
How Does HIPAA Apply to Wearable Health Technology?

This is a guest post provided by Rahul Varshneya of Arkenea.

Wearable technology offers the healthcare industry important benefits, including appointment reminders and a way to track patient vitals and activity levels. It also has cost-reducing benefits, such as fewer in-office visits.

Wearable technology shipments are expected to grow at a compound annual growth rate of 18.4 percent through 2021, and home healthcare is expected to boost the use of medical wearable devices. That growth also brings data security and privacy concerns.

When protected health information (PHI) is involved, the devices must comply with HIPAA law. So, it’s important to understand how HIPAA plays a part in wearable health technology. Here are a few key points to consider:


  1. If You Require Patient Data, You Are Required to Maintain HIPAA Compliance

If the wearable device your company makes requires that patients provide PHI, then your device should be HIPAA-compliant. Patients can voluntarily give personal information to wearable devices to track their activity levels, such as entering their age and weight so that a wearable blood pressure monitor produces accurate readings.

However, once the healthcare provider behind the wearable requires that information, HIPAA takes effect. This is because sensitive patient data then integrates with electronic health records (EHRs), enterprise cloud storage and the other systems used by doctors' offices, health insurance plans and healthcare providers.

By law, these providers must follow the Privacy Rule under HIPAA, which requires safeguarding patient information.


  2. You’ll Need to Inform Patients

Protecting patient data also requires making patients aware that their information is being collected. HIPAA requires that providers inform patients of their data collection policies.

This includes expressing how data is collected and stored, how it will be used and why it’s being used. That means if your healthcare facility collects data from wearable devices, such as collecting the sleep patterns reported from an Apple Watch app, then you’ll need to ensure users of that device understand and are aware of your privacy and security practices and policies.


  3. Providing Patients With Wearables Requires HIPAA Compliance

To stay competitive, sometimes health providers and insurance companies offer discounts to consumers or partners in exchange for data.

Insurance provider John Hancock started offering a 15 percent discount on its insurance plans to patients who voluntarily shared their personal data from Fitbit devices back in 2015. This later evolved into a complete change of the insurance provider’s business model: it now only sells interactive insurance policies that draw healthcare information from wearables, such as the Apple Watch or Fitbit.

This shift toward using wearables as healthcare data sources will likely lead more healthcare providers to adopt wearables and increase the need for HIPAA-compliant devices. That means if your company is providing wearable devices to patients, or engaging third-party healthcare application developers to build the software, you’ll need to ensure the software is HIPAA-compliant.

That’s because providing patients with wearable technology falls under HIPAA’s Security Rule. Thus, specific security measures are required; otherwise your business could face fines. Apple’s HealthKit platform is one example of how today’s technology providers can help safeguard patient data.

With HealthKit, Apple enhances the security of Apple mobile devices by using differential privacy to help safeguard user data before it’s transmitted to third parties, such as healthcare providers. With differential privacy, statistical “noise” is added to the data so that the third party receives only the required information.

This makes it more appealing to healthcare providers and insurance companies to use these devices since they have HIPAA compliance as a part of their practices.


  4. You May Require a Separate Collection Setup

Research firm Scripps conducted a study via a clinical trial that suggested that wearable electrocardiogram (ECG) patches applied at home by individuals who have a high risk of atrial fibrillation (AFib) were more effective at diagnosing AFib than the delayed monitoring provided at healthcare facilities.

The study revealed that the home-based wearable ECG patches helped identify AFib four months earlier than monitoring in a healthcare facility. While this study demonstrates the benefit of speed and convenience that wearable technology brings for healthcare informatics, it also draws attention to the need for a separate data collection setup.

Because wearable technology will likely handle PHI, it’s important to ensure the data being shared with healthcare provider systems is compliant with HIPAA, especially if that information is going directly to their systems. As an alternative, a separate collection space may be necessary to encrypt the data the patients provide and summarize this information before it is transferred to the healthcare provider’s systems. 

Moreover, the amount of data transmitted to healthcare provider systems can easily grow. Thus, it’s critical to have a storage system that can handle this volume, such as robust cloud storage or another storage architecture. Solutions such as the Dash Platform make it easy for organizations to manage HIPAA compliance in AWS.


  5. Your Wearable May Require Too Much Information

Another important part of HIPAA compliance is following the Privacy Rule’s minimum necessary requirement. Under this rule, healthcare providers must limit the information they collect, and their requests for PHI, to only what is needed to accomplish the intended purpose of the wearable device.

For example, if the wearable device your company is distributing is intended to track and monitor your patient’s progress as they exercise, the information your firm collects needs to be limited to only that information. That means your company should not be requesting information, such as the user’s location, to track the progress of exercise if the geographical location is not necessary to get the job done.
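The three technical ideas above (a separate collection step that summarizes data before it reaches provider systems, noise added for differential privacy, and the minimum necessary rule) can be tied together in one small pipeline. The following is an added example written for this post, not code from Arkenea, Dash, Apple or any provider, and its field names, allowlist, epsilon value and sample readings are all assumptions. It keeps only the fields the exercise-tracking purpose needs, drops the rest (including location), and releases only a Laplace-noised aggregate rather than per-user rows:

```python
"""
Added example (not from the original post): a minimal 'separate collection
tier' for wearable uploads that (1) enforces a minimum-necessary field
allowlist, (2) summarizes readings across users, and (3) adds Laplace noise
to the summary (the Laplace mechanism of differential privacy) before anything
is handed to the provider. Field names, bounds and epsilon are assumptions.
"""
import json
import math
import random
from typing import Dict, Iterable, List, Optional

# Assumed allowlist: what an exercise-tracking purpose actually needs.
# Anything else (location, name, ...) is rejected before storage or transfer.
MINIMUM_NECESSARY_FIELDS = frozenset({"user_id", "timestamp", "steps", "heart_rate_bpm"})

# Constructed sample upload, as a wearable app might send it. Two records carry
# extra fields that a minimum-necessary review would reject.
SAMPLE_UPLOAD = [
    {"user_id": "u1", "timestamp": "2020-01-01T10:00:00Z", "steps": 8200,
     "heart_rate_bpm": 72, "location": "40.7,-74.0", "full_name": "Example One"},
    {"user_id": "u2", "timestamp": "2020-01-01T10:00:00Z", "steps": 12100,
     "heart_rate_bpm": 80, "location": "40.8,-73.9"},
    {"user_id": "u3", "timestamp": "2020-01-01T10:00:00Z", "steps": 3400,
     "heart_rate_bpm": 65},
]


def minimize_record(record: Dict) -> Dict:
    """Keep only allowlisted fields: the minimum necessary rule as a code check."""
    return {k: v for k, v in record.items() if k in MINIMUM_NECESSARY_FIELDS}


def dropped_fields(record: Dict) -> List[str]:
    """Report which fields were rejected so the collection tier can log it."""
    return sorted(k for k in record if k not in MINIMUM_NECESSARY_FIELDS)


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverse CDF. The rng is injected so callers
    can choose a cryptographic source in production."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def clamped_mean(values: Iterable[float], lo: float, hi: float) -> float:
    """Mean after clamping each value to [lo, hi]. Clamping bounds how much any
    one user can move the result, which is what makes the noise scale valid."""
    vals = [min(max(v, lo), hi) for v in values]
    if not vals:
        raise ValueError("no values to summarize")
    return sum(vals) / len(vals)


def dp_mean(values: List[float], lo: float, hi: float, epsilon: float,
            rng: Optional[random.Random] = None) -> float:
    """Laplace mechanism for a mean. A clamped mean over n users has
    sensitivity (hi - lo) / n, so the noise scale is sensitivity / epsilon.
    Smaller epsilon means more noise and stronger privacy."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    rng = rng or random.SystemRandom()
    sensitivity = (hi - lo) / len(values)
    return clamped_mean(values, lo, hi) + laplace_noise(sensitivity / epsilon, rng)


def summarize_for_provider(upload: List[Dict], epsilon: float,
                           rng: Optional[random.Random] = None) -> str:
    """What leaves the collection tier: no per-user rows, only a noisy
    aggregate serialized as JSON."""
    minimized = [minimize_record(r) for r in upload]
    steps = [r["steps"] for r in minimized]
    # Assumed plausible daily step range used for clamping.
    summary = {
        "users": len(minimized),
        "mean_steps_dp": round(dp_mean(steps, 0, 30000, epsilon, rng), 1),
        "epsilon": epsilon,
    }
    return json.dumps(summary)


if __name__ == "__main__":
    for r in SAMPLE_UPLOAD:
        print(r["user_id"], "dropped:", dropped_fields(r))
    print(summarize_for_provider(SAMPLE_UPLOAD, epsilon=0.5, rng=random.Random(7)))
```

Two design points are worth noting. The allowlist is deliberately a positive list rather than a blocklist, so a new field added by an app update is rejected until someone justifies it under the minimum necessary rule. And the provider receives only the aggregate: the clamped mean plus Laplace noise scaled to the query's sensitivity, so the released number stays useful while no single patient's reading can be isolated from it.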

Dash provides automated HIPAA compliance solutions for digital health, healthtech companies, and healthcare providers.

Co-founder of Arkenea, a custom software development company that helps entrepreneurs and businesses build experience-rich mobile and web apps. Rahul has been featured as a business technology thought leader in numerous media channels such as Bloomberg TV, Forbes, HuffPost, Inc, among others.