How are digital health and genetic testing companies managing your data? How are they regulated?

Health data commonly refers to data about patients that is collected in a clinical or research setting. However, various aspects of your health may be tracked by other types of companies.

Companies that manufacture fitness trackers and other wearables collect data on your heart rate, how well you sleep, the quality and type of physical activity that you do, and where you go. Other types of devices or applications might ask you to manually input data about the food you eat, its nutritional value, when you eat, your moods, your fitness goals, and more. These technologies are designed to incentivize you to follow health practices. By following healthier practices, it is believed that you will achieve better health outcomes. Similar to the risks associated with patient data, you are taking on the risk of these companies sharing your data with insurance payers, employers, or other service providers. Other risks include data breaches or re-identification of your data.

Consumer genomics companies may also collect your health data outside of a clinical setting. Research that is based on the study of an individual’s genes has enabled improved diagnostics, more effective therapeutic strategies, evidence-based approaches for demonstrating clinical efficacy, and better decision-making tools for patients and providers.

Companies that collect your genomic data offer insight into your ancestry and risk of developing rare diseases. Advances in technology have made it possible to analyze and store data on your entire genome sequence. Your individual genome is unique and is an identifier in that sense. However, you might share specific variants within your genome with other biological relatives. For these reasons, you should think of genetic and genomic data as health data when you consider the benefits and risks of sharing such data.

How is data collected by wearables and genetic testing companies protected under law?

Whether or not your data is being collected under the law will depend on the type of product and the context in which your data is collected:

  • Custom applications or medical devices: Data collected by your healthcare provider or health plan through a custom app or medical device are regulated to a certain degree. They have to comply with regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Full explanations of how your data is protected under HIPAA are available on this site here and here.
  • Mobile applications: Data collected by mobile applications connected to fitness trackers, heart rate monitors, are not regulated. Nor are data collected by weight management applications and mindfulness apps are not regulated.
  • Mobile devices and voice assistants: Data collected by mobile devices and voice assistants are not regulated.
  • Genetic data collected for research: Genetic data collected for the purpose of research or by gene data banks are regulated to a certain degree.
  • Genetic data collected by testing companies: Genetic data collected by genetic testing companies are not regulated in the US (except when they use the data for their own research purposes).

Certain products are regulated by rules of the Food and Drug Administration (FDA). However, this federal agency is more concerned about the safety and proclaimed uses of the products than the protection of individual health data.

When companies that collect and manage your data are not regulated, they are not required to observe the minimum requirements regarding your ‘protected health information’ (PHI) set out in HIPAA. It is possible that these companies have risk assessments and procedures to protect your security and privacy in place, but it is also possible that they do not have adequate safeguards. We discuss some ways that you can assess your privacy and security risks below.

Can the companies that collect my data through wearables share it without my permission?

When data is collected by digital health companies that are not regulated by HIPAA or other law, they can decide if they will share your data with other companies or organizations. Companies may provide some information about how they share your data in the privacy policies associated with their website or product. Common sharing practices offer varying levels of protection and include:

  • No sharing of data for commercial or marketing purposes: Apple wearables products typically adopt this standard, which means that the company does not share your health data with advertisers or third party data collectors. This does not guarantee that your data will remain private. For example, this sort of policy might not prevent your employer from accessing your health data if your wearable is connected with a company owned smartphone.
  • De-identified or aggregate data may be shared with anyone: Fitbit products often follow this practice which means that the company will strip your data of personal information such as your name, address, and other identifying data. They will then pool your data with that of other users of the product and share it with or sell it to other companies or researchers. You should be aware that you are assuming some level of risk because analytical technology today has advanced so much that it is often possible to de-anonymize data and trace individual patterns. This is particularly true of location data.
  • Sharing with affiliates who perform services for the company: Samsung products typically include this approach to sharing data. Since a company works with a range of affiliates, it is difficult to understand the types of companies with whom your data could be shared. This could include business affiliates who could target you with advertisements about their products.

For product specific assessment of sharing practices and privacy policies, please see Mozilla’s *Privacy Not Included buyer’s guide on wearables here.

What is my risk of exposure to data breaches when using a wearables product?

Your exposure to data breaches depends on the type of technology that your wearable is built on and the security practices of the company that manufactured it. For example, most companies use bluetooth technology in their wearables, but they apply different levels of encryption. Encryption at rest and in transit is thought to provide the most security from outside attacks. Further, you can use the security practices followed by the company that manufactured your device as another measure to help you evaluate your risk. If the company has a good system to manage vulnerabilities, you can be more comfortable with purchasing products from that company.

How can I evaluate the security and privacy risks of the wearables product I am considering buying?

Since data from wearables are not regulated by law, it is important for you to evaluate the risks and benefits for yourself. While there is no single framework to evaluate these products, organizations like the Mozilla Foundation have developed ratings for wearables from a security and privacy perspective. You can use the following metrics to evaluate the risks:

  • Sharing practices followed by the company: As discussed above, your data might not be shared at all for commercial purposes or could be shared in a de-identified format.
  • Collection of location and biometric data: Many of these products collect biometric and location data. The more of this data they collect, the greater your exposure.
  • User friendly privacy information: A company that allows you to easily access its privacy policy and explains the policy in language that you can understand is more likely to be committed to preserving your privacy.
  • Collection of unnecessary or excessive data: A product that automatically or manually collects data about you that is not required for the service it provides is riskier. For example, products that collect your location data even when you are not using them expose you to greater risk than products that collect only data that is required to power its technology or analytics
  • Encryption and updates: A product that adopts encryption at rest and in transit along with regular updates to its security infrastructure is more secure.
  • Strong passwords: Since wearables are typically connected to a mobile application, it is important that they follow strong password protection protocols.

What are the privacy risks in using genetic tests?

Your genetic code is unique to you, but it can also reveal specific traits of a larger group like your relatives. Your use of a genetic testing product can impact your known or unknown relatives without their consent. For example, genetic tests have been used to trace blood relatives of people whose DNA has been tested without those relatives’ consent. It has been used in criminal cases to identify relatives of people who have provided DNA samples to commercial companies.

Can genetic testing companies share my data without my permission ?

When data is collected by genetic testing companies that are not regulated by HIPAA they can decide whether or not to share your data with other companies or researchers. You should note that the research community is very interested in personal genetic data and often works with gene testing companies like 23andMe to access your data. Sometimes, these companies use your genetic data for research that they themselves conduct. Ideally, if they are sharing your data, they do so with your consent and in a de-identified format.

Even though healthcare providers also share your data for research, there is a difference in your risk exposure when genetic companies share your data in a de-identified format. This is because healthcare providers are subject to HIPAA requirements and have to ensure that the de-identification process follows certain minimum standards. Since genetic companies are not subject to HIPAA, they can follow less rigorous methods of de-identification and not provide enough information about their de-identification techniques.

Here are some factors you could consider when reviewing the privacy policies of genetic testing companies:

  • Research by the company: If your genetic data is used for research being conducted by the company, the company will have to at least follow the requirements of an independent review board under regulations governing human subject research (known as the ‘Common Rule’),
  • Sharing practices followed by the company: If your genetic data is being shared for commercial or advertising purposes, you are at most risk. This data could fall into the hands of employers or insurers. A company that proactively obtains your consent and shares data in a de-identified format for research purposes is likely to more effectively protect your privacy.
  • Security practices: While it is difficult to conduct an independent evaluation of a company’s security practices, a company that better communicates about its system for managing vulnerabilities and that has responded well to prior data breaches can be considered more favorably.

As a patient, how can I advocate for ethical use of consumer generated health data by companies?

As a patient, you can advocate for better industry guidelines and regulations to govern the use of consumer generated health data.

  • Legislation: You can advocate for comprehensive laws to regulate consumer-generated health data. The law will need to adopt uniform standards for consumer-generated data and ensure de-identification, consent, and sharing rules are adopted.
  • Industry-wide guidelines: Even with legislation in place, the private sector will need to coordinate its efforts to adopt best practices for preventing individual discrimination or group harm from misuse of health data. Companies should collaborate to produce a set of ethical guidelines that govern the use of patient-generated data. This framework could build on existing models such as the Future of Privacy Forum, Consumer Technology Association, or the CARIN Alliance.

Please read more on the potential approaches to regulating consumer generated data here.