Wearables and HIPAA Rules: Are the Devices Covered?

There is some confusion about wearables and HIPAA Rules. HIPAA covers much of the data collected by wearable devices, such as heart rate information and other fitness metrics as well as personal identifiers. The devices should, in many people’s eyes, be covered by HIPAA. However, the Health Insurance Portability and Accountability Act only applies to healthcare providers, health insurers, healthcare clearinghouses and a limited number of other entities. Those entities do not include the manufacturers of hardware, or developers of software, that measure, record and transmit data that falls under the HIPAA definition of Protected Health Information (PHI).

Wearables and HIPAA Rules for Covered Entities

Fitness trackers such as Fitbit, when bought for personal use, would not be covered under HIPAA, and the data recorded by that device could potentially, and quite legally, be shared with third parties. The same is true for all wearable devices that record user data. How that data is used or shared must be detailed in the terms and conditions of the device. Provided the information is stated there, using the device would be deemed to be acceptance of those terms and conditions.

Wearables would be covered by HIPAA Rules if they are provided to a patient by a HIPAA covered entity. That could be a healthcare provider supplying a device to monitor a patient's vital signs, or a fitness tracker provided by a health insurer in exchange for a reduction in premiums. In both cases the covered entity would need a Business Associate Agreement in place, and those devices, and the data they store and transmit, would need to be protected to HIPAA standards.

Definition of PHI under HIPAA

The HIPAA definition of Protected Health Information (PHI) includes 18 separate identifiers which must be safeguarded. A breach is defined as the disclosure of any PHI element that can be tied to an individual.

The 18 identifiers are:

1. Names
2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
4. Phone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
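The list above is also the basis of the "Safe Harbor" method for de-identifying health data, and the ZIP code and age rules in items 2 and 3 are the ones that are easiest to get wrong in code. The following is an added example, not code from the article or from any device vendor, showing how a wearable vendor or covered entity might strip these identifiers from a structured telemetry record before sharing it. The record layout, field names and the `RESTRICTED_ZIP3` set are constructed placeholders; the real set of three-digit ZIP prefixes covering 20,000 or fewer people has to be taken from current Census Bureau data.

```python
"""Safe Harbor style de-identification of a wearable telemetry record.

Added illustration; not the article's or any vendor's code. Handles only
structured fields: free-text notes, images and item 18 ("any other unique
identifying number") still need a separate review.
"""
from datetime import date
from typing import Any, Dict

# Constructed placeholder (assumption): the real restricted prefixes come from
# current Census Bureau population data, as item 2 of the list requires.
RESTRICTED_ZIP3 = frozenset({"036", "059", "102"})

# Structured fields that are removed outright (items 1, 4-13 and 15-17).
DIRECT_IDENTIFIERS = frozenset({
    "name", "phone", "fax", "email", "ssn", "mrn", "plan_id", "account",
    "license", "vehicle_id", "device_serial", "url", "ip", "biometric", "photo",
})


def deidentify_zip(zip_code: str) -> str:
    """Item 2: keep only the first three digits, or 000 for restricted prefixes."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 3:
        return "000"
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_bucket(birth: date, as_of: date) -> Any:
    """Item 3: report age in years, aggregating everyone over 89 into '90+'."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    age = as_of.year - birth.year - (0 if had_birthday else 1)
    return "90+" if age > 89 else age


def deidentify_record(record: Dict[str, Any], as_of: date) -> Dict[str, Any]:
    """Return a copy of the record with the 18 identifier classes handled.

    - direct identifiers are dropped
    - the ZIP code is reduced to its permitted prefix
    - the birth date is replaced by an age bucket (the year itself is dropped,
      because for the over-89 group even the year is indicative of age)
    - every other date keeps only its year, as item 3 permits
    """
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = deidentify_zip(str(value))
        elif key == "birth_date":
            out["age"] = age_bucket(value, as_of)
        elif isinstance(value, date):
            out[key + "_year"] = value.year
        else:
            out[key] = value
    return out


def remaining_identifiers(record: Dict[str, Any]) -> set:
    """Check used before export: which direct-identifier fields are still present."""
    return DIRECT_IDENTIFIERS.intersection(record)


# Constructed sample record: every value here is made up for the example.
SAMPLE = {
    "name": "Jane Example",
    "email": "jane@example.com",
    "device_serial": "WB-0001-XYZ",
    "ip": "203.0.113.7",
    "zip": "03601",
    "birth_date": date(1930, 6, 15),
    "admission_date": date(2023, 3, 4),
    "heart_rate_bpm": 72,
    "steps": 8412,
}

if __name__ == "__main__":
    cleaned = deidentify_record(SAMPLE, as_of=date(2024, 1, 1))
    print(cleaned)
    print("still identifying:", remaining_identifiers(cleaned))
```

The `remaining_identifiers` check is the kind of gate a data-export job should fail on rather than log, since under the breach definition above a single leaked identifier tied to a person is reportable. Note that the fitness metrics themselves (heart rate, step count) survive de-identification; they only become PHI once a covered entity can link them to an individual.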

In the Event of a Data Breach

If a wearable device is provided to a patient and some of the data it holds is exposed (based on the above definition), there is a requirement to report the breach to the HHS and state bodies. A HIPAA covered entity has up to 60 days to report the breach to the Office for Civil Rights (OCR) and notify patients. A media announcement must also be made if the breach exposed the PHI of more than 500 individuals – a compromised network of devices, for example. Data breaches affecting fewer individuals must be reported to the OCR annually, the deadline being 60 days after December 31.

Individual states have introduced data breach laws covering all businesses holding protected information of patients and consumers, and the definitions of personally identifiable information and protected health information may include more data elements. State laws may also have different reporting requirements, and different thresholds for reporting.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news