Computers, Privacy & the Constitution

Protecting Health Data in the Age of Wearable Devices

-- By ElenaMcCormick - 29 Feb 2020


Health data is a form of personal data which is supposed to be strictly confidential: healthcare providers must follow HIPAA to ensure that their patients’ data is not readily available to any other individuals. Even as electronic health record management systems grow, allowing for ease of access to health records between different medical offices, providers are reminded that their jobs are at stake if they violate HIPAA by searching for health records of someone not currently in their care. But as our world becomes more interconnected and providers try to integrate technology so that patients can more easily be involved in their own health, we risk inadvertently exposing health data to insurance companies, employers, and others if personal health devices are not secured.

Medical Devices to Manage Health

Devices such as FitBits? , Apple Watches, and others are sold as an aspirational way for consumers to measure their own health. In addition to counting steps, tracking heart rates during workouts, and even tracking miles covered during a workout, Apple now claims that its Watch can detect irregular heartbeat rhythms. It promises to alert the wearer to cardiac conditions that the wearer may not have even known they have.

Consumers use these devices to not only monitor their own health, but to share data with family or friends as a method of comparing or competing in exercise challenges, gaining badges, or closing rings on the Apple Watch home screen. The watch has turned from a device which tells time, to a device which can record every movement of its wearer and uploads the information to the connected smartphone. While consumers may report feeling inspired to work out with their fancy new device, studies have pointed out that many wearers of these devices do not ultimately sustain a change in exercise habits. Perhaps this is due to notification fatigue—the idea that being notified to stand up 12 times per day, each hour, may be less effective as the wearer learns to dismiss each notification rather than even reading it—or perhaps it is due to the power of inertia. When one is not accustomed to exercising, they are not likely to substantially change their lifestyle or habits just because they bought a new watch, even if that watch is “smart”.

Most medical professionals such as cardiologists and internal medicine physicians know that lifestyle behaviors account for roughly 40% of health outcomes, and they can set expectations for their patients. This means that approximately 40% of patients with systemic disease due to lack of exercise or poor nutrition, for example, will not be helped by medication or any sort of treatment that can be offered by a healthcare provider. As those in the healthcare field have watched wearable technology become increasingly popular, some have attempted to use apps to help patients change their lifestyle behaviors. For example, a patient with cardiovascular disease may share their exercise data from wearable tech to their smartphone, add their nutrition data into an app, and send it to a physician for review. While these types of systems may benefit both the patient and the physician in their plan for lifestyle adjustment for disease control, the manufacturers of wearable technology and their connected apps are not bound by the same types of HIPAA regulations that may bind an in-person conversation regarding health and nutrition between a physician and their patient.

What Wearable Technology Reveals

Some have already begun to sound the alarm about the risks of sharing health data inadvertently with health insurance companies or employers. Employers who offer employer-sponsored insurance (ESI) may reward employees for using wearable tech, but this is often under the guise of collecting this information to better determine who is a “good” employee--who will cost less under the ESI. Additionally, with access to this data, health, life, and death insurance companies may discriminate against policy-seekers by using their personal health data against them.

As we have seen with the rise of smartphones and social media, consumers are excited about something shiny and new and do not necessarily care about their lack of data privacy because, they claim, they have nothing to hide. While we can all probably agree that having nothing to hide does not mean one is eager for a complete lack of privacy in their life, the issue of health data is still considered slightly different compared to text messages or other location data that technology collects about us every day. As all this health data is uploaded to a cloud owned by Microsoft or Apple or another company, it sits at risk of being analyzed, sold, or redistributed to companies or governments without the wearer realizing it. Unfortunately, although healthcare providers are responsible for protecting the personal health information of their patients, they cannot protect what is freely given by the patients.


Wearable tech and secure-messaging apps on smartphones and laptops appear to be a benefit to medicine if they facilitate improved patient-doctor relationships and communication. However, as is the case in many industries, the medical field’s understanding of technology and lack of security is a major risk to patient data. How can we build technology that adequately secures patient data? Some medical professionals utilize wearable technology in their patients which requires the data to be downloaded at each appointment, rather than transferred over a cloud. This can help maintain the health privacy of patients who are enrolled in clinical trials or who are undergoing specific lifestyle interventions, but what about patients who are eager to participate in health data sharing without understanding the risks? I worry about the false notion of patient privacy in these cases; while the electronic health records may be secure, 40% of the health outcomes of patients is currently left unprotected by existing wearable technology.

You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.


Webs Webs

r2 - 13 Mar 2020 - 20:17:56 - ElenaMcCormick
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM