August 12, 2015
When it comes to compliance, perhaps the most obvious case is HIPAA compliance of wearable devices in the medical sector. In other industries, however – especially in the more hazardous industries such as Oil & Gas, Manufacturing, and Construction – there are standards that have to be met, certain requirements and expectations for products and equipment utilized at the shipyard, job site, or oil rig. In this article, we will focus on the challenge of compliance as it pertains to healthcare.
While doctors have been some of the most enthusiastic proponents of wearable technology, medical institutions – perhaps more so than any other enterprise organization – face significant privacy obstacles when it comes to implementing wearables, most obviously the Health Insurance Portability and Accountability Act, or HIPAA. In theory, in order to utilize a wearable device with live-streaming capabilities such as Google Glass in a medical setting in compliance with this act, the device would have to be run over a healthcare-specific, password-protected, encrypted network. This is no easy feat; the alternatives are to strip the technology of certain features such as Internet connectivity (which might defeat the purpose of adopting the tech in the first place) or else, more unlikely, to substantially alter HIPAA laws to accommodate wearable tech.
So what is HIPAA and why does it matter? Well, one of the main purposes of this act is to ensure the confidentiality of all healthcare information. What developers in the medical/health wearables space should understand are the privacy requirements of these laws, and how information or data transmitted by a wearable device or application to an entity such as a doctor or insurance provider is potentially covered by HIPAA.
Certain health information is considered protected under HIPAA, while other data collected by wearables may or may not fall under the act. Metrics such as number of heartbeats, steps taken, or sleep history are technically not considered protected; however, as soon as this information is shared with a doctor, hospital or third-party organization in the course of providing a healthcare service, then it becomes part of a patient’s health record and therefore covered by HIPAA. What we have just described is a scenario in which the data in question stems originally from a consumer’s personal wearable device; but there are other scenarios where HIPAA comes into play, including instances of wearables being used in hospital settings to monitor patients as well as to provide doctors with access to patient records, and especially in cases of telemedicine, teleconsultation, and telementoring (where visual recording takes place).
At this stage, most wearable technology does not acknowledge HIPAA or any other laws – federal or state – covering personal medical data. Yet the demand to utilize data from wearables in patient healthcare certainly exists; and doctors have found ways “around” HIPAA in order to safely use smart glasses in hospital environments. Inevitably, the “legal gap” between health-related data collected for consumers’ personal use and that exchanged with HIPAA-covered entities (healthcare professionals and institutions) will be thoroughly tested, navigated, and defined.
The FDA & the EEOC
You’ve probably read about Google’s patent for smart contact lenses. The concept is rather sci-fi to some, for others a cause for concern. Ingestibles, embeddables, hearables, smart clothing, and the like constitute an area of “close” wearable technology that could be exposed to regulatory factors, unbeknownst to many developers/innovators in the space. You see, as soon as you have devices interacting with the human body in a direct and continuous manner, you are in the realm of technology that will likely require FDA approval. Other government agencies come into play when you consider the potential for consumer wearable devices to interfere with traditional medical devices such as pacemakers.
Indeed, the U.S. government is already considering wearables, at least those used as part of corporate wellness programs. In June, the Equal Employment Opportunity Commission issued a proposed rule amending parts of the Americans with Disabilities Act as it relates to those wellness programs in place at more than half a million U.S. companies. At issue is the data collected by wearables, and whether it qualifies as simple health data (e.g., number of steps taken) or medical data (e.g., heart rate), with the latter potentially held to higher levels of privacy.
When it comes to wearable technology in healthcare, it seems the nature of the collected data is a matter that needs to be addressed. As new and increasingly advanced sensor technology comes about, providing us with more and more personal health metrics, those metrics capable of being measured by wearable devices will have to be categorized somehow, and defined as either protected (and under what laws) or unprotected and perhaps subject to some kind of consent.
Despite all the challenges, from battery life to data security (and there are certainly additional challenges we have overlooked in this blog series), many companies across the industry spectrum are managing to reap the benefits of wearable technology. As the technical, cultural, and organizational challenges of wearables are addressed, resolved, fixed, overcome and put to rest, wearables will undoubtedly gain even more traction in the workplace.