New Privacy Regs Coming for Fitness Devices, Health Apps

A federal law that protects patient privacy must be extended to cover smartphones, devices, fitness wearables, health apps and even websites that patients visit to discuss health concerns, a new report from the Dept. of Health & Human Services, a federal government agency, suggests.

Continue Reading Below

That means the tech companies that make these devices and apps—including Apple, Google, Fitbit—would have to abide by the federal law to ensure patient privacy is protected.

The 1996 law, the Health Insurance Portability and Accountability Act, or HIPAA, has a huge hole in regulations that Congress must fill, the government report says.

“To ensure privacy, security, and access by consumers to health data, and to create a predictable business environment for health data collectors, developers, and entrepreneurs to foster innovation, the gaps in oversight identified in this report should be filled,” the report advised, noting, “Some policymakers have noticed the gaps in oversight.”

The HIPAA law only covers hospitals, clinics, health insurers and health plans.

Not covered: Apple Watches that track health information; wearables like Fitbit that take into account things like sleep interruptions or steps walked; items such as at-home pregnancy tests; or social media sites where patients discuss health issues, among other things.

The new government report comes as consumer use of mobile health apps to track personal health and fitness statistics and medical conditions is on the rise.

Researchers at IMS Health found there are more than 165,000 health apps, and a Pew survey says more than two-thirds of Americans now own a smartphone, which means many likely have uploaded fitness and health apps to their phones.

There’s reason for concern. Many apps share your private health information, and you may not be aware that they do.

For example, last March, the Journal of the American Medical Association published a study of 211 diabetes apps conducted by the Illinois Institute of Technology Chicago-Kent College of Law.

The study found that many of the diabetes apps convey sensitive medical information, such as disease updates and drug compliance, to third parties, including advertisers and marketers.

Specifically, the researchers analyzed 211 apps available for download in Google Play, the online marketplace for the Android operating system that is in about 83% of smartphones worldwide. The study found more than 80% of the apps collected and stored consumer health data and nearly half shared the data. The majority, 80%, had no consumer privacy policies.

The HHS report warns that the rise of fitness apps and devices has opened up a vast amount of personal health information on the Internet that is not covered by federal privacy law.

“New types of entities that collect, share, and use health information are not regulated by HIPAA,” the report explains. “Health information is increasingly collected, shared, or used by new types of organizations beyond the traditional health care organizations currently covered by HIPAA, such as peer health communities, online health management tools, and websites used to generate information for research, any of which might be accessed on computers or smart phones and other mobile devices.”