Medical App Wearables and HIPAA: New Guidelines Clear Up the Confusion

We’ve written a few posts about some of the privacy issues consumers face when interacting with their favorite health monitoring wearable or medical appware.

If you're comfortable with personal, and possibly very sensitive, data ending up with third parties, then by all means use them. There are real benefits to medical sensors collecting data about your every step and heartbeat. As always, read the Terms of Service agreement first.

One question that often arises is whether HIPAA's rules on sensitive data come into play for the apps associated with these wearables.

In our own research on HIPAA compliance, we had a difficult time finding companies in this space that even acknowledge the HIPAA security rules, let alone follow them.

The Business Associate Clause

Here's the thing: technically, many of them are not required to treat their data as protected health information, or PHI. The reason is that the HIPAA rules apply only to a "covered entity" (a health care provider, a health plan such as an insurer, or a health care clearinghouse), and PHI is defined as health information held by or on behalf of such an entity.

This should, in theory, exclude wearable companies.

There’s a catch.

If you're a business associate of a covered entity, then you will fall under the rules. Back in 2012, we wrote about the then-new business associate regulation, and that it was a big deal because it means HIPAA now extends to many companies that wouldn't consider themselves directly in the healthcare business.

In the case of wearable appware developers, they're a business associate of a covered entity if they create, receive, maintain, or transmit PHI on behalf of that covered entity, or do so as a subcontractor of one of its business associates (subcontractors handling PHI are business associates too). Besides having to follow HIPAA's security safeguards, the wearable developer would then be limited to the uses and disclosures of that data its business associate agreement permits, so passing it on to other parties would require the individual's authorization.

HIPAA Speaketh

It's still a confusing matter. So much so that last week, the Department of Health and Human Services released a guidance document on this very subject. They worked through various scenarios and then explained why the HIPAA rules do or do not apply in each one.

You can read the guidelines for yourself, but I’ll attempt to summarize their conclusions.

Here goes.

If you download an app on your own and use it to store your health data in the app's online database, the app company isn't covered by HIPAA. Reason: the app developer is neither a covered entity nor a business associate of one, so the data it holds is the consumer's own health information rather than PHI.

What about if the data is then transferred from their database to a covered entity?

Now it gets tricky. For HIPAA to apply, the appware company has to have a formal relationship with the hospital, healthcare provider, or insurance company. For example, some healthcare entities have contracted with a wearable developer to collect health data on their behalf. In that case the developer falls under HIPAA's business associate regulation.

This was the case with one major wearable vendor that entered into relationships with insurers so that its device and software could be used in "corporate wellness" programs.

But if a healthware company doesn't have such an agreement, and it is the consumer who directs it to send the data to a healthcare provider or insurer, it can pass the data along without itself being covered by HIPAA. That means the same healthware vendor may be under HIPAA for data it sends to one covered entity but not for data it sends to another, depending on whether a business associate agreement is in place.

Overall, this wearable space is still largely unregulated. The difference now is that the larger players who have expanded into wellness and other corporate health programs, where business contracts are a must, will indeed have to play by HIPAA's rules.

Hey, take our free HIPAA class and get up to speed on the fine print of this complex regulation. 
