Alayna Frauhiger
Associate Editor
Loyola University Chicago School of Law, JD 2021
On November 18th, 2019, Congress introduced the Stop Marketing and Revealing the Wearables and Trackers Consumer Health Data Act, known as the Smartwatch Data Act. The Smartwatch Data Act was introduced by Democratic Senator Jacky Rosen and Republican Senator Bill Cassidy in response to Google’s plan to acquire fitness tracker manufacturer Fitbit in 2020. Since notice of this acquisition, privacy advocates have raised concerns about how Google will use personal health data collected through Fitbit devices. The legislation therefore aims to ensure that health data collected through fitness trackers, smartwatches, and health apps cannot be sold without consumer consent.
Mobile health and fitness app basics
Under the Smartwatch Data Act, a personal consumer device is defined as “equipment, application software, or mechanism that has the primary function or capability to collect, store, or transmit consumer health information.”
Most Americans own at least one mobile device capable of running software applications (apps), and there are millions of apps available for almost every purpose imaginable. This includes health and fitness monitoring that supports diet and exercise programs, pregnancy trackers, behavioral and mental health coaches, symptom checkers that can link users to local health services, sleep and relaxation aids, and personal disease or chronic condition managers. In addition to health apps, it is critical for legislators to also consider wearables in this proposal, since these have continued to gain traction in the marketplace as a way to automate data entry into a mobile app. Wearables include any device or technology “worn” by the user, and the vast majority of wearables aim to automate the collection of data that apps formerly required users to enter manually. This means that many of the same concerns about reviewing an app’s privacy policy apply to wearables as well.
What is the Smartwatch Data Act?
The Smartwatch Data Act aims to fill a gap left open by HIPAA – specifically, by the HIPAA Privacy Rule. While the HIPAA Privacy Rule prohibits the disclosure of protected health information (PHI) in certain instances, there is no prohibition on using, sharing, or selling health data that is collected, stored, and transmitted by fitness trackers, wearable devices, and health apps. At present, consumers have no control over who can access this information. The Smartwatch Data Act aims to address this “gap” in privacy.
The bill prohibits the transfer, sale, sharing, or access to any consumer health information that is not anonymized or de-identified, or any other individually identifiable health information, that is:
- Collected,
- Recorded, or
- Derived from personal consumer devices
The parties to which the collected, recorded, or derived data may not be transferred, sold, shared, or made accessible include:
- Domestic information brokers,
- Other domestic entities, or
- Entities based outside of the U.S.
This data cannot be collected unless consent has first been obtained from the consumer.
Essentially, the Smartwatch Data Act would expand the current definition of PHI by treating all health data collected through apps, wearable devices, and trackers as protected health information. The Smartwatch Data Act, however, does not seek to expand the definition of “covered entity” to include app developers and wearable device manufacturers that collect, store, maintain, process, or transmit consumer health information. The Smartwatch Data Act would not extend HIPAA to cover these companies; instead, the legislation applies to the data itself.
Steps moving forward
Currently, the bill is in the first stage of the legislative process and will need to be considered by committee before possibly being sent on. The bill must then be passed by both the House and Senate in identical form and signed by the President to become law. In preparation for this bill becoming law, privacy departments will need to prepare new policies and procedures to ensure compliance with the new protections. It will be critical for privacy policies to reflect the language of the bill and afford real-time protection to consumer information. Furthermore, Congress will need to push enforcement to ensure that all smartwatch companies comply with the increased protection given to consumers.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which currently enforces HIPAA compliance, would be responsible for Smartwatch Data Act enforcement as well, per the terms of the draft legislation. Penalties for not complying with the Smartwatch Data Act would be the same as the penalties for HIPAA violations, such as voluntary compliance activities and civil money penalties. Federal fines for HIPAA noncompliance are based on the level of negligence found within the organization at the time of the HIPAA violation. Fines and consequences can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation.