Weak and fragmented healthcare privacy regulations are failing to provide adequate federal laws to protect personal health information collected by wearable devices that are increasingly popular with consumers.
That’s the conclusion of researchers from the American University in Washington, D.C., and the Center for Digital Democracy, who analyzed the privacy and security risks of wearable technology and of the big data these devices generate as part of a growing connected health ecosystem.
“Biosensors will routinely be able to capture not only an individual’s heart rate, body temperature and movement, but also brain activity, moods and emotions. These data can, in turn, be combined with personal information from other sources—including healthcare providers and drug companies—raising such potential harms as discriminatory profiling, manipulative marketing, and security breaches,” states the new 122-page report.
The problem is an inadequate regulatory environment, according to the researchers. While individuals and organizations that meet the definition of “covered entities,” such as health plans, healthcare clearinghouses and providers, must comply with the HIPAA privacy and security rules, wearable and mobile app developers do not fall into that category under HIPAA.
“Overall, U.S. privacy laws governing health information are limited and fragmented, with significant gaps in coverage,” states the report. “Although there have been efforts over the years to pass broader consumer-privacy regulations in the U.S., none has been successful.”
According to Jeff Chester, co-author of the report and executive director of the Center for Digital Democracy, the privacy of a large variety of consumer health data is not protected, and the data are open to use by third parties. As a result, he says, the researchers are sounding the alarm about the need for regulation.
“Americans now face a growing loss of their most sensitive information, as their health data are collected and analyzed on a continuous basis, combined with information about their finances, ethnicity, location and online and off-line behaviors,” says Chester. “Policy makers must act decisively to protect consumers in today’s big data era.”
Unfortunately, Chester contends, most U.S. consumers wrongly believe that HIPAA covers the health data generated by their wearable technology. He makes the case that wearables aren’t covered by HIPAA and that the marketing conducted with their data is subject to no such protections.
Chester points to a Department of Health and Human Services report issued in June that warned consumers “may incorrectly think HIPAA provides standards for privacy and security in all contexts where their health information is collected, shared, or used.” In the report, HHS expressed concern that new types of entities that collect, share and use health data are not regulated by HIPAA—non-covered entities (NCEs)—and that individuals may inadvertently consent to unanticipated types of information sharing and use by NCEs collecting their health information.
“Although the conduct may be regulated by the FTC’s consumer protection oversight, which does not depend on whether the conduct is subject to HIPAA, this oversight does not provide the same type or level of protection as HIPAA,” according to HHS. “In short, consumers may not be equipped to evaluate the privacy and security implications that attach to the NCEs with which they interact every day.”
The HHS Office for Civil Rights was not immediately available for comment.
To help safeguard consumers, Chester and his colleagues make several recommendations on how government, industry, nonprofit organizations, and academic institutions can work together to develop a comprehensive approach to health privacy and consumer protection, including:
All data collected from a health or wellness wearable device should be considered sensitive, and thus require an affirmative and effective consent process before they can be collected and used.
Clear, enforceable standards should be established for both the collection and use of information on wearables and other Internet-connected devices, with allowances for consumers to place limits on the data collected by and about them.
Companies should be required to explain fully and in clear language what their data practices are, and there should be standardization of terminology so that comparisons are possible. They should also be required to make public disclosures about the operations of their data-analytic systems, including how they conceptualize and utilize algorithms. Wearable and other connected-health companies should not share user information with any third parties where advertising, marketing, or the promotion of other services are involved.
Companies should comply with requests for a person’s data as soon as possible and at the lowest cost.
The metrics used to determine how de-identification is most effectively accomplished should be disclosed and subject to independent verification.
In order to ensure that consumers are truly informed, wearable devices and apps should be tested to determine that consumers will be able to understand their privacy choices and terms of services.
Self-regulatory organizations should develop standards that apply to all sectors of the consumer connected-health industry, along with a process for independent auditing.
The various participants in the digital health sector, including the wearable and mobile apps industry, should develop a set of fair marketing practices for using health-related data.
“In the absence of adequate safeguards, consumers and patients could face serious risks to their privacy and security, and also be subjected to discrimination and other harms,” concludes the report.
Consequently, Chester believes that there need to be new policies put in place that provide appropriate consumer protections.