Wearables and mHealth: A Privacy Crisis Waiting to Happen?

Wearable technology usage has increased 500 percent during the past three years. Researchers from MarketsandMarkets expect this explosive growth to continue through 2020 as the wearable market reaches $31.27 billion. These devices range from smart watches and fitness trackers to Bluetooth communicators. Once considered luxury items and toys for techies, wearables are now being used in the corporate sector to improve productivity, flexibility, collaboration and customer service.

In the healthcare sector, use of mHealth technology for the remote monitoring of patients increased 51 percent in 2015 and is expected to grow 48.9 percent each year by 2020, according to Berg Insights. A key component of the trend toward preventive healthcare, mHealth uses mobile technology such as implantable cardiac devices and sleep therapy devices to gather and share real-time information between patients and medical professionals. Through 24×7 monitoring and on-demand analysis, mHealth is capable of not only improving patient outcomes and response times when health problems occur, but also reducing insurance premiums as a result of fewer doctor’s appointments, prescriptions and tests.

While wearable and mHealth technology can deliver a number of corporate and health-related benefits, organizations need to address the privacy and compliance issues that can arise. The Food and Drug Administration (FDA) has been regulating mHealth applications and telehealth software since the FDA Safety and Innovation Act was passed in 2012. Medical devices and software that transmit information to providers must meet FDA requirements for registration, listing and approval, manufacturing best practices, and post-market surveillance. mHealth devices and apps that collect, store or transmit protected health information are also regulated by the Health Insurance Portability and Accountability Act (HIPAA).

Unlike mHealth, wearable devices for “general wellness” are largely unregulated by the FDA and HIPAA. “General wellness” refers to products that relate to maintaining or encouraging a healthy lifestyle and present no health or safety risk to the user. In other words, if the product focuses on general health and doesn’t claim to treat certain conditions, it is not regulated by the FDA. Similarly, a wearable device is only subject to HIPAA regulations if it maintains or shares a person’s data on behalf of a healthcare provider.

However, data collection could be subject to data privacy laws on the state level, which may not allow the disclosure of personally identifiable information or health-related data that is collected and exchanged through various types of activity trackers. Consumers and legislators have raised concerns about the sale of data to third parties, regardless of whether that data is aggregated and anonymous.

Every time new technology is introduced, new vulnerabilities and threats to privacy are introduced. All hardware-based devices are trackable, and one in five transmit data without encryption, according to Symantec, increasing the risk of identity theft, profiling, stalking, and inappropriately monitoring employee activity. Could a burglar use data from a sleep monitoring app to plan a break-in when a homeowners is in the deepest state of sleep? Could health data that shows high risk result in higher insurance premiums or cancellation of a policy? In the coming months, increased regulations involving wearable device data will likely be debated.

Organizations would be well-served to review and update their privacy policies to account for wearables. What data are you collecting? How is that data being used? How long is that data being stored? Is that data being shared? If so, with whom? What steps can be taken to ensure that data isn’t misused or compromised? Before you adopt wearable technology in the workplace, make it a priority to ensure that all data being collected and shared remains private and secure, and be aware of regulations being discussed at both the state and federal level.