By: Laura Stavetski
Fitbit is among the top leading companies involved in producing consumer wearables. Consumer wearables are devices that can be worn on your actual person that have the capability to monitor and record physical activity such as heart rate, number of steps taken per day, and amount of calories burned. Additionally, these devices also have the capability to monitor your sleep patterns. Consumer wearables such as Fitbit can then be synced with health apps on your smartphone so you can monitor your fitness progress over time. Recent studies estimate that the consumer wearable market will be worth nearly 24 million dollars this year and will continue to grow in 2016. However, while the Fitbit craze shows no sign of weakening the concerns about what these companies do with our health data are growing rapidly.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted in order to protect the privacy of our personal health information. By limiting who can and cannot have access to personal health information, HIPAA temporarily put a stop to health data sharing in the medical field. However, in the era of consumer wearables the commercial sector has discovered a loophole in HIPAA that allows Fitbit and others to transmit personal health information to third parties. HIPPA’s jurisdiction does not extend to Fitbit and other consumer wearables because consumers are using these products for nonmedical purposes. HIPPA’s protection of personal health information only extends to covered entities, which include a health plan, a health care clearinghouse, or a health care provider who transmits health information electronically. Because consumer wearables do not fall within any of the covered entities, Fitbit and others are free to transmit personal health information. As a result, third parties such as advertisers and health insurance providers can easily access personal health data that is collected by consumer wearables.
Although third party access to Fitbit information does not sound particularly dangerous on its face, in reality it may mean a serious invasion of privacy. A recent study conducted by the Federal Trade Commission observed twelve different health and fitness apps and found that these health apps transmitted the data collected to seventy-six different third parties. Additionally, this study revealed that in some instances names and addresses of individuals using the health apps were transmitted. Free access to information such as activity levels and health conditions could mean serious consequences for the general public. If health insurance providers have the ability to obtain this information there could be a significant change in insurance coverage for many individuals. With the current statutory scheme of personal health information protection, Fitbit and others can legally transmit extremely private information to third parties without the consent of the individual.
If the federal statutes governing health information privacy remain as they are currently written the privacy problems with consumer wearables will only continue to grow. One of two things need to be done in order to fix this problem before it spirals out of control and the damage becomes irreparable. Either the government needs to propose an amendment to HIPPA that will encompass the data collected by consumer wearables or new legislation needs to be written that specifically applies to the transmission of consumer health data in regards to consumer wearable devices. An amendment to the HIPAA legislation appears that it would be the most efficient way to protect the personal health information collected by consumer wearables. As the market for consumer wearable devices continues to grow it is important that appropriate privacy measures are put in place to protect our personal health information going forward.
Bio: Laura is a Staff Member of the Journal of High Technology Law. She is currently a 2L at Suffolk Law. She holds a B.A. in Economics from Roanoke College.