Lawrence is the Chair for Obermayer’s Health Care Law Department and Election Law Practice Group. Lawrence’s Health Care Law legal experience includes the representation of Pennsylvania County governments in Behavioral Health Managed...
Are Wearable Devices a Privacy Nightmare?
Wearable devices, such as fitness trackers and smart watches, have taken the United States technology industry by storm. In the past three years, there has been a 500% increase in the number of fitness bands and activity trackers sold. The research firm MarketsandMarkets predicts that the industry will continue to grow at unprecedented rates and will reach $11.61 billion by the end of 2020. However, there are divisive legal issues associated with the rapid growth and increasing popularity of these wearable devices. Questions concerning how to protect the data collected by these devices, and how to ensure that the data is used only for authorized purposes, have plagued the industry.
Notably, the U.S. Food and Drug Administration (“FDA”) has taken a hands-off approach to the regulation of wearable devices. Earlier this year, the FDA released its draft guidance entitled “General Wellness: Policy for Low Risk Devices.” In its draft guidance, the FDA clarified that general wellness products, including products related to weight management, physical fitness, or sleep management, do not fall under the regulatory regime of the Food, Drug, and Cosmetic Act of 1938. The FDA stated that general wellness products are those products that: (1) relate to maintaining or encouraging a general state of health or a healthy activity, and (2) do not present inherent risks to a user’s safety. Consequently, as long as wearable devices target overall health and do not claim to treat specific ailments and diseases, like obesity, anorexia, and muscle atrophy, they will be unregulated by the FDA.
Just as wearable devices generally fall outside the realm of FDA regulation, developers of wearable devices similarly are not typically subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Unless a wearable device is transmitting or maintaining an individual’s health information on behalf of a health care provider or health plan, it is not subject to HIPAA and its implementing regulations.
While wearable devices generally fall outside the scope of the FDA and HIPAA, the data collection activities associated with wearable devices could be governed by state privacy and security laws. As reported in an article entitled “Wearable Health Information Technology: Legal Issues Now at Your Finger Tips” in the monthly magazine AHLA Connections, state laws often expand the HIPAA definition of “business associate” or directly prohibit the disclosure of personal health information and personally identifiable information. Furthermore, the Federal Trade Commission has been active in oversight regarding the privacy and security of personal information.
However, as reported by USA Today, Symantec Corporation, a technology security company, analyzed a variety of wearables and found that one in five tracking applications transmits user-generated data, such as names, email addresses, and passwords, without encryption. Consequently, wearable device users could be putting themselves at risk of profiling, stalking, identity theft, extortion, and misuse. While the possibility that a burglar could use an individual’s sleep cycle or location for sinister purposes is an extreme example, issues pertaining to data ownership and the use of the data collected are increasingly pertinent. Concerns about what user data is being collected and sold to third parties, such as employers, insurance providers, and other companies, have gained traction. In fact, last year, Senator Charles Schumer (D-NY) addressed these concerns, calling activity trackers a “privacy nightmare.”
While producers of wearable devices, like Fitbit, have responded to these claims by explaining that their privacy policies prohibit the sale of user data, many policies permit the sharing of aggregated and de-identified data. Consequently, data usage and sharing issues are complicated by whether the data is in an identified or de-identified form, structured or unstructured, image or text, or aggregated.
As technology continues to develop faster than laws and regulations can, we are left with a number of issues pertaining to wearable devices and the data they produce. The Health Law Gurus™ will continue to monitor these issues and the agency guidance surrounding the regulation of wearable devices. Please check back with us for updates.