With the explosion of health data sifting through cutting-edge companies, industry stakeholders are left to wonder how wearable devices, wellness programs, health applications, and the like should be regulated.
Despite popular belief, the Health Insurance Portability and Accountability Act (“HIPAA”) does not regulate all health information. HIPAA regulates health information collected and retained by covered entities and imposes downstream obligations on entities called business associates. HIPAA began with a limited purpose and was not created to cover all health information held by all entities. Enacted in 1996, HIPAA was originally designed to address the exchange of electronic health information and portability, so that an employee could maintain health insurance between employers.
Today’s perceived gaps in HIPAA, therefore, seem plausible, given its history and the realization that when HIPAA was created 23 years ago, the health landscape was without today’s innovative health companies collecting and aggregating health data in new ways for new purposes, and without the accompanying geometric increase in the complexity and types of risk. While newer health tech companies may find themselves outside the HIPAA regime, a recent Senate Bill hopes to expand HIPAA to include health information collected by fitness trackers, health-focused social media sites, and direct-to-consumer genetic testing companies. Though the Senate Bill has stalled, companies have seen enforcement beyond the HIPAA regime.
In March 2017, the New York Attorney General announced a settlement with the developers of three health apps, alleging that the creators made misleading claims and had irresponsible privacy practices, with unclear and inconsistent statements about how they collected and shared users’ personal information with third parties. The Attorney General alleged violations of New York’s Consumer Protection Act and False Advertising laws.
So what is the moral of the story? Just because your health company does not fit squarely within the HIPAA regime does not mean it is exempt from regulation. Keep in mind applicable state laws, such as a state’s Consumer Fraud Act. Consider obligations to federal regulators, such as the FTC’s authority over deceptive consumer practices and the FDA’s oversight of medical devices.
Have a good understanding of what your company is (and what it isn’t). If you’re a covered entity or business associate, your obligation to comply with HIPAA is clear. However, consider wearable devices, like Fitbit and smartwatches, that track users’ heart rate and sync their health data to smartphone apps. Consider wearable biosensors that monitor patients’ vital signs, temperature, and body posture. A deeper analysis of when health information shifts from HIPAA-protected to non-HIPAA-protected can be found in a separate Alert by Elizabeth Litten.