
By Suzanne Burdick, Ph.D., at The Defender
The Health Information Privacy Reform Act would require wearable developers to explicitly notify users that HIPAA’s privacy rules won’t protect their data and offer opt-out features for users who don’t want their data shared. But a legal expert told The Defender the bill, introduced by Sen. Bill Cassidy, doesn’t address location tracking.
Sen. Bill Cassidy (R-La.) introduced a bill this month to protect people’s privacy and consent when they use wearables that track health data.
Cassidy’s bill, the Health Information Privacy Reform Act, would require wearable developers to explicitly notify users that HIPAA’s privacy rules won’t protect their data and offer opt-out features for users who don’t want their data shared.
The bill also calls on U.S. Health Secretary Robert F. Kennedy Jr. to direct the National Academies of Sciences, Engineering and Medicine to study the ethics and implications of paying people to share their health data for research purposes.
According to Cassidy, wearables like smartwatches or Fitbits can be “helpful tools” for managing a patient’s health. However, they also create “privacy concerns that didn’t exist when it was just a patient and a doctor in an exam room.”
“Let’s make sure that Americans’ data is secured and only collected and used with their consent,” he said in a statement.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs traditional provider-patient interactions. “However, HIPAA is failing to keep up with consumer health products that connect individuals to health tools outside of the doctor’s office,” Cassidy’s press release stated.
Ted Claypoole, legal expert and cyberspace law committee chair of the American Bar Association, who reviewed Cassidy’s bill, told The Defender it addressed “some of the obvious holes” in current HIPAA coverage.
However, Claypoole said the legislation “does not seem to address the other major privacy concern of location tracking.” He said he would like to see federal legislation that limits companies’ ability to track and share people’s locations.