IS HIPAA READY FOR MEDICAL WEARABLE DEVICES?

In technology years, the HIPAA Security Rule is a dinosaur. HIPAA was a brainchild of the  enacted in 1996, largely to address health care access, “portability”, and privacy. The final rule on security standards was issued in 2003, specifically to address the security of Electronic Protected Health Information (“ePHI”).
Where were the Internet and mobility when all this was going on? The term “Internet” was first officially defined in 1995. Although we had laptops, the first smart phone would not be available for another 10 years, when the iPhone was released on June 29, 2007. Mobile apps, application software designed to run on smart phones, tablets and other mobile devices, began appearing in 2008. The first tablet, the iPad, was not released until April 3, 2010.
This historical review is simply to point out that when HIPAA was first written, the use of mobility, mobile apps, and wearable medical devices was not imagined, much less considered, by the authors of HIPAA. Can HIPAA handle the upcoming explosion of medical wearables?
Research projects that by 2016 wearable wireless medical device sales will reach more than 100 million devices annually. The market for wearable technologies in health care is expected to exceed $2.9 billion in 2016. This would account for at least half of all wearable technology sales.
The question then, as we stand at the edge of an explosion in the use of medical wearable devices, is who will be responsible for the security of the millions of transmissions of PHI from medical wearables, and does HIPAA adequately address the gathering and transfer of this information?
Let’s look at a simple scenario. A patient wears a monitor that tracks the patient’s vital signs and blood glucose levels. The information is wirelessly transmitted to the patient’s doctor. The doctor then uses this information to adjust the patient’s medication in real time. The problem arises when the monitor is hacked, and the patient’s medical and demographic information (ePHI) is stolen while it is being transmitted from the monitor to the doctor.
Does the doctor have HIPAA liability? Does the manufacturer of the monitor have liability as a HIPAA business associate? The answers are unclear at best. How can the doctor be liable if the ePHI never reached him in the first place? Should the doctor be liable for the security of the ePHI while it is in transmission? The HIPAA Security Rule does not seem to provide a security protocol that addresses the security of ePHI while it is in transmission, before it has come under the doctor’s control.
The manufacturer would also seem to escape HIPAA liability if it did nothing more than manufacture the wearable device. If it never had control over, or access to, the ePHI, it would not be a business associate under HIPAA. The manufacturer might have problems with the FDA or the FCC, but not with the HIPAA police, aka the OCR.
The problem is that the HIPAA Security Rule, like other statutes that attempt to govern the privacy and security of electronic data, cannot keep up with the speed of technological advancement. As courts attempt to retrofit obsolete laws to address current technology, we are bound to get unsatisfactory and inconsistent results.
While this post might seem to raise more questions than it answers, the point is this: if you are a medical provider, or a manufacturer or distributor of a medical wearable device, you need to understand and address how HIPAA will affect the wireless transmission of ePHI from medical wearable devices.