New Technologies Potentially Raise HIPAA Concerns

Through the use of innovative products such as stretchable electronics, wearable technologies and microchips, individualized health data can be seamlessly recorded, wirelessly transmitted and stored for later use.[1]  These products can be applied externally or internally to monitor a person’s vital signs.[2]  The stretchable electronics are applied to the skin like a small sticker.[3]  They can record and transmit biological functions such as heart rate, brain activity, respiration, body temperature and hydration levels, as well as information about a person’s bloodstream.[4]

These new technologies will undoubtedly have significant implications for the healthcare industry, such as increased efficiency in the delivery of healthcare and reduced costs.  However, anytime health data is being transmitted, it is wise to analyze whether the Health Information Portability and Accountability Act (HIPAA)[5] applies.  If HIPAA does apply, the organizations transmitting and using the data compiled by these devices will need to be careful not to run afoul of the federal statute.

HIPAA protects the privacy of an individual’s health information.  HIPAA’s protections are enforced through the Privacy Rule, which is a group of federal regulations promulgated by the U.S. Department of Health and Human Services.[6]  The Privacy Rule prohibits a “covered entity” from disclosing or unlawfully using a person’s “individually identifiable health information” without the person’s specific written consent.[7]  Violators of HIPAA can be subject to civil penalties ranging from $100 to $50,000 per violation, depending on the circumstances.[8]

Several legal issues may arise from the use of health data collected by stretchable electronics, wearable technologies and microchips.  The first is whether the organizations transmitting and using the health data qualify as a covered entity under HIPAA.  If not, their use or disclosure of the health data is outside the reach of HIPAA.[9]  Covered entities include healthcare providers, health plans, healthcare clearinghouses and the business associates of any of these three types of entities.[10]  Whether or not HIPAA applies will depend on whether the health data is being collected by or shared with one of the covered entities.

Another issue is whether the health information being collected and transmitted is individually identifiable health information protected by HIPAA.  Completely anonymous, or “de-identified” health information is not protected by HIPAA.[11]  However, de-identification is not as simple as removing a person’s name, address, year of birth, etc., from the health data.[12]  De-identification is only achieved when there is no information that can create a reasonable basis to believe it can be used to identify the individual.[13]

A third issue to consider is whether the health data being collected will be used for one of the several uses specifically permitted under HIPAA.[14]  Permitted uses include, among others, public interest and benefit activities, which include research and disclosures necessary to prevent serious threats to health or safety.[15]

Finally, the use of health data collected by these devices may be permitted under HIPAA if the person supplying the data consented to its use.[16]  However, the consent needs to be sufficient.  For example, under HIPAA, the individual’s consent must be in writing, in plain terms, be specific about the information to be disclosed and to whom, and provide an expiration date and a right to revoke permission.[17]

Stretchable electronics, wearable technologies and microchips will provide rapid electronic exchange of health information.  These technologies will likely make the health industry more effective and efficient.  However, organizations planning to use the health information collected by these devices should carefully consider HIPAA and the Privacy Rule before doing so.



[1] Quentin Hardy, Big Data in Your Blood, Bits, NY Times.com (Sept. 7, 2012, 10:37 AM), http://bits.blogs.nytimes.com/2012/09/07/big-data-in-your-blood. See also David Talbot and Kyanna Sutton, Making Stretchable Electronics, technology review (Aug. 21, 2012), http://www.technologyreview.com/demo/428944/making-stretchable-electronics; Robert T. Gonzalez, Breakthrough: Electronic circuits that are integrated with your skin, tecca, http://www.tecca.com/news/2011/08/12/breakthrough-electronic-circuits-that-are-integrated-with-your-skin/#uW441jvxJhsYfpO3.03 (last visited Sept. 22, 2012).

[2] Id.

[3] Id.

[4] Id.

[5] Pub. L. No. 104–191, 110 Stat. 1936 (1996).

[6] 45 C.F.R. pts. 160, 162, 164 (2011), available at http://www.gpo.gov/fdsys/pkg/CFR-2011-title45-vol1/pdf/CFR-2011-title45-vol1.pdf.

[7] 45 C.F.R. §§ 160.102, 160.103.

[8] 45 C.F.R. § 160.404.

[9] 45 C.F.R. §§ 160.102, 160.103.

[10] Id.

[11] 45 C.F.R. §§ 164.502(d)(2), 164.514(a).

[12] 45 C.F.R. § 164.514(a) & (b).

[13] Id.

[14] 45 C.F.R. § 164.502(a)(1).

[15] 45 C.F.R. §§ 164.502(a)(1), 164.512.

[16] 45 C.F.R. § 164.508.

[17] 45 C.F.R. § 164.508(c).

Author: Brian Scott

Brian Scott is a Senior Editor for the Rutgers Computer & Technology Law Journal. He attends Rutgers School of Law-Newark part-time in the evenings and will be graduating in May 2013. By day, Brian is a human resources manager for a State university where he specializes in employee/labor relations. He also volunteered during the summer last year as a part-time intern in the Trial Unit of the Union County Prosecutor’s Office. Prior to attending law school, Brian earned a B.S. in Management Science from Kean University and a Certificate in Paralegal Studies from Fairleigh Dickinson University. He is a member of the Law Student Divisions of the New Jersey State Bar Association and the American Bar Association.
