How wearables could put doctors in HIPAA hot water

By Physician Sense, for MDLinx
Published March 28, 2019

Key Takeaways

When a patient gives data from a wearable, like an Apple Watch, to a doctor, who is legally responsible for protecting the privacy of the data?

Amid manufactured Apple hype, the tech giant made headlines in September with the latest iteration of the Apple Watch. CEO Tim Cook boasted of the watch’s fall detection capability, automatic workout tracking, and a heart sensor with ECG capability.

More recently, an Apple-sponsored study of earlier watches may have served as a cold shower for Apple fanboys and quantified-self enthusiasts: it found that watch generations 1-3 were only 34 percent accurate in detecting atrial fibrillation.

How Wearables Could Become a Part of Your Practice

Despite the poor PR, it looks like Apple will continue to expand into healthcare and the business of health data. Recently, Cook said in a CNBC interview that Apple’s health-related work will be its “greatest contribution to mankind.”

A recent Becker’s Hospital Review article describes how this may be simply the tip of the iceberg for Apple, which may see the healthcare industry as ripe for disruption. This comes at a time when Apple’s iPhone sales are slumping in China. This may be forcing the company to pursue other revenue streams sooner rather than later.

The elephant in the room is the inevitability of a data breach. User data from the popular fitness and nutrition tracking app MyFitnessPal was breached in 2018, exposing the usernames, email addresses, and hashed passwords of roughly 150 million people. The same year, the fitness app Strava's published activity heat map revealed the locations of U.S. military personnel on secret bases. The black-market value of EHR data makes the Apple Watch and any similar products prime targets.

All of this affects practicing physicians. Perhaps foremost among the questions it raises is: what are the HIPAA implications? The Apple Watch, and likely other innovations to come, excels at capturing personal health data in a way that empowers healthcare consumers. That data is also valuable to healthcare providers. How, then, do doctors and patients hand off the data in a HIPAA-compliant manner? And what would be the extent of a doctor's culpability in the event of a breach?

Who’s Responsible for Wearable Data?

We turned to Linda A. Malek, chair of the healthcare practice and the privacy and cybersecurity practice at the law firm Moses & Singer LLP, for some insights. Keep in mind, Malek is one (albeit well-informed and sharp) attorney. This isn't legal advice. If you're mulling incorporating wearable data into your practice, you should consult your own legal counsel.

According to Malek, doctors who have partnered with wearable companies are responsible for protecting the privacy of patient data.

“If the physician is the one who recommends the wearable to the patient, or is facilitating or interfacing with the wearable company and is accessing the health data generated by the wearable, there is a HIPAA implication,” she says.

The legal implications differ when a patient is independently choosing to give data from their wearable to a doctor.
