In the United States, federal laws give consumers limited protection over the sale of their personal health information by entities not covered by HIPAA.
This poses a significant problem for consumers who increasingly use devices and applications to help manage lifestyle, fitness and health. These devices collect significant amounts of personal information from users, including health and biometric data which, without their knowledge or consent, can then be lawfully sold on.
Feeding health information privacy concerns, the unconsented sale of health information may have serious long-term consequences for the development of digital health strategies.
At a federal level, US lawmakers are attempting to address this through a bi-partisan bill introduced into the Senate on November 18 by Senators Bill Cassidy, M.D. (R-LA) and Jacky Rosen (D-NV): The Stop Marketing And Revealing The Wearables And Trackers Consumer Health Data Act (aka the SMARTWATCH Data Act).
The bill is intended to prohibit the sharing of non-aggregated or non-anonymised consumer health information derived from consumer devices to information brokers or entities that will analyse the information for profit, or for whom the information will add value, unless:
- informed consent to the sharing has been provided by the consumer;
- the information is provided to a HIPAA-covered entity; or
- the information is provided to academic, medical or research institutions or non-profit organisations, for limited specified purposes, such as research.
There are further limitations on the transfer of the information to entities outside of the US.
It is worth noting that the definition of “consumer device” is far wider than the title of the bill would suggest, extending to any:
“commercially produced piece of equipment, application software, or mechanism that has the primary function or capability to collect, store, or transmit consumer health information.”
That’s a pretty broad definition and, by separate reference in the bill, will also include medical devices.
Coming at a time when large data players like Google and Ascension are seeking to capitalise on consumer health data to which they have (or will seek to get) access, the bill, if passed, may be seen as a welcome, albeit limited, intervention at US federal level in addressing health information privacy concerns.
The full text of the bill can be found at: https://www.congress.gov/bill/116th-congress/senate-bill/2885/text?q=%7B%22search%22%3A%5B%22Consumer+Health%22%5D%7D&s=2&r=2&overview=open#content