Bill Aims to Fill Consumer Health Device Data Privacy 'Gap'
Also, House Committee Scrutinizes Google/Ascension Patient Data Sharing Deal
Two U.S. senators have introduced legislation that aims to protect the privacy of consumer health data collected on wearable devices, such as smartwatches and fitness trackers.
The proposal would prevent companies that collect data via these devices from transferring, selling, sharing or allowing access to the information without a consumer's consent.
The privacy legislation introduced on Nov. 14 by senators Bill Cassidy, M.D., R-La., and Jacky Rosen, D-Nev., comes “amid renewed concerns of Google’s plans to buy Fitbit in light of recent reports that Google has partnered with Ascension to secretly harvest the nonanonymized private health data of millions of Americans,” the legislators said in a joint statement.
Google announced Nov. 1 that it plans to purchase fitness tracker maker Fitbit in a $2.1 billion deal that it expects to close in 2020 (see: Google’s Push Into the Health Sector: Emerging Privacy Issues).
In addition, Google and Ascension, the massive St. Louis-based healthcare system, announced on Nov. 11 a collaboration the organizations say is designed to improve patient care. The project is raising serious privacy concerns because it reportedly involves Ascension sharing data on millions of its patients with Google without their permission (see: Privacy Analysis: Google Access Patient Data on Millions).
“The actions of Google and Ascension raise questions about how Google and other companies would use data collected from smart device users,” Cassidy and Rosen say in their joint statement.
Meanwhile, the House Energy and Commerce Committee on Monday announced that it’s scrutinizing the recently disclosed patient data collaboration between Google and Ascension, which owns numerous healthcare facilities. The committee has requested briefings with both organizations to describe, among other things, how patient privacy is being protected in their arrangement.
The senators say the bill, the “Stop Marketing And Revealing The Wearables And Trackers Consumer Health Data Act” or the “Smartwatch Data Act,” would fix gaps in health data privacy protections.
It’s designed to help protect information about the health status, personal biometric information or personal kinesthetic information of a specific individual that is created or collected by a personal consumer device, whether detected by sensors or input manually.
Under a provision of the bill, “if a covered entity or business associate, acting in its capacity as a business associate, receives consumer health information generated by a personal consumer device at any time for any reason, such consumer health information is considered protected health information and is subject to the same protections and restrictions under [HIPAA] as any other protected health information.”
The bill, if it became law, would be enforced in the same manner that the Department of Health and Human Services’ Office for Civil Rights enforces HIPAA, the senators say.
“The introduction of technology to our healthcare system in the form of apps and wearable health devices has brought up a number of important questions regarding data collection and privacy,” Rosen says in the statement.
The legislation would extend existing healthcare privacy protections to personal health data collected by apps and wearables, preventing this data from being sold or used commercially without the consumer’s consent, she added.
The bill proposes to “treat consumer health information as protected health information, but does not aim to expand HIPAA,” a spokesman in Cassidy’s office tells Information Security Media Group. “It’s nuanced. Violations of the law would have the same penalties as HIPAA and would be enforced by HHS, but this law doesn’t expand HIPAA. HIPAA is about the holders of data. This is about the data.”
Cassidy notes in the statement: “The Google/Ascension news has brought needed scrutiny to the security of Americans’ health data. The Smartwatch Act prevents big tech data harvesters from collecting intimate private data without patients’ consent. Americans should always know their health information is secure.”
Congress Faces Challenges
Independent HIPAA attorney Paul Hales says Congress faces challenges in taking steps to protect all health information.
“The internet is awash with personal health information shared on social media and recorded on health and fitness apps,” Hales says. “A key legal question is the extent of Congressional authority to address these issues or regulate the actors. And a key policy question is whether and how Congress should address the issues.”
The scope of HIPAA is limited to covered entities and business associates, Hales notes. “Some HIPAA standards are outdated. For example, disclosure of a ‘limited data set’ of protected health information, likely relied on by Ascension and Google [in their collaboration], dates to the turn of the century when the power of big data analytics was inconceivable,” he says.
Although Hales is skeptical the bill will get signed into law, he calls it “a step toward refining health information protections to counter rapidly developing technology.”
Wearable Device Breaches
There have been some reports of data security incidents involving wearable health devices and apps.
For instance, in 2018, a security researcher discovered that Canada-based fitness company PumpUp was exposing sensitive consumer health data and private messages between users via an unsecured backend server hosted on Amazon’s cloud infrastructure.
Also in 2018, athletic apparel maker Under Armour revealed that an unauthorized intruder gained access to information, including hashed passwords, for the accounts of 150 million users of its MyFitnessPal mobile app and website.
House Committee Scrutiny
In letters sent Monday to Google and Ascension, the House Energy and Commerce Committee is seeking briefings with the organizations by Dec. 6 to discuss “Project Nightingale,” the collaboration under which Ascension shares patient data with Google.
The committee is seeking to learn about:
- What data Ascension is sharing with Google;
- How such data is being used and shared;
- The extent to which employees at Google and its parent company Alphabet have access to this information;
- The extent to which patients were informed about the use and sharing of their data;
- What steps are being taken to protect the privacy and security of patients’ data.