HIPAA compliance in wearable devices

Wearable devices are electronic devices worn on the body, typically as accessories or clothing. They are equipped with various sensors and technologies that enable them to collect and track user health and fitness data. HIPAA compliance must be considered when accessing protected health information (PHI). 

Wearable devices and HIPAA compliance

Not all wearable devices are used in contexts covered by HIPAA. Devices used for general wellness or fitness purposes, without collecting or storing PHI or being used by covered entities or business associates, may not need to be HIPAA compliant. However, the determination of whether a specific wearable device is subject to HIPAA requirements depends on factors such as its use case, the type of data collected, and the entities involved. 

Related: How to ensure HIPAA compliance when using RPM devices

When used by Covered Entities

If a wearable device is used by healthcare providers, health plans, or other covered entities as part of their operations, it must comply with HIPAA regulations.

Example: A hospital provides wearable fitness trackers to cardiac rehabilitation patients to monitor their heart rate and physical activity levels during recovery. 

When used by Business Associates

If a wearable device manufacturer or developer enters into a business associate relationship with a covered entity, they become subject to certain HIPAA obligations.

Example: A wearable device manufacturer partners with a healthcare provider to develop a smartwatch that tracks vital signs and securely transmits the data to the provider's electronic health record (EHR) system.

When collecting or transmitting PHI:

If a wearable device collects, stores, or transmits health data that qualifies as PHI, it becomes subject to HIPAA regulations. 

Example: A fitness tracker app allows users to input their medication schedules, and the app sends reminders to take medications based on the data collected from the wearable device.

Related: HIPAA compliance when using mobile apps with your patients

Who is responsible for HIPAA compliance?

The responsibility for HIPAA compliance is a shared one, and the specific responsibilities and obligations can vary based on the relationships and agreements between the parties involved. The individual entities responsible are

1. Covered entities: Covered entities, such as healthcare providers (e.g., hospitals, clinics) and health plans (e.g., insurance companies), have primary responsibility for ensuring HIPAA compliance when using wearable devices. They must handle PHI by HIPAA regulations.
2. Business associates: Business associates are entities or individuals that perform certain functions or services involving PHI on behalf of a covered entity. Examples can include app developers or data analytics companies. 
3. App developers: If an app is developed to collect, store, or transmit PHI from wearable devices and is used in connection with healthcare services or by covered entities, the app developer may be considered a business associate and would be responsible for HIPAA compliance.
4. Cloud service providers: If a wearable device's data is stored or processed in the cloud, the cloud service provider may be considered a business associate and must meet HIPAA requirements when handling PHI.
5. Wearable device manufacturers: While the primary responsibility for HIPAA compliance lies with covered entities and business associates, wearable device manufacturers can play a role in supporting compliance efforts. They may be expected to implement appropriate security measures and privacy features in their devices to facilitate HIPAA compliance by covered entities and business associates.

Best practices for HIPAA compliant wearable devices

1. User authentication: This may include PIN codes, biometric authentication (such as fingerprint or iris scanning), or secure pairing with authorized devices.
2. Secure data storage on the device: Use secure storage mechanisms and encryption techniques to safeguard data in case of device loss or theft.
3. Secure data transmission: Establish secure communication channels between the wearable device and healthcare systems. 
4. Device security and anti-tampering measures: This may include secure boot processes, device integrity checks, firmware updates with digital signatures, and mechanisms to detect and respond to potential security breaches.
5. Access controls and user permissions: Implement access controls on the wearable device to ensure only authorized users can access and view PHI. 
6. Data minimization: Avoid unnecessary data collection to reduce the risk of exposure or unauthorized access.
7. Secure data synchronization: If the wearable device synchronizes data with external systems or apps, ensure the synchronization process is secure and compliant with HIPAA requirements. 

Related: HIPAA Compliant Email: The Definitive Guide

Wearable devices and third-party apps accessing data 

When wearables are used by third-party apps or integrated with external systems, it introduces additional considerations for HIPAA compliance. This includes establishing clear guidelines and requirements for third-party app developers to adhere to HIPAA regulations. The manufacturer should perform due diligence to ensure these apps or systems have implemented appropriate security measures. 

If the manufacturer is a covered entity, or a covered entity is making use of an already established wearable technology, a business associates agreement is necessary.