Fitness “wearables,” such as Fitbit, as well as health-monitoring websites and mobile applications, have become immensely popular. As a result, personal health information, which previously fell for the most part under the privacy and security restrictions of HIPAA, is now stored in less-secure devices or software. This has raised a new question: should wearable health and fitness technology be HIPAA compliant? In most cases, the answer appears to be “no,” at least for the time being. However, the U.S. Department of Health and Human Services recently published a report detailing the gaps between data protected from disclosure by HIPAA and the information not typically included in HIPAA’s coverage, such as health-related mobile apps, websites, and fitness wearables:
“Individuals who share their health information with [non-covered entities] might not fully understand where the protections afforded by HIPAA begin and end…. In short, consumers may not be equipped to evaluate the privacy and security implications that attach to the [non-Covered Entities] with which they interact every day.”
HIPAA’s Privacy and Security Rules apply to health plans, healthcare clearinghouses, and healthcare providers (collectively referred to as “Covered Entities”) that handle “protected health information,” that is, individually identifiable health information created or received by the Covered Entity. Healthcare apps offered by Covered Entities, or by their “Business Associates,” do of course fall within the scope of HIPAA protections. However, many health-tracking devices and applications do not fall under the security and privacy protections of HIPAA, because they usually work directly with the consumer and are therefore not considered Covered Entities or Business Associates.
Applications that track, store, and share healthcare information with Covered Entities are considered Business Associates and are required to be HIPAA compliant and to meet HIPAA security standards, which include administrative, technical, and physical safeguard requirements for health-related data. Developers of software or devices that share information with Covered Entities should be aware that these interactions do fall under HIPAA requirements. Once information is potentially part of an exchange with a doctor or other healthcare provider, the data on the device and the data stored by your application fall under HIPAA regulations, and you must ensure that the devices offer the privacy protections demanded by the HIPAA Privacy and Security Rules. The unauthorized disclosure of this sensitive health information, intentional or otherwise, would violate HIPAA and could result in substantial penalties.
If you have any questions concerning the HIPAA Security and Privacy Rules, contact an attorney at Sparks Law. We would be happy to advise you on protecting your business against regulatory sanctions.