Can Wearables Be HIPAA Compliant?

Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) establishes a set of rules within the United States for the protection of certain health information, known as protected health information (PHI).

HIPAA establishes and enforces security and privacy standards for patient data handled by "covered entities" such as pharmacies, hospitals, other healthcare providers, and health plans. It was later strengthened by the HITECH Act of 2009 (Health Information Technology for Economic and Clinical Health), which extended HIPAA's obligations to the business associates that store, back up, or transmit this data on a covered entity's behalf, added breach notification requirements, and raised the penalties for non-compliance.

Two major rules are at the heart of the Health Insurance Portability and Accountability Act: the HIPAA Privacy Rule, which limits how patient medical data may be used and disclosed, and the HIPAA Security Rule, which requires administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic medical data.

Failing to comply with HIPAA rules can lead to huge fines and penalties, but there is an industry that currently occupies a grey area when it comes to HIPAA compliance: wearable gadgets. Do they need to comply with HIPAA? If so, can that really be achieved?

According to a US Government report from 2016, the Act has failed to keep up with the latest technology trends, including wearable fitness trackers, mobile health apps, and online patient communities, which leaves a significant hole in the scope of this legislation.

As mentioned above, only covered entities like hospitals and health plans, together with the business associates that handle data for them, need to comply with HIPAA. This leaves out tech companies that collect health-related data directly from consumers, with no covered entity in the picture, which is exactly the position of most companies operating in the wearable market.

One would think that, because these companies are focused on tech, they would take good care of their customers' personal data, but that is not always the case. Back in 2016, a cybersecurity consultant discovered that customers' private data held by a genetic testing company was easily accessible.

Five years earlier, the popular fitness tracker Fitbit was found to expose data about its users' sexual activity and its intensity on public user profiles. That data was supposed to be used only for calculating burned calories, yet it was accessible to anyone who viewed the profile.

These are just two examples of how poorly the new health-tech companies can store and protect the information of their customers and users. With this in mind, it becomes fairly clear that some legislation should be put in place to cover the activities and procedures of these companies, an update to HIPAA being one option.

But the question still remains: can wearables be HIPAA compliant? A wearable vendor selling directly to consumers does not have to comply with the Act, although it becomes subject to HIPAA as a business associate if it processes data on behalf of a covered entity, for example by feeding device readings into a hospital's records under contract. Either way, nothing prevents a vendor from meeting the same standard voluntarily. At the end of the day, it all comes down to the way data is transmitted and stored.

Another report, from 2013, showed that many health-related apps were sending user data to third-party websites without the user's knowledge or consent, and were doing so over unencrypted channels. All of this is a recipe for disaster, and because these apps are not covered entities, none of it falls within HIPAA's reach.

In an effort to remediate the situation, the Consumer Technology Association (as it is now called) launched a set of "Guiding Principles on the Privacy and Security of Personal Wellness Data" but, by the association's own account, adoption has been scarce.

For all those wanting to make their wearable devices compliant with HIPAA, the key is to store and transmit user information securely: encrypted in transit and at rest, with access limited to those who need it and logged. While this is easier said than done, there are a few strategies to make it work. One is choosing a web hosting partner that has aligned its controls with the HIPAA Security Rule, will sign a Business Associate Agreement, and has the knowledge to help customers with HIPAA compliance. Note that there is no official HIPAA certification for hosting providers or anyone else, so "HIPAA certified" marketing should be read as a claim of alignment, not of government approval.

This is a guest post written by Adnan Raja, on behalf of Atlantic.Net