Are wearable makers violating HIPAA? | HIPAA Compliance for Medical Practices |

It’s a question that has been asked before: With the wearables craze, is all that patient data really safe? The answer is complicated - and might not even exist within the law.

“The way these devices capture data poses serious privacy and security issues to individually identifiable health information that must be addressed,” asserted Julie Anderson, a SafeGov expert. “The central challenge devices such as Google Glass and Jawbone UP pose stems from the fact that they employ cloud-based data storage.”

Anderson explains how it gets thorny: Simply by buying one of these wearables, a customer agrees to the vendor's terms of service, which can be “fairly permissive” in what can and cannot be done with the data.

“Mining individually identifiable health information could constitute a breach of patient privacy if the analysis falls outside of the scope of HIPAA,” Anderson wrote in an article on mHealth News sister site Government Health IT. “It is not clear whether using patient data to improve products, as opposed to health outcomes, is allowed under this law. And an even more concerning scenario could take shape if health information were combined with other personal, non-medical data for the purposes of user profiling.”

Anderson recommends that vendors analyze, secure and share data in ways that increase their understanding of baseline access and enable an audit trail to identify who has edited a patient’s information.

The fact that many of these vendors are not experienced HIPAA-covered entities will no doubt complicate matters even more.