Health and Fitness Wearables Leave a Lot of Our Data Unprotected. What Can We Do About It?

Article/Op-Ed in Tech Policy Press
April 28, 2021

Christine Bannan and Andi Wilson Thompson wrote for Tech Policy Press about the proliferation of health and fitness IoT devices (which produce data which are largely not protected by U.S. health information privacy law) and how privacy legislation could fill this gap and protect consumers. They also offer advice for making informed privacy decisions when choosing health and fitness devices and apps.

There is a widespread misconception that the federal law that protects medical records—the Health Insurance Portability and Accountability Act (HIPAA)—protects all health information. However, the law only applies to health insurers, healthcare providers, and related entities. Although the information your fitness tracker collects to monitor COVID symptoms may be the same type of data your doctor would collect, what matters for determining whether the law applies is who collects the data, not the type of data collected. And because the United States lacks a comprehensive federal privacy law, there are few legal restrictions on what a company can do with the data of U.S. users. For example, the same wearable temperature sensor used at RVA virtual in Australia also markets a clinician-facing mobile app for use by U.S. medical providers. The clinician app is HIPAA-compliant, and the temperature sensor is cleared by an FDA certification process, but only when used by doctors. Consumers can buy the exact same sensor for home use, but that data isn’t subject to the same privacy protections, nor is the data collected by many other consumer-directed health wearables.
Unfortunately, the United States still lacks a consumer privacy law that would protect personal data regardless of whether it is collected by a healthcare provider or an app. At present, consumers are left to make judgments about privacy on their own. The FTC recommends comparing privacy options and taking control of your sensitive information when choosing a fitness tracker. However, without any legal requirements for companies to follow, there are limitations on both the privacy-protective options available to consumers and the access consumers have to privacy information. 