Note: Addressing the HIPAA-potamus Sized Gap in Wearable Technology Regulation
By Paige Papandrea.
Wearable technology is wildly popular. It is also wildly unregulated. Millions of consumers buy and use these devices, which can constantly track and transmit a variety of users’ health information. Although this health information is similar to, and in many cases more abundant than, information collected by doctors and health insurers, it generally has no privacy or security protections under federal law. This leaves most wearable technology companies free to sell or share their users’ health information without liability and leaves consumers without a remedy when their health information is compromised by a data breach.
The types of information collected, stored, and transmitted by these wearable devices could be considered “protected health information” (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, HIPAA only applies to the PHI created, held, and transmitted by “covered entities,” such as doctors and health insurers, and their “business associates.” This means that if a HIPAA covered entity, such as an insurer, provides a wearable technology device to its policyholders, then the data from said device falls under HIPAA’s purview. But if the same devices are purchased directly by the consumer, they are not protected by HIPAA despite collecting and transmitting the same amounts and types of highly sensitive information.
This Note advocates for equal regulation and protection of personal health information, regardless of how that information is initially collected. It proposes an expanded definition of “covered entities” to draw wearable technology companies into HIPAA’s regulatory purview, reflecting the modern reality that personal health information is created, collected, stored, and transmitted by devices far removed from the traditional health care system.