As medicine moves from Physical, to Virtual, to Mobile, to Wearable, to Implantable, new privacy legal issues arise, bringing legislative attention.
New York Senator Schumer posted an attention-grabbing press release about the legal privacy perils of mobile medical apps, smartphone apps, and healthcare technology transmitting patient health data:
SCHUMER REVEALS: WITHOUT THEIR KNOWLEDGE, FITBIT BRACELETS & SMARTPHONE APPS ARE TRACKING USER’S MOVEMENTS AND HEALTH DATA THAT COULD BE SOLD TO THIRD PARTIES; CALLS FOR FTC TO REQUIRE MANDATORY “OPT-OUT” OPPORTUNITY BEFORE ANY PERSONAL DATA CAN BE SOLD.
Tracker Bracelets Gather Info on GPS Locations, Steps Per Day, Sleep Patterns – Data Is So Rich an Individual Can Be ID’ed Purely By Their Gait, But Trackers like ‘Fitbit’ Can Create ‘Privacy Nightmare’, According to Experts Schumer Warns that No Federal Privacy Law Prevents Fitness Bracelet & Tracker Companies From Selling A User’s Personal Health Data to Third Parties, Including Employers, Health Insurers & Others That Can Then Discriminate Based on That Info Schumer Asks FTC To Immediately Institute Rules That Would Require Fitness Bracelet, Phone Tracking App Companies To Alert Users They Are Being Tracked, and Give Them Opportunity To Opt- Out, Before Tracking Starts
U.S. Senator Charles E. Schumer revealed today that personal health and fitness data – so rich that an individual can be identified by their gait – is being gathered and stored by fitness bracelets like ‘FitBit’ and others like it, and can potentially be sold to third parties, like employers, insurance providers and other companies, without the users’ knowledge or consent. Schumer said that this creates a privacy nightmare, given that these fitness trackers gather highly personal information on steps per day, sleep patterns, calories burned, and GPS locations. Users often input private health information like blood pressure, weight and more. The data is then uploaded for analysis and feedback for the user. There are currently no federal protections to prevent those developers from then selling that data to a third party without the wearer’s consent. Schumer therefore urged the Federal Trade Commission (FTC) to push for fitness device and app companies to provide a clear and obvious opportunity to “opt-out” before any personal health data is provided to third parties, who could discriminate against the user based on that sensitive and private health information.
Many Americans have started wearing fitness trackers and bracelets, like Fitbit, to monitor and improve their health, and Schumer believes the technology is a positive and effective way to promote healthier and more active living. However, Schumer highlighted that there are insufficient federal protections in place to ensure that information submitted to and collected by these fitness trackers remains personal and private. Schumer drew contrast to a Finnish company called Polar Flow that is appropriately handling privacy by making it very clear in their terms and conditions that they will never sell personally identifiable data for advertising purposes. In his letter to the FTC, he said that the federal government should investigate the vague policies used by these companies that make it impossible for health-conscious consumers to make an informed choice about privacy, and to clarify that it is an unfair or deceptive trade practice when a company fails to state clearly to consumers whether personal data may be sold to third parties for advertising or other purposes.
“Personal fitness bracelets and the data they collect on your health, sleep, and location, should be just that – personal. The fact that private health data – rich enough to identify the user’s gait – is being gathered by applications like FitBit and can then be sold to third-parties without the user’s consent is a true privacy nightmare,” said Senator Schumer. “If companies of fitness devices have the ability to sell personal health data to insurers, employers and others, users should be alerted and given the opportunity to decline. The FTC should require fitness devices and app companies to adopt new privacy measures that will help conceal the identity of individuals and develop policies to protect consumer information in the event of a security breach.”
Schumer today called on the FTC to help fitness devices and app companies adopt new privacy measures. Schumer said that the FTC should help ensure that companies clearly explain to users how their data is being used and allow consumers to opt-out of data sharing. Schumer said such a policy would better protect consumers because companies would not be allowed to sell information about individual identities to third parties without their consent. Schumer also noted that these companies should adopt stronger policies that protect consumer information in the case of a breach. Schumer said that these measures will allow individuals to enjoy the many perks of their fitness devices without the increasing threats to their private health information.
Several points bear remembering when considering legal issues involving health data apps or online health (or telemedicine):
- In general, HIPAA technically only applies where health insurance claims are being submitted electronically.
- HIPAA legal obligations are onerous. It’s best if you don’t have to comply with HIPAA.
- Even where HIPAA does not apply, state privacy and security obligations can apply and require compliance. Consult HIPAA legal counsel where necessary.
- Other legal rules come into play, such as FTC policies prohibiting false and misleading advertising, and FTC and FDA guidelines on mobile medical apps.
- FDA’s reach over mobile medical apps is broad, and the line between mobile medical apps and medical devices, and applications that simply collect health data without more, is blurry.
- Fee-splitting and anti-kickback arrangements, telemedicine licensing rules, and other areas of law can apply to the healthcare venture that takes control over one’s health online or onto the smartphone.
Get solid legal advice from experienced healthcare counsel familiar with legal issues applicable to mobile and wearable health data projects and applications.