Is Your Fitness Tracker Violating Your Privacy Rights?

Jessica Sweeb
Associate Editor
Loyola University Chicago School of Law, JD 2019

An increasing number of companies provide fitness trackers to their employees as part of their benefits package. Fitness tracker use has grown steadily over the past few years, and shipments are predicted to reach 240.1 million devices by 2021. Yet the popularity of these devices has outpaced attention to how the health data they collect is protected. A few vendors, such as Fitbit and Apple, have announced support for HIPAA compliance (that is, they will handle data under a business associate agreement when a covered entity requires one); others have remained silent on whether they are, or plan to become, compliant. While fitness trackers have been shown to have an overall positive effect in corporate wellness programs, corporations should stay current on how to keep their employees’ health information secure and should confirm, before distributing a tracker, whether HIPAA applies to the data being collected and whether the vendor will sign a business associate agreement.

Fitness trackers and their role in the corporate office

Between 2006 and 2013, companies such as Fitbit, Google, and Nike released their own wearable fitness trackers. Some vendors, Fitbit in particular, began signing large, well-known companies as corporate clients. Target, one of Fitbit’s clients, announced in 2016 that it would provide 335,000 trackers to its American employees.

Corporations have begun implementing corporate wellness programs, some of which include fitness trackers, to help employees adopt a healthier and more active lifestyle. Corporations may also be driven by the money they can save if their employees are more active: a 2010 Duke University study estimated that obesity costs American businesses roughly $73.1 billion a year in medical expenses and absenteeism.

As of 2017, around eight percent of companies that participated in the Society for Human Resource Management (SHRM) survey had provided fitness trackers to their employees, IBM among them. IBM provided Fitbit trackers to 40,000 of its employees and established multiple wellness programs. IBM later reported that roughly 96% of the employees who received trackers logged their health data, including daily meals, and that after the company introduced a step challenge, participants walked more than twice as many steps as employees who did not take part.

Fitness trackers have proven an overall welcome and successful addition to corporate wellness programs: they improve employee well-being, boost morale, and can reduce insurance premiums. Despite this, corporations may not have considered that these trackers can put their employees’ health information at risk.

Fitness trackers, health data, and privacy concerns

Fitness trackers collect a wide variety of health data, including heart rate, sleep patterns, calories burned, and in some cases glucose levels. Though this makes the consumer’s life easier, the vendor’s handling of that data is often not HIPAA compliant, and in many cases HIPAA does not apply to it at all, leaving the consumer’s health information vulnerable to being breached, stolen, or sold.

Among other things, the HIPAA Privacy Rule covers protected health information (PHI), which the U.S. Department of Health and Human Services (HHS) defines as “ ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.” The rule therefore reaches fitness tracker data only when a covered entity (such as a health plan or healthcare provider) or its business associate holds or transmits it: for example, when the tracker’s data is integrated into a consumer’s healthcare organization’s systems or electronic health record, or when an employer’s group health plan runs the wellness program. Data that a vendor collects directly from a consumer, or that an employer collects outside its group health plan, is generally not PHI under HIPAA, even though it is the same kind of information.

Fitbit announced HIPAA compliance (support for business associate agreements with its corporate wellness customers) in September 2015, after selling nearly eleven million fitness trackers in 2014 – meaning that for roughly a year, health data flowing through those devices had no HIPAA protection and depended entirely on Fitbit’s own privacy policy and terms of service. With an increasing number of corporations giving fitness trackers to their employees, it is important for both employers and employees to understand the privacy risks, particularly if the employee sends the tracker’s data to a healthcare provider or if the wellness program is run through the employer’s health plan.

How companies can help protect their employees

Companies can help protect their employees’ privacy by making sure each employee understands the privacy risks of using a fitness tracker. Employees should also know exactly what health information the company collects and retains, and what it plans to do with it. Companies could hold informational sessions for employees enrolled in the wellness program that explain what information the trackers collect, how the program benefits them, and the measures the corporation takes to protect the data (for instance, whether the vendor has signed a business associate agreement and whether the employer sees only aggregated, de-identified results rather than individual records). It is good practice for the corporation to be fully transparent when employees ask how their health information is stored and how it will be used.

Providing fitness trackers through corporate wellness programs has been found to be highly effective at helping employees stay healthy. Corporations should keep distributing them – as long as employees are fully informed of the privacy risks and the employer has confirmed how the data will be protected.