Maybe you snuck a doughnut for breakfast one too many times or failed to reach that step count because the new season of House of Cards was released and you just had to finish it. Your health insurer might not know that now, but with the growth of wearable technology and Wi-Fi-enabled health monitoring devices, there’s growing concern around the idea that your laziness can be used against you.
“Is this happening without consumers knowing? That’s definitely a concern,” Cora Han, an attorney with the Federal Trade Commission, tells Inverse. She’s quick to point out there’s no evidence of this happening currently, but it’s a subject that has been raised among industry professionals against the broader backdrop of the debate over health data privacy protection.
Wearables are estimated to sell 148 million units annually by 2019, up from 33 million shipped in 2015, according to a Business Insider report. But few are certain of how all this new data collection will come to help doctors make prognostic decisions and give consumers more control of their health outside of the hospital.
Han, who’s with the FTC’s division of privacy and identity protection, says the Commission’s role is generally not so much to dictate how that data is used, because it can’t predict the future, but rather to set up the parameters so that consumers know what they are getting into.
The FTC has grown ever more concerned about the safety of consumer health data, and on Tuesday, Jessica Rich, director of the Commission’s Bureau of Consumer Protection, went before the House Government and Oversight Reform subcommittee on information technology to provide knowledge on this area and urge the government to “strengthen its existing data security authority and require companies, where appropriate, to provide breach notification,” Han says.
The breach notification rule under the Health Insurance Portability and Accountability Act (HIPAA) requires health insurers and their business associates to notify consumers following a breach of unsecured health information. However, that same rule does not apply to health data gathered from wearables and Wi-Fi-connected health monitors.
“A lot of the new products and services that are handling consumer health data are outside of HIPAA,” Han says.
While the Commission can address them on a case-by-case basis under the FTC Act, Han says the agency has been urging the government to enact a federal Breach Notification law that would extend these sorts of HIPAA protections to emerging tech.
A 2015 CBS report shows that stolen health records are a bigger threat to consumers than stolen credit cards, because banks have become really good at detecting fraud. Health care providers lag behind.
Hackers collecting data is one concern, but there’s also the matter of deceptive companies misusing information collected through apps and portals. The FTC has already gone after malicious or neglectful companies that have compromised consumer health records, such as PaymentsMD, LLC and its former CEO, Michael Hughes.
PaymentsMD is a billing service for physician practice groups, which allows patients to manage and pay their bills directly online. But when the FTC discovered consumers were not being alerted that the information they reported to PaymentsMD was being used in a separate patient health service report, the Commission ordered the company to destroy the extra information collected.
The Commission also has concerns about how this data might be used in advertising, but without stricter laws in place, Han says the FTC will continue to look for ways to make companies more transparent about how they use consumer data, in hopes that doing so can best prepare them for what the future holds.
“You may not want to get targeted advertising about particular health conditions and … will that information be considered for employment or insurance?” Han says. “This is data that consumers often regard as private and sensitive, and I think what consumers are concerned about is having it be used in ways they might not reasonably expect.”