Q&A: HIPAA for wearable devices
Q: Do companies such as FitBit (and others that sell wearable devices that track and store health information) need to abide by HIPAA regulations? Should I be concerned with how these companies are viewing and sharing my health information?
A: Only covered entities (CE), established under the law, are required to comply with HIPAA regulations. These are:
- Health plans.
- Healthcare clearinghouses.
- Healthcare providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Department of Health and Human Services (HHS) under HIPAA, such as electronic billing.
The law does not give HHS the authority to regulate other types of private businesses or public agencies through HIPAA.
Companies like FitBit are not CEs, so they have no obligation to comply with HIPAA regulations. Consumers should know this and limit the amount of personal information they share with such companies. In addition, FitBit was recently acquired by Google, so it is likely that Google will use the information FitBit collects for other purposes.
Editor’s note: Mary Brandt, MBA, RHIA, CHE, CHPS is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to editor Kevin Duffy at kduffy@hcpro.com.