Congress recently introduced the Stop Marketing and Revealing the Wearables and Trackers Consumer Health Data Act, nicknamed the Smartwatch Data Act. The legislation, introduced by Democratic Senator Jacky Rosen and Republican Senator Bill Cassidy, aims to ensure that health data collected through fitness trackers, smartwatches, and health apps, cannot be sold without consumer consent.
What is the Smartwatch Data Act?
The Smartwatch Data Act is aimed to fill in a gap left open by HIPAA – specifically, by the HIPAA Privacy Rule. While the HIPAA Privacy Rule prohibits the disclosure of protected health information (PHI) in certain instances, there is no prohibition on use, sharing, or selling health data that is collected, stored, and transmitted by fitness trackers, wearable devices, and health apps. At present, consumers have no control over who can access this information. The Smartwatch Data Act aims to address this “gap” in privacy.
The bill prohibits the transfer, sale, sharing, or access to any non-anonymized (de-identified) consumer health information, or other individually identifiable health information, that is:
- Collected,
- Recorded, or
- Derived from personal consumer devices
The groups with respect to which the collected, recorded, or derived data may not be transferred, sold, shared, or accessed, include:
- Domestic information brokers,
- Other domestic entities, or
- Entities based outside of the U.S.,
Unless consent has first been obtained from the consumer.
Under the Smartwatch Data Act, a personal consumer device is defined as “equipment, application software, or mechanism that has the primary function or capability to collect, store, or transmit consumer health information.”
Under the Smartwatch Data Act, “consumer health information” – the information that cannot be transferred, sold, shared, or accessed without consent – includes information about the health status of an individual, personal biometric information, and kinesthetic information collected directly through sensors or inputted manually into apps by consumers.
The Smartwatch Data Act would expand the current definition of PHI by treating all health data collected through apps, wearable devices, and trackers as protected health information.
The Smartwatch Data Act does not seek to expand the definition of “covered entity” to include app developers and wearable device manufacturers that collect, store, maintain, process, or transmit consumer health information; rather, the legislation applies to the data itself, as noted above. The Smartwatch Data Act does not extend HIPAA to cover these companies, instead the legislation applies to the data itself.
The Department of Health and Human Services (HHS)’ Office for Civil Rights (OCR), which currently enforces HIPAA compliance, would be responsible for Smartwatch Data Act enforcement as well, per the terms of the draft legislation. Penalties for not complying with the Smartwatch Data Act would be the same as penalties for violations of HIPAA.
Introduction of the Smartwatch Data Act reflects concerns over Google’s intent to acquire fitness tracker manufacturer Fitbit in 2020. Privacy advocates have raised concerns about how Google will use personal health data collected through Fitbit devices.