When a patient gives data from a wearable, like an Apple Watch, to a doctor, who is legally responsible for protecting the privacy of the data?
Amid manufactured Apple hype, the tech giant made headlines in September with the latest iteration of the Apple Watch. CEO Tim Cook boasted of the watch’s fall detection capability, automatic workout tracking, and a heart sensor with ECG capability.
Recently, Apple-sponsored studies of earlier watches might have served as a cold shower for Apple fanboys and quantified-self enthusiasts. It seems that watch generations 1-3 are only 34 percent accurate in detecting atrial fibrillation, the study shows.
How Wearables Could Become a Part of Your Practice
Despite the poor PR, it looks like Apple will continue to expand into healthcare and the business of health data. Recently, Cook said in a CNBC interview that Apple’s health-related work will be its “greatest contribution to mankind.”
A recent Becker’s Hospital Review article describes how this may be simply the tip of the iceberg for Apple, which may see the healthcare industry as ripe for disruption. This comes at a time when Apple’s iPhone sales are slumping in China. This may be forcing the company to pursue other revenue streams sooner rather than later.
The elephant in the room is the inevitability of a data breach. User data from the popular fitness and nutrition tracking app MyFitnessPal was breached in 2018, exposing names, email addresses, and passwords of 150 million people. The same year, the fitness app Strava revealed the locations of U.S. military personnel on secret bases. The black market value of EHR data makes the Apple Watch and any similar products prime targets.
All of this affects practicing physicians. Perhaps foremost among the questions it raises should be, what are the HIPAA implications? The Apple watch — and likely other innovations — excel at capturing personal health data in a way that empowers healthcare consumers. This data is also valuable to healthcare providers. How, then, do doctors and patients hand off the data in a HIPAA-compliant manner? What would be the extent of a doctor’s culpability in the event of a breach?
Who’s Responsible for Wearable Data?
We turned to Linda A. Malek, chair of the healthcare practice and the privacy and cybersecurity practice at the legal firm Moses & Singer LLP, for some insights. Keep in mind, Malek is one (albeit well-informed and sharp) attorney. This isn’t legal advice. If you’re mulling incorporating wearable data into your practice, you should consult with your own legal counsel.
According to Malek, doctors who have partnered with wearable companies are responsible for protecting the privacy of patient data.
“If the physician is the one who recommends the wearable to the patient, or is facilitating or interfacing with the wearable company and is accessing the health data generated by the wearable, there is a HIPAA implication,” she says.
The legal implications differ when a patient is independently choosing to give data from their wearable to a doctor.
“Here, the HIPAA implication may be different because the patient is offering her own health data to her doctor, presumably to assist in her treatment,” Malek says. “It may be a safer course for the provider to ask the patient to sign a HIPAA authorization form to allow for the information exchange if the situation is unclear.”
However, HIPAA isn’t the only legal hurdle doctors have to clear in this latter situation, Malek says. Each state has its own set of laws that may govern patient data exchanges such as this.
“The safer course in a situation like that is to get [written] consent — it may or may not be required,” Malek says. “This is not an area where there’s always a bright line that says you must get a HIPAA authorization or you must get a consent to comply with state law.”
Doctors would do well to make sure all of their legal bases are covered. The American University Center for Digital Democracy issued this report in 2016, which explains how woefully exposed wearables users are. A news release from American University described the report as concluding that “the weak and fragmented health-privacy regulatory system fails to provide adequate federal laws to safeguard personal health information collected by wearables.”
Ready or not, today’s and tomorrow’s doctors will need to prepare themselves for the legal implications of wearables. A recent report from AppleInsider speculates that Apple’s moves in the healthcare sector could affect doctors in two ways. The first, by building in more biomarker tracking, Apple empowers physicians to keep patients healthier and theoretically increase profitability. The second, Apple could offer troves of data to doctors at a cost much lower than if doctors had gathered the data themselves.
While both are exciting, the prospect of a HIPAA violation, or breaking state law, is not. As medicine moves into this data-driven world, doctors will have to keep their patient data close, and their legal counsel closer.