Wearables Fall Under Regulatory Gray Area

April 10, 2017

Fitbits and other wearables have become increasingly popular, but does the data they collect fall under HIPAA or not?

Some uses of health data fall into gray areas of federal regulation, notes David Harlow, a Newton, Mass.-based attorney and consultant focused on healthcare privacy and security. Speaking during a March 21 webinar, Harlow said data from wearable devices such as a Fitbit could be covered by HIPAA in some use cases and not in others.

"You could be using the same Fitbit on your wrist, but depending on how it ended up there, it could be governed by different regulatory structures," he explained.

"If I buy [the Fitbit] myself and connect it to my smartphone, that is my personal health record information that may be stored by a smartphone app I am using." That would not be covered by HIPAA. "But if the wearable is provided to me by my health plan, a wellness program, by my doctor's office, or insurance company, that is governed by HIPAA," he explained.

Whenever wearable data is fed into an individual's health record held by a HIPAA covered entity, such as a provider or health plan, and correlated with other clinical information, HIPAA applies. The deciding factor is who holds the data and in what role, not the fact that the data is health-related. Wearable manufacturers may also be involved in research projects and use data collected from individuals; in that case, HIPAA does not apply, but Federal Trade Commission rules on privacy and on unfair or deceptive practices do.
