The views expressed by contributors are their own and not the view of The Hill

HIPAA guidelines should evolve with wearable technology

by Pamela Greenstone, opinion contributor - 03/14/18 5:00 PM ET

With Fitbit’s recent announcement of its plans to purchase Twine Health, a HIPAA-compliant, cloud-based health management platform, applications of wearable technology in health care are poised to expand substantially within the next few years

Already, consumer products like the Apple Watch could potentially detect diabetes with its heart rate sensor and step counter. But the tech giant’s foray into the digital health market extends even further with its Health app, which allows users to download and view parts of their medical records.

{mosads}Today, wearable devices on the market offer a plethora of tracking capabilities, that include measuring the heart rate, number of steps taken, and glucose and activity levels. The decisions made by the physician and patient after obtaining such sensitive data could potentially have life-changing effects.

The future of health care could see remote surgeries, wearable scanners, and 5G ambulances — as described by Nokia’s CEO Rajeev Suri — become the norm and revolutionize the way health-care providers diagnose diseases and provide treatment. With such troves of data collected by wearable devices, tech companies are set to continue inventing new applications and improving the capabilities of current devices.

However, due to health data security concerns, patient data that is collected by wearables and shared with physicians will create an additional burden on health-care organizations. It will be the job of health information management (HIM) personnel to make sure the databases storing wearable data are HIPAA compliant.

According to HIPAA guidelines, any third party that conducts business with a HIPAA-covered entity must have a contract in place that details their responsibilities and requires HIPAA compliance. Regarding wearables, HIPAA does not apply if the tech company does not share the health data with health-care providers. But the patient data collected by a doctor-provided wearable device will be covered under HIPAA.

Vendors might consider providing a warning label informing the consumer if the device is HIPAA compliant or not. However, consumers today seem to be more interested in the health benefits of wearable devices, rather than privacy. In fact, Fitbit was not a HIPAA-compliant device until September 2015, even though the company sold nearly 11 million devices in 2014.

Fortunately, some of the largest tech companies have made a dedicated effort to ensure their devices are HIPAA-compliant. Today, Samsung wearable devices meet HIPAA compliance with its built-in Knox security platform and the Apple Watch uses HealthKit to ensure a user’s data is shared securely.

But ultimately HIM departments will have to make sure the ways in which data is shared with providers are truly HIPAA compliant.

Providers should consider having a separate network for wearable devices that aren’t controlled by the IT department.

HIM and IT departments will be responsible for monitoring and making sure doctor-provided wearable Bluetooth receptors don’t and are unable to make random connections with other devices by utilizing appropriate security tools.

But of course the most critical protective measure is to fully understand the capabilities of each wearable device and implement appropriate security rules.

With wearable devices creating opportunities in preventative care, consumers are widely unaware of how their health data can be shared and how they can keep control of it. In the waiting room patients are given a form to sign that briefly outlines their rights under HIPAA, but little — if anything — is mentioned about HIPAA-compliant wearable devices.

There are a number of ways health-care organizations can lead the way in educating wearable tech consumers. For example, Health Information Managers can create campaigns to help raise awareness of the privacy risks posed by wearable devices and the safeguards being created by health-care providers.

If patients are choosing to release health data collected by their wearable devices to their provider, then they should know the rights they have. In addition, rather than choosing to share health data just to obtain discounts on health insurance, patients should be informed of the full implications of their decision — the benefits and the risks.

Health information managers also play the role of patient advocate — ensuring doctor-provided wearable devices are compliant with HIPAA policies and guidelines. Furthermore, they should be constantly evaluating HIPAA standards in light of new technology and making sure the organization’s policies are keeping up.

As technology evolves, so should the responsibilities of health-care organizations and the roles of health information managers, not just to maintain HIPAA compliance, but also to keep the best interests of the patient at heart.

Pamela Greenstone is the program director for the online Health Information Management program in the College of Allied Health at the University of Cincinnati.