables, she added, should take several steps to govern how health data is secured, shared and analyzed.

When it comes to HIPAA-mandated security controls, companies must protect health information with baseline access control and encryption measures, in addition to maintaining an “audit trail” of who has edited a patient’s information and when, wrote Anderson.

Meanwhile, companies need to grant patients and consumers greater transparency with regard to how their data is being used. “HIPAA would also require obtaining a patient’s consent before using their health information in any part of the advertising process,” Anderson pointed out.

Where privacy is concerned, companies must only analyze health data within the confines of what is permissible under HIPAA. “If companies want to mine customer data for other purposes, they should keep health information separate from non-medical data,” she wrote.

“[A]ny consumers, doctors and healthcare organizations using wearables in any capacity,” concluded Anderson, “should seek out vendors [who] will adhere to these tenets moving forward.”

Dave Pearson

Dave P. has worked in journalism, marketing and public relations for more than 30 years, frequently concentrating on hospitals, healthcare technology and Catholic communications. He has also specialized in fundraising communications, ghostwriting for CEOs of local, national and global charities, nonprofits and foundations.
