Privacy Protections for Consumer Health Data to be Enhanced by Smartwatch Data Act

Sens. Bill Cassidy, M.D., (R-Louisiana) and Jacky Rosen, (D-Nevada) have introduced the Stop Marketing And Revealing The Wearables And Trackers Consumer Health (Smartwatch) Data Act. This new legislation will ensure that health data gathered through fitness trackers, smartwatches, and health apps cannot be sold or shared without consumer consent.

The Health Insurance Portability and Accountability Act (HIPAA) applies to health data gathered, received, stored, maintained, or shared by HIPAA-covered entities and their business associates. Some of the same information is collected, stored, and transmitted by fitness trackers, wearable devices, and health apps, but that information can be used, shared, or sold without authorization, and consumers have no control over who can access their health data. The new legislation is focused on closing that privacy gap.

The bill forbids the transfer, sale, sharing, or access to any non-anonymized consumer health information or other individually identifiable health information that is gathered, recorded, or derived from personal consumer devices to domestic information traders, other domestic entities, or entities based outside the United States unless consent has been obtained from the consumer.

Consumer devices are “equipment, application software, or mechanism that has the primary function or capability to collect, store, or transmit consumer health information.”

The Smartwatch Data Act applies to information about the health status of a person, personal biometric information, and kinesthetic information collected directly through sensors or entered manually into apps by consumers. The Smartwatch Data Act would treat all health data gathered through apps, wearable devices, and trackers as protected health information.

There have been calls for the scope of HIPAA to be widened to cover app developers and wearable device manufacturers that collect, store, maintain, process, or share consumer health information. The Smartwatch Data Act does not extend HIPAA to cover these companies; instead, the legislation applies to the data itself. The bill proposes that the HHS’ Office for Civil Rights, the main enforcer of compliance with HIPAA, would also be charged with enforcing compliance with the Smartwatch Data Act. The penalties for noncompliance with the Smartwatch Data Act would be the same as the fines for HIPAA violations.

Sen. Rosen said: “The introduction of technology to our healthcare system in the form of apps and wearable health devices has brought up a number of important questions regarding data collection and privacy. This commonsense, bipartisan legislation will extend existing health care privacy protections to personal health data collected by apps and wearables, preventing this data from being sold or used commercially without the consumer’s consent.”

The legislation was introduced following the news that Google has partnered with Ascension, the second largest healthcare provider in the United States, and has been given access to the health information of 50 million Americans. That partnership has raised a number of questions about the privacy of health information.

The Ascension data handed over to Google is covered by HIPAA, but fitness tracker data currently is not. Google intends to acquire fitness tracker manufacturer Fitbit in 2020, and concern has been raised about how Google will use personal health data gathered through Fitbit devices. The Smartwatch Data Act would help to ensure that consumers are given a say in how their health data is accessed.

Author: Maria Perez