Fitbit wearable tech becomes HIPAA compliant

Concerns around wearable tech meeting HIPAA compliance have been much discussed following the launch of Apple Watch, and Apple fitness and medical research frameworks HealthKit and ResearchKit.

Fitbit has clearly taken note of these concerns: it has announced that its wearable tech is now HIPAA compliant. This will allow Fitbit to expand its corporate wellness program to more businesses while ensuring that personal information about its customers is kept secure.

According to Amy McDonough, VP and General Manager of Fitbit Wellness, Fitbit users will have to consent before their data is used, and program managers will only receive a subset of that data, such as steps taken, distance walked or minutes of activity. The more personal information the device collects, including sleep patterns and heart rate, will not be shared with employers. Some companies may choose to receive aggregate Fitbit data for entire offices, so that different offices can compete against each other on the Fitbit Wellness platform and employers can offer incentives to employees who embrace the program.
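The sharing rules described above amount to a data-minimisation design: a per-user consent gate, an allow-list of the few fields a program manager may see, and office-level aggregation. The example below is added here to illustrate that design and is not Fitbit's code; the field names, the sample records and the minimum-group-size threshold for aggregates are constructed assumptions.

```python
"""Allow-list projection and office aggregation for a wellness-program feed.

Added example, not Fitbit's code. Field names, records and the suppression
threshold are assumptions made for illustration.
"""
from collections import defaultdict
from typing import Optional

# Fields an employer's program manager may receive (assumed names).
EMPLOYER_ALLOWED_FIELDS = frozenset({"steps", "distance_m", "active_minutes"})

# Fields that must never leave the user's own account (assumed names).
RESTRICTED_FIELDS = frozenset({"sleep_minutes", "resting_heart_rate"})


def project_for_employer(record: dict) -> Optional[dict]:
    """Return only allow-listed fields, or None if the user has not consented.

    The allow-list is the control: anything not explicitly listed is dropped,
    so a sensor field added later is withheld by default rather than leaked.
    """
    if not record.get("consent_wellness_program", False):
        return None
    shared = {k: v for k, v in record.items() if k in EMPLOYER_ALLOWED_FIELDS}
    # Fail closed if a restricted field ever ends up on the allow-list.
    if shared.keys() & RESTRICTED_FIELDS:
        raise ValueError("restricted field in employer projection")
    return shared


def aggregate_by_office(records: list, min_group_size: int = 5) -> dict:
    """Sum allow-listed metrics per office over consenting users only.

    Offices with fewer consenting members than min_group_size are suppressed
    so a total cannot be traced back to one or two people (the threshold is
    an assumption, not a Fitbit rule).
    """
    totals = defaultdict(lambda: defaultdict(int))
    counts = defaultdict(int)
    for rec in records:
        shared = project_for_employer(rec)
        if shared is None:
            continue  # no consent: contributes nothing, not even to counts
        office = rec["office"]
        counts[office] += 1
        for k, v in shared.items():
            totals[office][k] += v
    return {
        office: {"members": counts[office], **dict(totals[office])}
        for office in totals
        if counts[office] >= min_group_size
    }


def _make(uid: str, office: str, consent: bool, steps: int) -> dict:
    """Build a constructed sample record with both shareable and restricted fields."""
    return {
        "user_id": uid,
        "office": office,
        "consent_wellness_program": consent,
        "steps": steps,
        "distance_m": steps * 3 // 4,
        "active_minutes": steps // 200,
        "sleep_minutes": 420,        # restricted: never shared
        "resting_heart_rate": 60,    # restricted: never shared
    }


# Constructed sample data: five consenting Boston users, one who declined,
# and a two-person Denver office that falls below the suppression threshold.
SAMPLE_RECORDS = [
    _make("u1", "Boston", True, 8000),
    _make("u2", "Boston", True, 6000),
    _make("u3", "Boston", True, 10000),
    _make("u4", "Boston", True, 7000),
    _make("u5", "Boston", True, 9000),
    _make("u6", "Boston", False, 12000),
    _make("u7", "Denver", True, 5000),
    _make("u8", "Denver", True, 5500),
]

if __name__ == "__main__":
    print(project_for_employer(SAMPLE_RECORDS[0]))
    print(project_for_employer(SAMPLE_RECORDS[5]))
    print(aggregate_by_office(SAMPLE_RECORDS))
```

Two design choices matter here: the projection is an allow-list rather than a block-list, so new data types are withheld until someone decides otherwise, and the aggregate path reuses the same projection, so the office totals can never contain a field an individual record would not have exposed.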

Becoming HIPAA compliant is a strong way of forging relationships with the enterprises that join the Fitbit Wellness corporate programs, which can be confident that the data collected will be protected. More importantly, it also opens the door to integration with health plans and self-insured employers, because Fitbit can now enter into Business Associate Agreements (BAAs) with covered entities.

Before Fitbit became HIPAA compliant, David Reis, Ph.D., Vice President IS & CISO at Lahey Hospital and Medical Center in Burlington, Massachusetts, stated:

“The only way data collected by a wearables company like Fitbit would be covered by HIPAA is if Fitbit partnered with a HIPAA covered entity. Such a partnership is unlikely to happen because many companies don’t want to deal with the complexities of HIPAA.

“I think it would be safe to say that companies like Fitbit would have to think very carefully and have a clear objective on why they would want to enter into agreements with covered entities to store that data because of regulations like HIPAA.”

The complexities of HIPAA clearly didn't put Fitbit off, but most companies that produce wearable devices are neither HIPAA covered entities nor partners of a covered entity, so the data that the company and its devices collect is not bound by or protected under HIPAA. The data typically collected by a Fitbit or similar device includes an individual's height, weight, gender, heart rate, dietary habits and sleep data, as well as personally identifiable information such as name, date of birth, contact details and images of the individual.

Where data considered to be personally identifiable information is transmitted or stored outside the device, HIPAA requires a business associate agreement between the vendor responsible for managing the PHI and the company that created the device.

Ultimately, being HIPAA compliant makes Fitbit stand out in a saturated wearable tech market and will help it grow its wellness program. Target, which has 335,000 employees, will join the Fitbit Wellness program as its next, and largest, corporate client; Fitbit has already signed up Adobe, BP and a number of other well-known enterprises as customers.

By focusing on a B2B offering that helps organizations run engaging, effective and motivating wellness programs in a secure and compliant way, Fitbit looks set to dominate the corporate sector.