September 27, 2018

Regulating Wearable Devices in the Healthcare Sector

Nina Kostyukovsky, Debevoise & Plimpton, LLP, Washington, DC

AuthorAs of October 2014, at least one in five Americans owned an activity-tracking wearable device,1 such as a Fitbit or Jawbone, and more than 80 percent of consumers listed eating healthier, exercising smarter and accessing more convenient healthcare as important benefits of wearable technology.2  While wearable devices have been around for some time, manufacturers are constantly innovating the products, and many of the current models are so sophisticated that they can record a person’s physical activity, heart rate, geographic location, and even sleep hygiene from the wearer’s wrist 24 hours a day.3  As the data that wearable devices collect becomes more personal, entrepreneurs and regulators will face several challenges in trying to strike a balance between on the one hand encouraging the public to make healthy choices and on the other protecting their privacy and safety.  The Office for Civil Rights (OCR) and Food and Drug Administration (FDA), working under the U.S. Department for Health and Human Services (HHS), will play a major role in deciding how wearable devices can be used in the healthcare sector.4  

I.  Using HIPAA to protect the privacy of health data generated by wearable devices
OCR enforces privacy and security standards for health information set by the Health Insurance Portability and Accountability Act5 (HIPAA) as amended by the Health Information Technology for Economic and Clinical Health Act6 (HITECH Act).  The rules that implement these laws apply to health plans, health care clearinghouses, and healthcare providers, collectively referred to as “Covered Entities” working with protected health information (PHI)—individually identifiable health information  that a Covered Entity creates or receives.  

Wearable device manufacturers are not ordinarily exposed to HIPAA liability, because they are not Covered Entities, and their products and services work directly with the consumer, keeping Covered Entities out of the loop.7  Nevertheless, as fitness trackers continue to gain in popularity, technology companies looking to cash in on the trend may find themselves navigating an unfamiliar regime of complex regulation.

Ordinarily, businesses are free to make their own rules for handling information that falls outside the scope of HIPAA.8  Many companies have privacy policies, but only California9and Connecticut10 actually require companies to publish them.  

In contrast, PHI is subject to the HIPAA Privacy Rule,11 which prohibits a Covered Entity from using or disclosing the PHI except in a few narrow circumstances.12  Covered Entities cannot simply force patients to sign all of their privacy rights away and be done; they must obtain express authorization from the patient for each non-conforming use or disclosure,13 which may be revoked at any time,14 cannot be made a condition of treatment,15 and must be presented to the patient in a separate document for each separate use or disclosure requiring authorization.16  Alternatively, the Covered Entity can remove identifying data from the PHI before disclosing it, but the HIPAA Privacy Rule sets a high burden for what constitutes “de-identification.”17  Covered Entities must also comply with the HIPAA Security Rule,18 which imposes administrative,19 physical,20 and technical21 safeguard requirements for electronic PHI.

While most developers of wearable devices make general promises about privacy and security, none of the major consumer fitness trackers make any claims about HIPAA compliance.  Some have even been known to include social networking features that allow users to share their fitness data with friends, which in some cases, have been set to public by default.22 Since misuse of PHI is subject to strict liability standard,23 developers wanting to bridge wearable devices with Covered Entities should tread lightly.  Two recent developments in health law may amplify this concern.

The first is the HITECH Act, which changed how HIPAA applies to a Covered Entity’s “Business Associates.”  A Business Associate is someone that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity.24  Prior to the HITECH Act, HIPAA’s Privacy and Security Rules only applied to Business Associates indirectly, by requiring Covered Entities to sign a contract with their Business Associates that mirrored the requirements of the Privacy and Security Rules.25  The HITECH Act extended the HIPAA Security Rule26 and portions of the HIPAA Privacy Rule27 to apply to Business Associates, making them directly liable for violations.  

This means that OCR can directly penalize developers who, if serving as Business Associates, mishandle PHI when providing fitness tracker interfaces for Covered Entities.28   The rule also extends to subcontractors of the Covered Entity or Business Associate that create, receive, maintain, or transmit PHI on their behalf.29  This could also be problematic, as many developers opt for renting computing power from bigger companies, rather than investing in their own servers.  Fortunately, several major cloud computing providers serving as these subcontractors responded by providing HIPAA compliance as an add-on feature, and will even sign Business Associate contracts as part of the deal.30

The other development is the implementation of new regulations under the Patient Protection and Affordable Care Act (PPACA).  Prior to PPACA, group health plans were prohibited from discriminating against individual participants, with an exception for rewards to individuals who complete wellness programs.31  PPACA extended the nondiscrimination rule and its wellness program exception to the individual market,32 and raised the maximum reward for health-contingent wellness programs from 20 percent to 30 percent.33  A health-contingent wellness program is one that “is based on an individual satisfying a standard that is related to a health status factor.”34  

Wearable devices provide a novel way of running these programs.  A recent example is self-insured BP plc, which offered free Fitbit devices to its 14,000 employees, and rewarded those who walked at least one million steps in a year with insurance premium discounts.35 As another example, a health insurance startup in New York offered wearable fitness trackers to its 17,000 members and sent them daily fitness goals, adding a dollar toward an Amazon gift card for each met goal.36  

If PPACA’s new incentives prove to be effective, the technology industry may see significant demand from health plans looking for ways to integrate fitness trackers into their wellness programs.  Nevertheless, developers who want to start writing applications for Covered Entities will need to be sensitive to this issue.

II.  The FDA’s approach for regulating wearable devices and health applications

In addition to privacy and security concerns, health application developers and wearable device makers will need to take steps to ensure that their products are safe and reliable in order to avoid the FDA’s strict regulation under the Food, Drug, and Cosmetic Act of 1938 (FD&C Act).37   In January 2015, the FDA issued draft guidance to help industry and FDA staff determine whether an app or wearable device falls under the scrutiny of the FD&C Act.38  Although the FDA has not yet provided a timetable for officially recommending this guidance, the comment period recently ended on April 20, 2015.39  Like other FDA guidance documents, this guidance “do[es] not establish legally enforceable responsibilities,” but instead, “describe[s] the Agency's current thinking on a topic and should be viewed only as recommendations.”40  According to the guidance, the FDA does not intend to apply its premarket review and post-market regulatory requirements to “low risk general wellness products.”41 The FDA’s Center for Devices and Radiological Health (CDRH) will apply a two-part test to determine whether a product is a low risk general wellness product:  (1) the product must make only general wellness claims, and (2) the product must not present inherent risks to a user’s safety.42

The latter prong is fairly clear cut: products that penetrate the skin, require special quality controls (e.g., lasers or tanning beds), raise novel questions of usability (e.g., pregnancy tests), or raise a question of biocompatibility present an inherent risk to a user’s safety, and therefore fail the test.43  Where manufacturers of wearable devices are more likely to get into trouble is the first prong, i.e., the “general wellness” test.  A “general wellness” product cannot make claims that go beyond sustaining or offering general improvement to a general state of health.44  This means that the product is not allowed to reference specific diseases or conditions, unless “it is well understood that healthy lifestyle choices may reduce the risk or impact of the disease or condition.”45   Even then, the product should be limited to promoting, tracking, or encouraging choices which, as part of a healthy lifestyle “may help reduce the risk of” or “may help living well with” the disease or condition.46  For example, it is acceptable for the makers of the Fitbit to advertise that its default goal of 10,000 steps per day will help users decrease their risk of heart disease,47 because this level of physical activity is generally understood to improve cardiovascular health.

Wearable device manufacturers can still get the point across by choosing their words carefully.  Rather than referring to a disease, the product may refer to symptoms (e.g., “managing stress” rather than “treating anxiety”), or to an organ associated with the disease (e.g., “improving brain health” rather than “preventing Alzheimer’s disease”).48  In either case, device manufacturers may find that it is a good idea to check for medical research that supports their claims ahead of time as a backup plan, should the FDA find that that their marketing crosses a line.

III.  Conclusion
Technology companies have shown they are not afraid of disrupting heavily regulated industries.  But as wearable devices begin to enter the healthcare sector, time will tell whether they can thrive in one of the most heavily regulated industries in the country.

***

Nina Kostyukovsky is an associate in the Washington, D.C. office of Debevoise & Plimpton LLP.  She focuses on regulatory defense, internal investigations, and complex class actions.  Ms. Kostyukovsky received her J.D. from The University of Chicago Law School and her B.S. in Finance and Accounting from the University of Maryland.  She may be reached at nkostyukovsky@debevoise.com.

1

PricewaterhouseCoopers, Consumer Intelligence Series – The Wearable Future 19 (2014), available at http://www.pwc.com/us/en/industry/entertainment-media/publications/consumer-intelligence-series/assets/PWC-CIS-Wearable-future.pdf.

2

Id. at 37.

3

Wearable Activity Devices Comparison Chart, http://www.wellocracy.com/wearable-activity-trackers/wearable-activity-tracker-chart/ (last visited Apr. 10, 2015).

4 These devices are also subject to state privacy and product safety laws, which are outside the scope of this article.
5

42 U.S.C. § 300gg et seq., 29 U.S.C. § 1181 et seq., and 42 U.S.C. § 1320d et seq.

6

Pub. L. No. 111-5, 123 Stat. 115, 226 (codified as amended at 42 U.S.C. § 201 et seq.)

7

U.S. Dep’t of Health and Human Serv., Office for Civil Rights, Business Associates, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html (last visited Apr. 10, 2015).  Similarly, Google, Apple, and the cellular carriers that provide the Internet connection to Android and the iPhone would not liable under HIPAA because their software acts merely as a conduit for PHI.

8

Although other industry-specific state and federal privacy laws exist (e.g. for financial information or young children), there is no general privacy statute in federal or state law.  Computer Law: A Guide to Cyberlaw and Data Privacy Law (Volume 5) § 28.04[2][a].

9

See California Business & Professional Code § 22575 et seq.

10

See Conn. Gen. Stat. § 42-471 (but note that this statute only applies to “[a]ny person who collects Social Security numbers in the course of business”).

11

45 C.F.R., Part 164, Subparts A and E.

12

For example, disclosures to the individual, for health care treatment, payment, or operations, or when otherwise required by law.  45 C.F.R. § 164.502(a).

13

45 C.F.R. § 164.508(a)(1).

14

45 C.F.R. § 164.508(b)(5).

15

45 C.F.R. § 164.508(b)(4).

16

45 C.F.R. § 164.508(b)(3).

17

For example, geographical information may only be as specific as the name of a state or the first three digits of a zip code, but only if more than 20,000 people live in the zip codes that share those first three digits.  See generally, 45 C.F.R. § 164.514.

18

45 C.F.R., Part 164, Subpart C.

19

45 C.F.R. § 164.308.

20

45 C.F.R. § 164.310.

21

45 C.F.R. § 164.312.

22

In 2011, Fitbit users were shocked to learn that their pedometers not only tracked sexual activity, but also made this information searchable on Google.  The problem has since been fixed.  Zee M. Kane, Fitbit users are unwittingly sharing details of their sex lives with the world, The Next Web, Jul. 3, 2011, http://thenextweb.com/insider/2011/07/03/fitbit-users-are-inadvertently-sharing-details-of-their-sex-lives-with-the-world/ (last accessed Apr. 10, 2015).

23

42 U.S.C. §§ 1320d–5(a)(1)(A) and (a)(3)(A).

24

45 C.F.R. § 160.103(i).

25

45 U.S.C. § 164.504(e).

26

42 U.S.C. § 17931.

27

42 U.S.C. § 17934.

28

42 U.S.C. §§ 1320d–5(a)(1)(A) and (a)(3)(A).

29

45 C.F.R. § 160.103; see also U.S. Dep’t of Health and Human Serv., Office for Civil Rights, Business Associate Contracts, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html (last visited Apr. 10, 2015).

30

See, e.g., AWS HIPAA Compliance FAQs, http://aws.amazon.com/compliance/hipaa-compliance/ (last visited Apr. 30, 2015); Google Cloud Platform provides support for HIPAA Covered Entities, http://googlecloudplatform.blogspot.com/2014/02/google-cloud-platform-provides-support-for-hipaa-covered-entities.html (last updated Feb. 5 2014); Microsoft Azure Trust Center – Compliance, http://azure.microsoft.com/en-us/support/trust-center/compliance/ (last updated April 2015).

31

Incentives for Nondiscriminatory Wellness Programs in Group Health Plans, 77 Fed. Reg. 70620 (Nov. 2012).

32

Id. at 70621 (discussing the change now codified at 42 U.S.C. § 300gg).

33

Id. at 70620 (discussing the change now codified at 42 U.S.C. § 300gg–4(j)(3)(A)).

34

42 U.S.C. § 300gg-4(j)(3).

35

Parmy Olson, Wearable Tech Is Plugging Into Health Insurance, Forbes, Jun. 19, 2014, http://www.forbes.com/sites/parmyolson/2014/06/19/wearable-tech-health-insurance.

36

Michael Frank, Your Fitbit Can Lower Your Insurance Premium, Outside, Dec. 19, 2014, http://www.outsideonline.com/1930056/your-fitbit-can-lower-your-insurance-premium.

37

21 U.S.C. § 301 et seq.

38

U.S. Dep’t of Health and Human Serv., Food and Drug Admin., Docket ID no. FDA-2014-N-1039, General Wellness: Policy for Low Risk Devices (Jan. 20, 2015) (“Low Risk Device Policy”).

39

General Wellness: Policy for Low Risk Devices; Draft Guidance for Industry and Food and Drug Administration Staff; Availability, 80 Fed. Reg. 2712, 2713 (Jan. 20, 2015). 

40

Low Risk Device Policy at p. 1.

41

Id. at p. 2.  Premarket approval is the FDA’s process for requiring businesses to prove certain higher-risk devices are safe before allowing them to be sold or marketed to consumers.  See generally, 21 U.S.C. § 360e.  After granting premarket approval, the FDA can require manufacturers to conduct postmarket surveillance on higher risk devices according to a plan, which the FDA must also first approve.  See 21 U.S.C. § 360l.

42

Id. at p. 8.

43

Id. at p. 5.

44

Id. at p. 3.

45

Id. at p. 4.

46

Id.

47

Amy McDonough, The Magic of 10,000 Steps, Jun. 22, 2010, http://blog.fitbit.com/the-magic-of-10000-steps/ (last visited Apr. 10, 2015).

48

See Low Risk Device Policy, p. 6.

 

Nina Kostyukovsky, Debevoise & Plimpton, LLP, Washington, DC