Protecting Medical Privacy on Your Wrist

Scholar argues for greater privacy protections of personal medical data collected by wearable health technologies.

A few years ago, computer scientist Axelle Apvrille demonstrated how to hack a Fitbit bracelet that was 15 feet away from her—and to do so in 10 seconds.

Popular wearable technologies such as Fitbits and Apple Watches present consumers with benefits in terms of individual health management, but they also bring with them costs to personal privacy. In a recent article, Kenny Gutierrez, a former fellow at the Electronic Frontier Foundation, analyzes regulatory efforts to protect the security of wearable technology users’ information.

Wearable technologies—often just called “wearables”—include smartwatches, wristbands, and even “hearable” tools attached to the ear. For example, researchers at the Massachusetts General Hospital are testing a wearable that can detect tremors in children with a rare motor disorder. Gutierrez explains that the rise of wearables coincides with the rise of precision medicine.

Modern medicine has until recently applied a “one-size-fits-all” approach, but precision medicine allows health care providers to tailor disease prevention and treatment to an individual patient’s lifestyles, genes, and other personal factors. A Stanford University study used the Apple Watch’s heart-rate sensor, for example, to identify signs of atrial fibrillation, a type of heart complication.

Researchers can also apply the data from wearables to craft more precise clinical technologies that medical providers can use in practice, explains Gutierrez. In this way, wearables offer two benefits: They enhance individual treatment, and they help make clinical technologies more accurate and useful for future patients.

But in the process, wearables collect a significant amount of user data, including geolocation, exercise habits, and online purchases. Gutierrez observes that data collection by wearables outpaces data collection by mobile health applications on smartphones. After all, individuals are more likely to use their wearables for more hours per day and more consistently than their smart phones.

Gutierrez claims that wearable companies’ data collection practices pose cybersecurity and privacy risks to users. Specifically, wearable technology makers can sell customers’ data to data brokers, and digital platforms can then buy this data to deliver more targeted advertising to users. Health data are even more valuable than personal financial information to these consumer data markets, Gutierrez reports.

For users of wearables, a data breach can be devastating, given the amount of data a device typically stores. Gutierrez argues that existing privacy laws do not adequately address the privacy challenges that the growing use of modern wearable health tools poses.

The Health Insurance Portability and Accountability Act (HIPAA), which safeguards some health information, covers only some uses of health technology tools. For example, some wearable devices allow users to upload health data directly to their electronic medical records, but HIPAA rules do not necessarily apply to the makers of digital health applications.

Rather, HIPAA protections only extend to personal health data that the user transmits to a medical provider, Gutierrez explains. For this reason, special rules that the U.S. Department of Health and Human Services has adopted to protect the confidentiality of patient health data under HIPAA do not apply to most wearables, according to Gutierrez.

He observes that federal regulators are currently working to issue new rules requiring medical providers to transmit patient information to health record applications. He contends that if providers send this information to the application—with patient consent—then HIPAA would protect the information stored in it, including the data that the patient transmits from their wearable to the application.

Gutierrez also recommends that the U.S. Food and Drug Administration issue regulations that remove wearable applications that lack safe and proven treatments from the market.

Wearables users can also try to protect their private health information under the Stored Communications Act (SCA), Gutierrez notes. The SCA prohibits the interception of the “contents” of messages shared over digital platforms without a warrant.

But the SCA does not limit the collection of “records,” which are pieces of data that convey “metadata,” such as the identities of the author and recipient of a message. Gutierrez argues that the current definition of “records” likely covers most of the information that companies collect from wearables.

Gutierrez proposes that the U.S. Congress should expand the definition of “contents” to include wearable health data or otherwise enhance the protection of “records” under the SCA. Such a legislative amendment to the SCA would limit the sharing of health data with non-governmental entities, Gutierrez argues.

The Federal Trade Commission (FTC) also has broad authority to regulate privacy and cybersecurity issues in the wearables market, Gutierrez notes. But the FTC’s current regulatory framework places the burden of identifying issues in a company’s data-collection procedures on the consumer, he explains.

Gutierrez suggests that a stronger FTC enforcement strategy would be in line with the FTC’s previous actions against non-health care companies for deceptive privacy practices that led to large breaches and security vulnerabilities for customers. In those cases, the FTC required companies to notify consumers about new product privacy issues, offer free customer support, and help users uninstall the problematic security features. Gutierrez predicts that similar enforcement actions would prompt wearables makers to develop their data collection practices with users’ information cybersecurity in mind.

Gutierrez acknowledges that wearables are pushing the frontiers of precision medicine, but he concludes that a more tailored regulatory approach would better protect users’ privacy during the current period of rapid innovation and beyond.