Since 2016, healthcare has been a key emerging user of big data, a trend attributable to the rise of consumer wearable devices from companies like Fitbit and Apple. These devices give researchers access to large volumes of biometric data, which can then be used to test hypotheses on nutrition, fitness, disease progression, and treatment success, to name a few. The wearable technology industry is expanding fast and is projected to generate $34 billion by 2020.
Why consumer-generated health data collected by wearables should be protected
Wearables have social benefits for both users and companies. They benefit users because wearable devices and their accompanying apps and programs entice users to share health information and to actively engage in managing their personal health and wellness. Wearables benefit companies because they present opportunities for advancing business interests. For example, recent advances have enabled measurement of a person’s health and biological reaction to environmental stimuli, allowing more accurate inferences about a person’s emotional condition. In turn, this data could be used for business applications, like emotional marketing.
Second, some consumers are skeptical of wearables, fearing they could harm their interests. For example, the rise in integration of wearables with other technology such as digital assistants, smart home devices and even automobiles represents a level of increased connectivity that gives hackers more portals from which to harvest enormous amounts of personal data. The security of consumer-generated health data from wearables is important because identifying the individual to whom the data belongs, either by a single piece of information or by triangulation and combination of information through intentional or erroneous disclosure, risks consumer interests. For example, insurance providers might use data from wearables to price insurance or to infer the user’s suitability for credit or employment (e.g., a conscientious exerciser is a good credit risk or will make a good employee).
Third, unauthorized, unintentional or overreaching use and dissemination of personal information creates potential regulatory liabilities for manufacturers and developers of wearables. For example, in the U.S. alone, wearable device companies could be subject to federal and state regulations.
Balancing the potential for using consumer-generated data from wearables to benefit society, widespread consumer concerns about the privacy and security of data in wearables, and the risk of exposure to liability under different regulatory frameworks, data protection should be a key consideration for manufacturers and developers of wearable technology.
Wearables and U.S. regulatory frameworks
Relevant regulatory frameworks for the wearable technology industry are in flux. Even so, wearable device companies should still consider current federal and state regulatory frameworks pertinent to health data. At the federal level, companies should consider the FD&C Act, HIPAA, and the FTC Act, among others. At the state level, regulation could vary per jurisdiction.
The Federal Food, Drug, and Cosmetic Act doesn't likely apply
Historically, because consumer wearables pose a “low risk” to consumer safety and generally do not collect information for the purpose of “treating” a patient, consumer wearables have largely gone unregulated by the FDA.
The FD&C Act protects consumers against unlawful medical devices, defining a “device” as an “instrument ... intended for use in the diagnosis of disease or other conditions, or in the ... treatment, or prevention of disease.” Ultimately, whether something is a medical device turns on whether the manufacturer intends it to be used for a medical purpose not “achieved through chemical action or by being metabolized by the body.” The FDA does not classify wearables as medical devices within the FD&C Act, referring to wearables in a 2016 guidance document as low-risk general wellness products that the FDA does not intend to actively regulate. Hence, it is unlikely wearables will have to comply with the FD&C Act’s premarket review and post-market regulatory requirements. Also, though medical devices that can be used much like a consumer wearable may be regulated for safety and efficiency by the FDA, the FDA does not set privacy standards.
Wearable technology companies likely have minimal liability exposure under HIPAA
HIPAA, or the Health Insurance Portability and Accountability Act, gives individuals rights over their health information, but it applies only to covered entities and their business associates. It therefore provides limited protection for the data harvested by wearable device companies, which collect, analyze and share health data as non-covered entities outside the scope of HIPAA. Wearable technology companies are unlikely to be covered by HIPAA because wearables engage directly with consumers without providing healthcare services or reimbursement for healthcare services.
Second, wearable technology companies are also unlikely to be implicated under secondary use of health data, which, unlike primary use, is the use of personal health information beyond direct healthcare delivery (e.g., research and health promotion). Protected health information (PHI) is “individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or medium.” Because data collected by wearables is consumer-generated and does not come from covered entities or business associates, its use likely does not qualify as secondary use of health data.
Under the FTC Act: Wearable technology companies likely have greater liability exposure
The FTC Act, enforced by the Federal Trade Commission pursuant to its Section 5 authority, prohibits companies from engaging in deceptive or unfair acts or practices, including failing to comply with an entity’s own privacy policy, among others. This authority extends to both HIPAA-covered and non-covered entities, making the FTC Act the primary federal statute applicable to the privacy and security practices of non-covered entities collecting health information.
The FTC brings legal actions against organizations that violate consumers’ privacy rights or mislead consumers by failing to maintain security for sensitive information. Thus, wearable device companies should keep consumers informed about how they treat consumers’ information. For example, most wearables require user log-in credentials to access apps or online platforms on multiple devices to manage a customer’s data. This cross-device tracking associates multiple devices with the same user by linking a user’s recorded activities across various electronic devices (e.g., smartphones, laptops). Yet, in 2017 the FTC reported that “[c]ompanies do not appear to be explicitly discussing cross-device tracking practices in their privacy policies,” finding that only three out of 100 policies explicitly mentioned enabling third-party cross-device tracking. Because most wearables involve cross-device tracking, manufacturers and developers should be cognizant of the data privacy and security representations they make for both the wearable device itself and any accompanying apps and programs.
In sum, wearable technology companies likely have greater liability exposure under the FTC Act and should refrain from misleading or deceiving consumers about how consumers’ health data is being utilized and shared. The FTC recommends that, at minimum, entities should be transparent about data collection and use practices; provide choice mechanisms that give consumers control over their data; provide heightened protections for sensitive, including health, information; and maintain reasonable security of collected data.
State regulation: Wearable technology regulation could vary per jurisdiction
Though most wearable devices fall outside federal regulatory frameworks, they could still be subject to state consumer protection laws and other state-level regulatory frameworks, which vary per jurisdiction. For example, though HIPAA sets a baseline for protecting health data, states are empowered to enact stricter health privacy laws that provide privacy and security beyond what is protected or required by HIPAA. California, for one, attaches HIPAA-like data protection responsibilities to “health data custodians who are not health care providers.” Accordingly, though most wearable device companies have limited exposure under HIPAA, the same may not be true under pertinent state laws. Thus, wearable device companies should be cognizant of state laws that apply to their products and operations.