On September 16th, FitBit announced that they were adding HIPAA compliance safeguards to their Wellness platform. This marks a subtle but important shift in the behaviour of the leading fitness wearable. For the first time, FitBit will create Business Associate Agreements with Covered Entities and better integrate their data into broader wellness programs.
Why is this Big News?
The wearables market continues to expand and with the proliferation of smartwatches from Apple and Samsung and Google’s non-commercial wristband, consumers could soon be swimming in data. Many organizations have asked the logical question of whether these types of devices can plug into a larger data set and potentially allow for more than just simple health monitoring. Can FitBits be used to connect to health insurance programs, hospital’s Electronic Medical Records (EMR/EHRs) or to clinical trial management platforms? With this new announcement, one of the largest hurdles appears to have been overcome.
What’s the Big Deal with HIPAA and Wearables?
HIPAA stands for “Health Insurance Portability and Accountability Act” (note the two A’s and one P folks). The act was passed in 1996 as an attempt to ensure the confidentiality of healthcare information (and also to help people get and keep their insurance). In 2013 HIPAA was updated with the Final Omnibus rule which contained several updates and clarifications to HIPAA, but there were two big things that affect wearable tech:
- Any software or technology developer that wanted to build an application that was going to integrate, store and share health information with a covered entity (hospital, insurance provider, doctor’s office) would need to meet the standards laid out in the HIPAA security rules. This isn’t trivial and it means that companies who want to work with this type of data need to show that they understand privacy and protect people’s personal health information. These developers are called Business Associates and needed to create what are called Business Associate Agreements (BAAs) with Covered Entities.
- The second change reflects how to manage any breach of personal health data. With all the news about data breaches lately, this is a core component of how HIPAA should be working to keep our info out of the hands of those who might try to steal it. This lays out provisions for how and when a breach should be reported. Encryption of consumer data at rest (while it’s being stored on servers) and in transit (while it is moving from device to server or vice versa) gives a greater level of protection if anything were to be breached.
So for the first time it seems that FitBit has the capacity to enter into BAAs with any Covered Entities and has addressed the potential security audit requirements in HIPAA.
Why was this a smart move for FitBit
Aside from opening up their business corporate wellness platform to a host of self-insured companies, hospitals, insurers, etc. (who would be considered Covered Entities under HIPAA) their fitness tracker application can start to become part of the standard of care for physicians. It also could make the FitBit a viable option for integration into clinical research in a way that non-HIPAA certified device couldn’t be.
Imagine your doctor prescribing you a FitBit as a part of a Diabetes management program that includes medications and changes in diet. You wear your FitBit and your doctor can monitor your progress against specific fitness goals through an integration into their practice’s EHR and send you HIPAA complaint messages through the Wellness Platform.
Imagine a pharmaceutical manufacturer wants to track and monitor walking speed as an endpoint for one of their clinical trials. FitBits can be given to trial participants to wear and passively connect back to the trial site’s servers to understand whether patients on drug are more active than those on placebo.
Imagine an insurance company wanted to help their members stay healthy through fitness gamification and offered a free (or subsidized) FitBit to all enrolled. Those participants who opt-in to the program could receive real-time “nudges” to walk more, stand more or get their heart rate up more often. Members and insurers alike could reap the benefits of a more active lifestyle leading to better overall health and better medication adherence.
Wearables still have a ways to go to be a true part of the clinical experience.
- Validation – Right now, none of the wearable offerings have been approved by the FDA as a medical device (including Google’s non-commercial entrant into the space). This means that the data collected (even if it can be shared with your physician in a compliant way) can’t be used for diagnostic purposes. Most of the wearables on the market have a vastly different level of accuracy. Take walking speed for example. CNET.com conducted a test of commercial pedometers and found that several products deviated from walk to walk by as much as 16%.
- Support and Training – FitBit may have great customer service, but to properly integrate their offering into a clinical experience, it could be a much larger challenge to support. If patients are calling their doctor’s offices directly asking how to install the app on their phones or how to complete the HIPAA authorization to share their data, the programs will likely grind to a halt.
- Data Context – Collecting ambient data as a part of a formal prescribed fitness monitoring program could have real limitations in knowing what specifically might be changing your biometric outputs. Did your heart rate change because you were on a stationary bike or because you were nervous for your midterms? Was your sleepless night a side effect of your medication or because your kid got suspended from school? Even though ambient data collection is an amazing tool, it rarely comes with the context of why. Pairing fitness trackers with self-reported journalling might alleviate this concern.
It’s exciting to see FitBit who owns the majority share of the wearable market take this first important step into integration with broader health platforms. We’re working with several of our clients on integrating passive monitoring into their toolkits for disease management and adherence and this advancement is a big deal for them. The challenges are still myriad but the opportunity to improve the health of the nation through better monitoring, sharing and gamification of health is very exciting.