The current generation is often called the ‘tech-savvy generation’. This nickname is evident in the extent to which technology has been integrated into human lifestyle. Digital innovations have now entered every sector – from creation of online business platforms such as Amazon; to AI based digital assistants like Siri and Alexa; to digital payment apps such as Google Pay, Paytm, etc.
Another new and fast developing innovation is that of wearables and wearable technology. In layman terms, a wearable is any device that is worn on the person throughout the day. This device could be worn as an accessory, embedded in clothing, or even implanted within the body.[1] These devices are equipped with built-in sensors, which through contact with human skin can collect and analyze data; and further connect with other external devices such as smartphones. The term ‘wearable’ is used synonymously with ‘wearable technology’; both the terms carrying the same meaning. Broadly, wearables maybe categorized into three categories – E-Textile (i.e., devices available in the form of smart garments, either hand or foot worn); E-Patch (i.e., devices in the form of a body patch such as E-skin); and Accessories (i.e. devices worn as accessories. These could be wrist worn (smartwatches), head mounted (smart eyewear, etc.), or even jewelry (smart rings)).[2]
This article focuses on the pros and cons of wearable technology in healthcare with regard to data security. The article discusses the legal and ethical issues caused by usage of wearable technology in healthcare, the data collected and the existing regulatory framework with respect to the same.
Wearables in the healthcare industry
Healthcare is one of the most promising sectors when it comes to integration of wearable technology. Wearables can be used for a wide variety of functions, such as physical activity monitoring, patient management, disease monitoring, etc. The vital signs and health trends tracked by a wearable can support diagnosis and prognosis of chronic diseases; thus, making wearables a support aid for health services. Apart from functional benefits, healthcare wearables are light and convenient to carry, and easy to use. They also play a motivational role in the form of helping users set and achieve fitness goals; and help in increasing the overall productivity and efficiency of a user.
But while the wearable technology has its benefits, there are disadvantages to using them as well. Two major concerns that arise with use of the wearables are privacy and security. Both of these concerns stem from the process used by the wearables – collection and analysis of data.
Wearables collect and process data from the human body. This can be done in two ways – first is through built in sensors within the devices, that collect data when in contact with human skin (for example, heart rate, oxygen level, etc.); and the second is manual input of information by the user (for example, kind of food consumed, amount of water consumed, etc.).[3]
Wearables constantly collect data of an individual. This data is either collected within the mobile application in the user’s device or it is stored with a company’s storage system directly. Privacy policies often state the possibility of data being shared with third parties, and (as discussed below), such a policy if accepted may not be regulated, leaving companies free to sell/share the health data.[4] There is also a question of the ownership of data. Once stored by a wearable, does the company own the data? If the company manufacturing the wearable is acquired by another company (as Google bought FitBit recently), then does Google now possess the data that FitBit gathers or had gathered prior to the acquisition?
Ownership of the data collected by a wearable has been an object of debate for long. Ethically, since it is the personal data of an individual, the individual is the owner of the data. But when users manually input their personal data in a wearable, then they consent to the terms and conditions (and the privacy policy) of the device and the app on their smart phones too. So now, the wearable and the smartphone app would also be ‘owners’ of the data. A collective bargaining agreement of the Major League Baseball, which focused on this issue stated that data collected “belonged to the team; confidential and de-identified in nature; and available to the player on request.”[5] When Google acquired FitBit, it was publicly declared that as per the investigation report, Google could not use Fitbit data to inform a user’s ad profile; and that the Fitbit Health data has to be kept in a separate ‘data silo’.[6] But while this may address privacy concern, it still doesn’t identify the owner of the data. Similarly, different situations have different rules and there is no clear answer as to who actually owns the data. This is the primary reason wearables exist in a grey area in the regulation sector.
Wearables also often track more than needed information from a human body. Occasionally, a device’s information can be interpreted to track all activities of a person, including sexual activity, causing violation of privacy.[7] Data collection by healthcare wearables, hence, is fraught with privacy and security risks.
Regulations and restrictions on wearable technology in healthcare:
As mentioned above, wearable technology not only poses benefits, but also carries certain security and privacy risk. Hence, there is a need for strict regulation of such technology. Most countries have a legislation that protects healthcare data. The grey area in this situation is whether the regulation/ law includes such data collected by a healthcare wearable under its ambit.
A) USA
The FDA, following a 2016 guidance document, stated that low-risk general wellness wearables do not classify as ‘medical devices’ and hence, need not be regulated.[8] However, the legislation governing health data in USA is the Health Insurance Portability and Accountability Act, 1996 (HIPAA). The Act aimed to protect the privacy and security of the health information. In order to implement the requirement of HIPAA, three Rules were enacted by the US Department of Health and Human Services (HHS) – The Privacy Rule, the Security Rule, and the Security Breach Notification Rule.[9] The Privacy Rule lays down standards for use and disclosure of Protected Health Information (PHI) by entities subject to the Rule. The Security Rule lays down standards for protection of electronic Protected Health Information (e-PHI). The Security Breach Notification Rule is the set of guidelines required to be followed by covered entities in situations of breach of the Privacy Rule.
These three Rules are interconnected by the definition of Protected Health Information – which is defined within the Privacy Rule as “any individually identifiable health information which is held and transmitted by a covered entity or their business associate, in any form or media, whether electronic, paper or oral.”[10] The Security Rule covers only electronic information; hence it covers only a subset of the definition.
The grey area formed here is that the Rules apply to only those entities that are covered under HIPAA. As per the Act, a ‘covered entity’ refers to “a health plan; a healthcare clearing house; or any healthcare provider who transmits any health information in electronic form in connection with a transaction as under the Act.[11] HIPAA governs only transactions between an individual and a covered entity. By its definition, a healthcare app, or a wearable healthcare device is not included under the definition of covered entities. Hence, if an individual were to walk into a store and buy a FitBit, then the data collected by the wearable is not subject to HIPAA. But if the same FitBit were prescribed by the doctor as part of a healthcare requirement to the patient, data collected under such situations is protected under HIPAA. This is the first loophole.
The second grey area is formed with respect to the definition of PHI and e-PHI. The information that is protected is any information that can identify the individual. Hence, name, social security number, address, birthday, data related to a past, present or future medical condition is protected, but medical data, such as heartrate, BP, sleep data, etc. will not be protected unless they are linked to an individual.[12] Hence, most low- grade healthcare wearables are not covered by this Act.
The Federal Trade Commission (FTC) recently released guidelines to prevent unfair or deceptive practices, including non-compliance of privacy policies. The guidelines do not resolve the loophole related to the data, but extend to both covered and non-covered entities.[13] Hence, under the FTC guidelines, wearable companies have more regulation in comparison to HIPAA. However, this improves the security concern, but not the privacy concern.
B) European Union
The Global Data Protection Regulations (GDPR) regulate processing of personal data in the EU. Aside from the other data protection laws, what sets GDPR apart is the extension of the regulations to non-EU entities doing business with an EU entity. GDPR sets out a very strong framework for protection of personal data of an individual.
In addition to defining personal data, GDPR categories certain sets of data as ‘sensitive personal data’.[14] GDPR prohibits processing of sensitive personal data unless any exception listed under article 9 is satisfied. Since health data is also considered sensitive personal data, as per GDPR it can only be processed when the individual gives their consent[15] or when such processing is needed for medical diagnosis or as a form of preventive medicine.[16]
Thus, for the wearables in healthcare, processing (which, under the GDPR includes collecting of data as well) of data is only possible when an individual explicitly consents to it. Where the wearable technology is being used in a medical context, the exception under Art. 9(2)(h) is satisfied only as long as the processing is done ‘under responsibility’.[17] Hence, this is again a grey area since GDPR does not define ‘under responsibility’. For commercial wearable apps and devices, the data is recorded on the patient’s device and there is no accuracy as to how much data is actually processed by the wearable. Hence, it cannot be determined whether the processing of data of commercial wearables is ‘under responsibility’.
In addition to protection of health data, GDPR also insists upon the principle of ‘data design by design and default.’[18] Along with this, it mandates a data protection impact assessment[19] and adoption of a code of conduct.[20] Both steps will help the data controllers focus on the data collected and its purpose, along with gaining of consumer trust in the market.[21]
C) India
The current legal framework in India with respect to protection of personal data is through the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data Information) Rules, 2011 (also called SPDI Rules). The IT Act penalizes disclosure of personal data in breach of contract or without user’s consent[22]; and provides for compensation for negligence in maintaining reasonable security procedures for handling of SPDI.[23] Just like the GDPR, the SPDI rules also classify data as ‘personal data’ and ‘sensitive personal data’.[24] Data stored by healthcare wearables, such as physical and physiological data, biometric information, and medical records are categorized as sensitive personal data.[25]
The SPDI rules apply to any body corporate dealing with such data. They provide for basic compliance requirements such as obtaining consent prior to collecting personal data[26] and maintaining ‘reasonable’ measures to protect SPDI[27]; in addition to publishing a privacy policy.[28] However, with the wearable market, these measures fail to provide adequate protection. Since they have a market across borders, wearable devices need to be compliant with basic data protection regimes across different countries. Privacy policies, data security measures and consent provisions, thus, are a given for any wearable to be approved by an agency like the FDA or to clear a regime like GDPR. But as explained above, there are gaps even in the strongest data protection regimes. The SPDI rules, hence, are not adequate protection.
Another loophole that can be noticed is in the definition of the term ‘body corporate’. Body Corporate is defined as “a company, firm, sole proprietorship, or any association of individuals engaged in commercial or professional activities.”[29] The wearable itself, and the app on the user’s device which collects the device, do not classify as body corporate. Even though the manufacturing company can be included into the definition, the primary storage space for the data does not have any restrictions on what data to collect, how to collect, and where to store. Further, although the IT Act does apply to offences committed outside of India, the same is subject to involvement of a computer, computer system or computer network in India.[30] Again, devices and networks operating outside of India; devices such as the wearables and smartphones are not included.
In 2018, a draft bill Digital Information Security in Healthcare Act (DISHA) was brought out by the Indian Government. DISHA aimed to protect the digital electronic records and digital information of the patient. The Bill segregates sensitive personal information from personal information. Sensitive health information includes physical and mental condition, sexual orientation and disease records among other categories.[31] Additionally, the Bill defines an ‘entity’ and includes all organizations (excluding only ‘Clinical Establishments’ and establishments owned by armed forces) under its ambit.[32] Further, the Bill distinguishes between different kinds of digital data, such as de-identified data and anonymized data.[33] If enacted, this law can be the first ever digital security law made in India.
The same year, the Personal Data Protection Bill (PDP Bill) was introduced. This Bill was based on the GDPR and aimed to protect personal data of an individual. Together, DISHA and PDP Bill can regulate the data collected in healthcare wearable industry. However, they are currently tabled in the Parliament. In the absence of both these legislations, India can well be said to be without any adequate laws that protect personal data.
India has adopted digital health easily, but at the same time, faces a high incidence of cyber- attacks and data leaks. As recent as February, 2020, over a million patients’ data and patient history were leaked due faulty healthcare data security systems.[34] As for dependency on wearables, India has a wide market for fitness devices. Surveys and studies showed that a large number of Indians purchased fitness wearables, but while they were aware of the device, they weren’t aware of what data was collected.[35] The most popular reason was ‘better exercise’. Fitness wearables are also a good option for developing markets like India. This is evident in the increasing recommendation that Indian doctors give to health and wearables.[36] Hence, given India’s increasing dependence on healthcare wearables, it is in a vulnerable position; with the data of nearly a billion consumers at risk, and completely unrestricted in terms of processing due to loopholes in existing legal framework.
In conclusion, it can be said that the wearable industry seems to be within a grey area in terms of legal regulation. The laws and legislations of a country may protect data (and even something as specific as health data); the entities using the data in a medical context, such as the hospitals, the healthcare providers, etc. are also bound by regulations related to health data. But the manufacturers of the wearables, and the individuals using the wearables themselves are neither protected by the regulations, nor bound by it. And so, the security risks and privacy risks to data collected by wearables remain even with regulations existing on the subject. Given the nature of such risks; and the possibility of wearables being of integral importance in the near future, it is necessary to bridge this gap and specifically include healthcare wearables into the legal framework.
[1] Adam Hayes, Wearable Technology, Investopedia, 11th May, 2020, https://www.investopedia.com/terms/w/wearable-technology.asp – last accessed on 14th Sept, 2021 at 7 AM. [2] Liezel Cilliers, Wearable Devices in Healthcare: Privacy and Information Security Issues, HIMJ, 1, 2, 30th Apr, 2019, Wearable devices in healthcare: Privacy and information security issues - PubMed (nih.gov) – Last accessed on 14th Sept, 2021 at 7.15 AM. [3] Ibid at pg. 2. [4] Cindy Ng, Five Privacy concerns about wearable technology, Varonis, 29th Mar, 2020, 5 Privacy Concerns about Wearable Technology (varonis.com) – last accessed on 14th Sept, 2021 at 11 AM. [5] Edith Noreiga, As Science, Technology gather more Biometric Data, who owns the information?, As science, technology gather more biometric data, who owns the information? - Global Sport Matters, GlobalSportMatters, 11th July, 2018, last accessed on 21st Sept, 2021 at 7 PM. [6] Andrew Williams, Google now owns Fitbit, what it means for your Fitness Data Privacy, Forbes, 14th Jan, 2021, 11.43 AM, Google Now Owns Fitbit: What It Means For Your Fitness Data Privacy (forbes.com) – last accessed on 21st Sept, 2021 at 7 PM. [7] Supra note 4. [8] Guidance document, General Wellness: Policy for Low-Risk Devices, FDA, Sept, 2019, General Wellness: Policy for Low Risk Devices | FDA – last accessed on 14th Sept, 2021 at 6 PM. [9] HIPAA for Professionals, HHS, Combined Regulation Text of All Rules (hhs.gov) – last accessed on 14th Sept, 2021 at 6 PM. [10] 45 C.F.R, §160.103, Summary of the HIPAA Privacy Rule | HHS.gov – Last accessed on 14th Sept, 2021 at 6 PM. [11] HIPAA Administrative Simplification Regulation Text, 12, Mar, 2013, HHS, Combined Regulation Text of All Rules (hhs.gov) – last accessed on 14th Sept, 2021 at 6 PM. [12] Kristen Lee, Wearable health technology and HIPAA: What is and isn’t covered, Tech Target, 24th July, 2015, Wearable health technology and HIPAA: What is and isn't covered (techtarget.com) – Last accessed on 14th Sept, 2021 at 6 PM. [13] Gicel Tomimbang, Wearables: where do they fall within the regulated landscape, Iapp, 22nd Jan, 2018, Wearables: Where do they fall within the regulatory landscape? (iapp.org) – last accessed on 14th Sept, 2021 at 6 PM. [14] Art. 9(1) of GDPR. EUR-Lex - 32016R0679 - EN - EUR-Lex (europa.eu) – Last accessed on 14th Sept, 2021 at 6.45 PM. [15] Ibid at Art. 9(2)(a) [16] Supra note 12 at Art. 9(2)(h) [17] Supra note 12 at Art. 9(3) [18] Supra note 12 at Clause 61, Preamble. [19] Supra note 12 at Art. 35 [20] Supra note 12 at Art. 40 [21] Lorna Cropper, Wearable Technology and the GDPR, SCL, 17th Feb, 2016, SCL: Wearable Technology and the GDPR – last accessed on 14th Sept, 2021 at 7.15 PM. [22] S. 72A, Information Technology Act, 2000. [23] S. 43A, Information Technology Act, 2000. [24] Rule 2(1)(i) and Rule 3, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data Information) Rules, 2011. [25] Ibid, Rule 3. [26] Supra note 20, Rule 5. [27] Supra note 20, Rule 8. [28] Supra note 20, Rule 4 [29] Supra note 21. [30] S. 75, Information Technology Act, 2000. [31] S. 3(1)(o), Digital Information Security in Healthcare Bill. R_4179_1521627488625_0.pdf (nhp.gov.in) – last accessed on 14th Sept, 2021 at 7.15 PM. [32] Ibid, S. .3(1)(f), [33] Supra note 25, S. 3(1)(a) and S. 3(1)(d). [34] Healthcare Data Leak: Over 120 Mn medical images exposed, Inc42, 4th Feb, 2020, India Healthcare Data Leak: Over 120 Mn Medical Images Exposed (inc42.com) – last accessed on 21st Sept, 2021 at 8:10 PM. [35] Fitness Wearables: Is their growth in India Sustainable?, RedSeer, Jan, 2018, Fitness Wearables: Is their growth in India sustainable? | RedSeer, - Last accessed on 21st Sept, 2021 at 8:10 PM. [36] Indian Healthcare on the cusp of a Digital Transformation, pg. 11, report at Telemedicon, 2016, Bengaluru, published by PwC, Digital Health whitepaper_Online_Single page.pdf – last accessed on 21st Sept, 2021 at 8:10 PM.