The Information Society

An International Journal

ISSN: 0197-2243 (Print) 1087-6537 (Online) Journal homepage: https://www.tandfonline.com/loi/utis20

Wearable devices and healthcare: Data sharing

and privacy

Syagnik (Sy) Banerjee, Thomas Hemphill & Phil Longstreet

To cite this article: Syagnik (Sy) Banerjee, Thomas Hemphill & Phil Longstreet (2018) Wearable
devices and healthcare: Data sharing and privacy, The Information Society, 34:1, 49-57, DOI:
10.1080/01972243.2017.1391912

To link to this article: https://doi.org/10.1080/01972243.2017.1391912

Published online: 27 Dec 2017.

Submit your article to this journal

Article views: 3075

View related articles

View Crossmark data

Citing articles: 24 View citing articles

Full Terms & Conditions of access and use can be found at

https://www.tandfonline.com/action/journalInformation?journalCode=utis20
THE INFORMATION SOCIETY
2018, VOL. 34, NO. 1, 49–57
https://doi.org/10.1080/01972243.2017.1391912

Wearable devices and healthcare: Data sharing and privacy

Syagnik (Sy) Banerjee, Thomas Hemphill, and Phil Longstreet
School of Management, University of Michigan, Flint, Michigan, USA

ABSTRACT ARTICLE HISTORY

Wearable devices introduce many new capabilities to the delivery of healthcare. But wearables also Received 28 October 2016
pose grave privacy risks. Furthermore, information overload gets in the way of informed consent by Accepted 14 September 2017
the patient. To better protect American patients in an increasingly digital world, the U.S. Congress KEYWORDS
passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This article HIPAA; informed consent;
examines the adequacy of HIPAA vis-
a-vis issues raised by wearable technologies in the Internet of Internet of Things; privacy;
Things environment and identifies policy gaps and factors that drive health data exposure. It regulatory policy; wearables
presents a 2 £ 2 Partnership-Identity Exposure Matrix, illustrates implications in four different
contexts, and provides recommendations for improving privacy protection.

Introduction
Wearable technologies are anticipated to have a major
impact in the health sector. With wearables like Vital
Connect’s Healthpatch MD, physicians can remotely
receive updates on patient’s vitals (Terry 2014). For
patients with amyotrophic lateral sclerosis (ALS) or
other neurodegenerative diseases, wearables under devel-
opment could scan their brainwaves, thoughts, feelings,
and expressions and generate alerts and commands to
electronic devices in the room (e.g. televisions, lighting)
(Blum and Dare 2015). Wearable devices are also chang-
ing healthcare for obesity, cardiovascular diseases,
asthma, and Alzheimer’s and also in-hospital monitor-
ing. They enable better patient monitoring, drug man-
agement, asset monitoring, tracking, and early medical
interventions. In general physicians, insurers, patients,
and caregivers are anticipated to have unparalleled access
to information (FTC Staff 2015).
But wearables also pose grave privacy risks, with
potentially very serious consequences, including reduc-
tion in life chances. On the one hand, companies can
gather and trade data gleaned from smartphone sensors
and wearables to learn of moods, stress levels, habits,
well-being, sleep patterns, exercise, movement, etc. to
make credit, insurance, and employment decisions
compromising privacy and possibly even resulting in
barriers to healthcare. On the other hand, information
overload gets in the way of informed consent (Cate and
Mayer-Sch€ onberger 2013). The value of personal
information is often not known when it is collected (i.e.,
when notice and consent are normally given); also the
relationship between users and processors of personal
data has become increasingly complicated, as datasets
are combined, transferred, shared, or sold. Consent noti-
ces that do not disclose identity of third parties who can
access user data forestall consumers’ ability to provide
genuinely “informed” consent. Additionally, consent
notices are often written so broadly, or in such volumi-
nous detail, that they inhibit the user’s comprehension,
and thus render “conscious choice” meaningless. Such
notices, which create the illusion of consent, often
distract users from their own privacy protection
(Cate 2010). In effect, consumers do not really share but
“surrender” information (Walker 2016).
Data collected by healthcare wearables are subject to
various legal protections. There are sector specific laws,
such as the Americans with Disabilities Act, Children’s
Online Privacy Protection Act, and Fair Credit Reporting
Act, not to mention federal and state laws on access to
healthcare insurance and consumer discrimination. On
the regulatory front, the U.S. Food and Drug Adminis-
tration (FDA) regulates medical devices but not wearable
devices, although there have been calls to include wear-
able devices in FDA’s regulatory purview (Future of Pri-
vacy Forum 2016). To better protect patients in an
increasingly digital world, the U.S. Congress passed the
Health Insurance Portability and Accountability Act of
1996 (HIPAA). This article examines the adequacy of

CONTACT Syagnik (Sy) Banerjee syban@umflint.edu School of Management, University of Michigan, 2120 Riverfront Center, 303 East Kearsley Street,
Flint, Michigan 48502-1950, USA.
Published with license by Taylor & Francis. © Syagnik (Sy) Banerjee, Thomas Hemphill, and Phil Longstreet
50 S (SY) BANERJEE ET AL.
HIPAA vis-
a-vis issues raised by wearable technologies
in the Internet of Things (IoT) environment.1
The rest of the article proceeds as follows: first, a
healthcare IoT technologies taxonomy is presented;
second, the interests of different stakeholders in the
IoT ecosystem are identified and explained; third, the
factors driving health data exposure are analyzed;
fourth, implications in different types of scenarios are
drawn; and last, recommendations are offered to
improve privacy protection.
Wearables in healthcare
Applying the framework proposed by Healey, Pollard,
and Woods (2015), healthcare devices are categorized
as Wearable Health Monitoring Devices, Medical
Wearable Devices, Medical Embedded Devices, and
Stationary Medical Devices (see Figure 1 below). Wear-
able health monitoring devices are consumer products
(e.g., Fitbit, Fuelband, etc.). Medical wearable devices
are prescribed devices (e.g., insulin pumps). Medically
embedded devices are implanted into the body (e.g.,
pacemakers) (Taylor 2016). Stationary medical devices
are designed for use in a specific physical location (e.g.,
chemotherapy dispensing stations for home-based
healthcare). Each of the devices in the aforementioned
categories has some of following attributes: Identifica-
tion (serial number to provide positive identification of
the user), location (geospatial coordinates), sensing
(sensors that produce alert warning signals), and con-
nectivity (ability to connect with other devices and
share information) (Dohr et al. 2010).
The wearable healthcare device market is forecasted to
save 1.3 million lives annually (Dolan 2014b) and grow
to $72.7 billion by 2021 (Malik 2016). As the demand for
these IoT wearable devices has increased in both con-
sumer and medical markets, the number of entities inter-
ested in them has also increased. They are broadly
categorized as Healthcare, Bystander Beneficiaries,
Figure 1. Healthcare Devices Typology.
Hardware and Infrastructure, and Watchdogs. The
Healthcare IoT entities are those that are directly
involved in the use of devices in medical treatments.
They include healthcare providers (e.g., doctors, hospi-
tals, and laboratories) and also patients who consent to
the use of these devices. Bystander Beneficiaries IoT enti-
ties are those that seek to capture market value by utiliz-
ing advances in healthcare and well-being related IoT
technologies without investing in the delivery process
(e.g., employers, insurance companies, data brokers, and
marketers). In other words, they are users of the infor-
mation provided by the IoT devices and are neither
involved in the manufacturing, selling, or supporting the
IoT devices, nor information creation or delivery pro-
cess. Infrastructure IoT entities are those that make, sell,
support, facilitate, or connect the devices (e.g., device
manufactures, infrastructure providers, tech support
providers, and app developers). Finally, Watchdog IoT
entities are primarily interested in ensuring that technol-
ogy specifications and ethical practices are met and
employed in use of IoT technologies (e.g., Food and
Drug Administration, Federal Trade Commission, and
Future of Privacy Forum).
Several organizations have initiated corporate well-
ness programs, which include use of wearable devices.
Oscar Heath Insurance has offered its customers $1
credit towards an Amazon gift card every time they
reach a daily step count goal (Bertoni 2014). Cigna has
distributed armbands to thousands of its employees.
Self-insured employers, like Autodesk, have purchased
Fitbit trackers and distributed them to their employees
(Olson, 2014). Oil giant BP has provided incentives to
employees for wearing Fitbit and permitting the com-
pany to track their daily work steps (Olson 2014).
Some employers are using Wildflower, an application
for pregnant women to measure weight gain at preg-
nancy milestones, to reduce maternity-related medical
costs (Olson 2014). Conversely, some companies are
using punitive measures to change behavior. For
example, stickK believes that taking away wellness
points, a disincentive, is more effective than offering
rewards (Olson 2014). Some self-insured companies
are planning to add a $50 surcharge to insurance pre-
miums of employees who smoke. CVS has been charg-
ing employees $50 per month who refuse to report
weight, body fat, cholesterol, blood pressure, and sugar
levels. Overall, improved wellness compliance is
emerging, but raises vexing ethical questions about the
use of the data being captured.
Such efforts rest on the assumption that the increasing
health costs are a product of individual lifestyle choices.
In contrast, there exists another perspective that takes a
systemic view. In this perspective, supposed personal

“choice” is viewed by scholars as product of the environ-
ment (Alkon and Agyeman 2011; Langston 2010) and
ecologies that are “inescapable” (e.g., prenatal exposure
to toxins can lead to outcomes like obesity) (Nash 2006).
Guthman (2011) argues that obesity is a symptom of a
greater problem which can only be solved by challenging
the cultural values or economic interests of powerful
entities that are invested in existing socioeconomic sys-
tems. Biltekoff (2007) goes a step further and urges indi-
viduals to make responsible choices for protecting their
own health instead of relying on government protections
and services, which are a product of neoliberal ideologies.
However, in practice, the individual lifestyle choices nar-
rative informs most analysis and recommendations
(Bipartisan Policy Center 2012; The Physicans Founda-
tion 2012).
Health Insurance Portability and Accountability
Act
The Health Insurance Portability and Accountability Act
of 1996 or HIPAA (U.S. Government Publishing Office
2013), Public Law 104–191, was enacted on August 21,
1996. Sections 261 through 264 of HIPAA require the
U.S. Secretary of Health and Human Services (HHS) to
publicize standards (also known as Administrative
Simplification provisions) for the electronic exchange,
privacy, and security of patient health information. The
HHS Standards for Privacy of Individually Identifiable
Health Information administrative rule (“Privacy Rule”)
were published on August 14, 2002 in the Code of the
Federal Register (@45 CFR Part 160 and Part 164).
The primary goal of the Privacy Rule is to protect
patients’ health information while allowing the flow of
such information to “covered entities”, i.e., healthcare
providers, health plans, healthcare clearinghouses,
and relevant associates (U.S. Department of Health and
Human Services 2003). In addition, HHS also published
the Security Standards for the Protection of Protected
Electronic Health Information (“Security Rule”), which
establishes a national set of security standards for pro-
tecting certain health information that is held or trans-
ferred in electronic form (Scholl et al. 2008). A major
goal of the Security Rule is to protect the privacy of
patients’ health information while allowing covered enti-
ties to adopt new technologies to improve the quality
and efficiency of patient care.
Obtaining written permission from individuals to use
and disclose their protected health information for treat-
ment, payment, and healthcare operations is optional
under the Privacy Rule for all covered entities (U.S.
Department of Health and Human Services 2003). How-
ever, HIPAA, and specifically the Privacy Rule, requires
THE INFORMATION SOCIETY 51
that a covered entity must obtain the patient’s written
authorization for any use or disclosure of protected
health information that is not for treatment, payment,
healthcare operations or otherwise permitted or required
by the Privacy Rule (U.S. Department of Health and
Human Services 2003).
On the surface, it seems that for patients receiving
treatment from a healthcare provider use of wearable
devices to monitor their health, any data shared with busi-
ness associates are well protected, as per the Privacy Rule
(@45 CFR 164.504(e)). Business associate functions and
activities include: claims processing or administration;
data analysis, processing, or administration; utilization
review; quality assurance; billing; benefit management;
practice management; and repricing. Business associate
services include legal, actuarial, accounting, consulting,
data aggregation, management, administrative, accredita-
tion, and financial.
Similarly, under Title XIII of the American Recovery
and Reinvestment Act of 2009, the Health Information
Technology for Economic and Clinical Health
(“HITECH”) Act has security requirements. For exam-
ple, it requires business associates to comply directly
with Security Rule provisions directing implementation
of administrative, physical, and technical standards for
electronic protected health information; develop, enforce
policies and documentation standards; report noncom-
pliance and terminate contracts with noncompliant enti-
ties; and requires HSS to conduct compliance audits.
However, different problems emerge as far as wearable
devices and adequacy of HIPAA are concerned. Much of
the data leakage occurs due to policy gaps, explicit policy
violations, as well as legal but self-interest driven market-
place behavior by covered entities.
Factors increasing health data exposure
In this section, we identify and discuss factors that drive
the exposure of personal health data. This understanding
is necessary for developing effective remedies.
1. HIPAA
i) Conditionality of protection: According to the Pri-
vacy Rule (@45 CFR 160.103), a business associate
is defined as a person or organization that per-
forms certain functions or activities that involve
the use of disclosure of protected health informa-
tion on behalf of, or provides services to, a covered
entity. In other words, a wearables manufacturer
or distributor that neither provides services to any
covered entity, nor uses or discloses information
on behalf of a covered entity, can be subject to the
52 S (SY) BANERJEE ET AL.
compliance requirements of business associate
defined under HIPAA. Despite additional regula-
tory safeguards initiated by the healthcare sector,
such as the Omnibus Rule, increased penalties,
breach notification standards, and incorporation
of added protected health information (PHIs)
(U.S. Government Publishing Office 2013), they
continue to apply to business associates, and
mHealth technologies remain “noncovered enti-
ties” (NCEs). Even if a doctor endorses a particular
app, or even if healthcare providers and app devel-
opers enter into interoperability arrangements,
HIPAA does not protect consumer data. The sta-
tus of a wearable manufacturer–distributor
depends on whether its participation has been
contracted by the healthcare provider for patient
management services. If the contract indicates that
the wearable device manufacturer engages in
transmission of data on behalf of the healthcare
provider, the manufacturer is considered a covered
entity. However, if a patient purchases a wearable
device from a retailer, uses it and voluntarily
shares some results with his or her doctor, who
then responds with some advisory comments, the
company manufacturing the device is not a
HIPAA covered entity; consequently, the data col-
lected by the manufacturer is neither bound by
nor protected under HIPAA. This situation is sim-
ilar to sharing data after an automobile accident,
when both the healthcare insurer and automobile
insurer receive medical bills. One can be bound by
HIPAA, the other may not, because the health
insurer has not partnered and endorsed the auto-
mobile insurer under its own line of business.
When the HIPAA guidelines were developed, the
increasing diffusion of mobile wearables and sub-
sequent proliferation of third party entities were
not foreseen as a potential complication. The only
way to make wearable device manufacturers or
distributors conform to HIPAA laws is to have
them partner with covered entities.
ii) Protected data types: Applicability of HIPAA
depends on what fields of information are being
collected and shared. The HIPAA Privacy Rule
protects most “individually identifiable health
information”, such as medical records, laboratory
reports, and hospital bills, because they can iden-
tify the patient by name. The University of
California, San Francisco, uses eighteen criteria
defining healthcare data covered under HIPAA
(Lee 2015), which includes names, geographical
markers smaller than a state (street address,
county, and zip code), elements of dates directly
related to a person (birth, admission, and dis-
charge), phone, fax and e-mail, social security
numbers, numbers related to medical records,
health plan beneficiary, accounts, certificates and
licenses, vehicle identifiers, license plates, IP
addresses, device identifiers, web URLs, biomet-
ric identifiers, and photographic images. How-
ever, many fields of information that appear to
be private, such as blood pressure or sleep statis-
tics, can be shared separately as long as they are
not identified by unique personal information.
iii) Definition of unique identifiers: Collected health,
behavior data or variables can become unique
identifiers themselves, though not recognized or
categorized as PHI under HIPAA. At a data con-
ference in New York City, Ira Hunter, the CIA’s
Chief Technology Officer, said that a person can
be hundred percent guaranteed to be identified
simply by their gait, i.e., how they walk (Kelley
2013). In other words, gradually evolving fields of
behavioral data that we merely consider patterns
could be as unique as fingerprints, and therefore
personally identifiable.
iv) Ability to bypass identification: Even if the con-
cerned entity qualifies as a business associate that
is required to comply with HIPAA, in recogni-
tion of the potential usefulness of health informa-
tion when not identifiable, x164.502(d) of the
Privacy Rule allows a covered entity or its
business associate to create information that is
not individually identifiable by following the
deidentification standard and implementation
specifications in x164.514(a)-(b). If that is true,
identification can be achieved post-sharing, by
creating and tracking unique proxy combination
patterns, therefore in effect bypassing the privacy
rule.
2. E-discovery
Personal health data can be made accessible for legal
purposes. In 2014, a law firm in Calgary used activity
data from Fitbit to assess the effect of an accident on
their client in a personal injury case (Olson 2014). Simi-
larly, in 2015, a woman’s fitness watch disproved her
rape report (Snyder 2015). The entry of wearable device
data into judicial proceedings through e-discovery has
been facilitated by analytics platforms like Vivametrica,
which use public health records to compare a specific
person’s records with those of the general population.
Once used in judicial proceedings, this personal health
information can become part of publicly searchable
information under the Open Records Policy or Freedom

of Information Act. Though there can be exemptions to
preserve security and privacy, the provisions vary from
state to state (Solove 2002).
iv) Data sovereignty: Since most of the wearable
3. Data sharing modalities
i) Ambiguous legal status of shared data: The existing
public policy environment is ambiguous about the
future of shared data. If an entity legitimately
shares data with a firm (neutral, third party, or oth-
erwise) that undergoes a change in ownership or
bankruptcy, or enters bankruptcy, how is the col-
lected data to be treated? Should it be treated as a
firm-owned asset? In an end user license agreement
(EULA), terms and conditions of wearable devices
often indicate that in the event of the sale of their
company, or if in bankruptcy proceedings, the
company reserves the right to sell the data
(Maddox 2014). When Radio Shack underwent
bankruptcy, it requested the court to allow it to sell
data to pay off its creditors. AT&T and Apple filed
a motion to prevent the sale of data concerning
customers who had purchased Apple or AT&T
devices (Isidore 2015). Similar ambiguities exist
regarding status of federal government data, which
become very apparent when there is a change in
administration.
ii) Encryption and hardware connectivity: The exist-
ing encryption regime of wearable device or hard-
ware identifiers by manufacturers is inadequate.
Wearable devices are usually synced via Bluetooth
Low Energy to wirelessly connect to mobile devi-
ces or computers. Electronics firm Symantec con-
ducted an experiment where it built portable
Bluetooth scanners using Raspberry Pi minicom-
puters and readily available retail components,
which could be purchased and assembled for $75
by any person with basic IT skills. Using the
scanner, Symantec employees were able to scan
airwaves for signals broadcast from devices and
extract device hardware addresses and location as
well as other personal data (Barcena, Wueest, and
Lau 2014). While location in itself is not a data
field that is covered by HIPAA, when connected
to an identifier, air quality and pollution estimates
can inform audiences about the potential health
risks of the individual.
iii) Cloud storage vulnerability: Most wearable data
transferred between wearables and mobile devi-
ces are stored in “clouds.” Due to lack of associ-
ated physical space or control, cloud storage can
be vulnerable to breaches by hackers. In the first
quarter of 2015, approximately hundred million
THE INFORMATION SOCIETY 53
patient records, i.e., estimated by volume of
patient records, were compromised in the top six
attacks (i.e., by volume of compromised patient
records) (Munro 2015).
device applications store the generated data in
the cloud, there are a wide variety of national
laws determining how protected the data are and
how safely they are stored. Earlier, “safe harbor”
regulatory compliance with the European
Union’s data protection framework required data
processing entities to provide sufficient data pro-
tection guarantees “irrespective of their location.”
(Gibbs 2015) However, following the Snowden
revelations regarding U.S. intelligence agencies’
surveillance into commercial Internet services,
the European Union struck out the “safe harbor”
provision and the consequent move towards
adhering to domestic privacy policies could
impede the movement of data across borders
(Meyer 2016). Similarly, Indonesia introduced
Regulation PP 82/2012, which requires data ser-
vice providers to store the personal data of her
citizens within the country. Australia also insti-
tuted laws and regulations for such data carried
overseas. Moreover, more explicit rules are
expected to be issued by the EU General Data
Protection Regulation (Bradbury 2015). The
increasing push for data sovereignty and
adherence of domestic laws, as opposed to
international frameworks, could create data
vulnerabilities (Berry and Reisman 2012). For
instance, start-up application developers operat-
ing within tight budgets could sign up with cloud
storage providers operating from countries with
more “flexible”, i.e., less rigorous, regulations.
v) Data brokers: There is a large, disorganized data
broker industry that has evolved in the pursuit of
profits. In 2012, nine data broker firms analyzed
by the FTC generated $426 million in annual rev-
enue (Federal Trade Commission 2014). Unique,
personal information is a high-priced commod-
ity, and it is estimated that the information con-
tained in wearables stored on a smartphone or a
“cloud” is worth ten times that of credit cards in
a black market (Maddox 2015). A study by the
FTC found that twelve health applications that
were tested transmitted information to seventy-
six different third-parties (Dolan 2014a), some of
which were data brokers, who aggregate and sell
consumer data in the marketplace (Addonizio
2015). What is disturbing is that much of this
data consisted of unique device identifiers, social
54 S (SY) BANERJEE ET AL.
security numbers, demographics, court and pub-
lic records, travel, running routes, dietary habits,
sleep patterns, addresses, financial information,
full names, health information, location, date of
birth, and other similar personally identifiable
information (Privacy Rights Clearinghouse
2013).
vi) Corporate alliances: Organizations and insurers
demand so-called “granular” detailed informa-
tion, because more detailed behavioral profiles
offer insurers more accurate impressions of indi-
vidual health risks. There have been reports
about regional hospitals, insurers, and grocery
retailers collaborating to transform buyers’ gro-
cery purchase data into health risk profiles
(Sherbit 2015).
vii) Liability minimization: Employers who imple-
ment healthy work practices monitor employees
to ensure improved health and justify reduced
insurance premiums. In order to mitigate liabili-
ties related to storage and potential misuse of
data accrued while monitoring, employers often
introduce neutral third party firms, such as Stay-
well or Welltok, to help remove personal health
information from employee records (Firestone,
2014). There is a potential threat that such neu-
tral third-party firms can “feed” or join the data
broker industry to exacerbate misuse concerns
and liability.
4. End user license agreements
End user license agreements (EULAs), whose density
alone has a significant negative effect on a users’ willing-
ness to read and comprehend (B€ohme and K€opsell
2010), often overreach as they are designed without con-
sidering the legal enforceability of their terms and condi-
tions. In the process, a wide variety of terms that are not
legally enforceable are included into the EULA, further
undermining the users’ ability to understand what they
are consenting to when they start using the device.
Health data exposure contexts
In this section, we use Nissenbaum’s (2004) Contextual
Integrity Framework to detect ethical violations, the
existence of policy gaps, and provide recommendations.
To assess if storage or transfer of information violates
contextual integrity, one must examine four factors
(Nissenbaum and Patterson 2016): (1) the prevailing
context in which data is generated; (2) the key actors,
their roles and responsibilities; (3) key information
attributes;
and (4) principles of data transmission between
parties. These factors determine the norms of appropri-
ateness (whether it is appropriate for concerned entities
to access and store information at hand) and distribution
(when it is acceptable to share the same information with
external parties). We employ two factors—varying roles
and information attributes—from Nissenbaum and
Patterson (2016), to design a simple 2 £ 2 Partnership-
Identity Exposure Matrix (see Table 1 below) to map dif-
ferent scenarios of health data exposure.
We start by defining the family of terms included
under the umbrella of health information. Health
information (HI) is a broad term that includes both
protected health information (PHI), which contains
unique identifiers that can be directly linked back to
the patient, and de-identified health information
(DHI), which is not readily identifiable. Here it is
important to clarify that DHI is not necessarily anony-
mous data; in fact, data can vary from completely
anonymous to completely identifiable, differing on the
extent to which identification is preserved, masked, or
eliminated, based on the effort, skill, time, and cost
necessary for complete identification (Nelson 2015).
Often, a minimal level of identifiability is desired in
the data so that health researchers can combine data-
sets, or conduct effectiveness or policy analysis for
greater societal benefits. To define this safety standard
of identifiability, HIPAA’s Privacy Rule provides
specific guidelines for alternative methods of de-identi-
fication (HHS 2012), thus mitigating privacy risks for
patients and enabling safe data sharing practices.
Hence, data processed through the above methods for
de-identification, i.e., DHI, is considered safer to share
than PHI. Also, as described earlier, vendors and
device manufacturers who have partnered with health-
care service providers are subject to HIPAA regula-
tions as covered entities (CEs) or business associates
(BAs). Those who are not partnered are not subject to
HIPAA regulations, and are considered noncovered
entities (NCEs).
The following scenarios depict contexts where a wear-
able device manufacturer stores and shares HI with third
party data brokers. The scenarios vary on two factors.
Table 1. Partnership-Identity Exposure Matrix.
Partnership of Device Manufacturer with Healthcare Service Provider
Identity Exposure Level of Shared Health
Information
Shared DHI Shared PHI
Partnered CEs A (CE, DHI) B (CE, PHI)
Not Partnered NCEs C (NCE, DHI) D (NCE, PHI)

“Partnership” indicates whether or not the wearable
device manufacturer has been contracted by a healthcare
service provider for patient management services and, as
a result, plays the role of a CE or NCE; and “identity
exposure” indicates whether or not the shared data was
processed through a de-identification method prescribed
in the HIPAA privacy laws. Identity exposure level (DHI
or PHI) indicates whether or not a user is vulnerable to
identifiable information, and partnership status (CE or
NCE) indicates whether or not the user can avail legal
recourse in the event of harm.
Given these conditions, both scenarios A and C are
relatively low risk, since the user is not vulnerable in
either of these cases, whether they have legal recourse or
not. Scenario “B” is a concerning scenario, where PHI
has been shared with a third party data broker. However,
since the device manufacturer is a CE, the user has legal
recourse for any violation. Scenario “D” is the most con-
cerning because user PHI has been shared with a third
party data broker, making the user potentially vulnerable
to targeting or manipulation, and the device manufac-
turer is a NCE, hence the user has no legal recourse for
any potential harm.
We identify the device manufacturers as the primary
party and examine whether they should have access to
stored user HI, and then analyze whether they should be
allowed to share HI with third party data brokers. If a
device manufacturer is a CE, as a partner it functions as
an entity instrumental to healthcare service delivery,
which makes it appropriate to possess or store user HI.
However, in the case of an NCE, the manufacturer is not
required to be HIPAA compliant, because the NCE
strictly sells or maintains medical devices, but does not
create, transmit, or receive HI on behalf of any CE. Fur-
ther, if the entity is an NCE, it does not necessarily share
the missions/visions of healthcare providers, and conse-
quently, it does not need to comply with the norms of
the healthcare industry to which it does not belong.
Thus, the NCE device manufacturer can provide life-
style-related services, which involve storage of user
health/fitness related information, and its access to user
HI does not violate the norms of appropriateness because
it is not subject to HIPAA.
While it may be appropriate for a device manufacturer to
store HI, it does not imply the manufacturer has the right to
further distribute stored HI. HIPAA allows covered entities
to share HI only when it is not identifiable. In other words,
contextual integrity is violated when PHI, which are identifi-
able, are shared. Such violation of contextual integrity can
lead to informational harms (e.g., targeting of vulnerable
populations based on sensitive information), informational
inequality (e.g., data brokers wielding significant power over
the fates of individual users), and disruption of relationships
THE INFORMATION SOCIETY 55
(e.g., between service provider–client) among others (Nis-
senbaum 2004). Overall, scenario B illustrates a clear viola-
tion of contextual integrity, since the device manufacturer is
a covered entity (CE) that has shared identifiable PHI in
contradiction to the requirements of HIPAA. But the most
dangerous scenario is D, which can lead to user vulnerabil-
ity without offering legal recourse, thus becoming an ethical,
but not legal violation.
When HIPAA was enacted, healthcare service pro-
vider’s medical record documents were the primary, if
not the only, sources of health information. This is the
reason why nonhealthcare entities were not included in
the purview of the law. However, increased penetration
of technologies capable of generating PHI, the lack of
laws to protect user data from NCEs, and the increasing
diversity of nonhealthcare providers with access to such
information, have together increased the risks of con-
sumer data breaches and misuse. In that light, transfer of
PHI from NCEs requires greater scrutiny.
Recommendations
Ideally, many of the problems with sharing of health data
would be addressed by the industry itself. Forms of
industry self-regulation range from “pure” self-regula-
tion, where there is no government or other stakeholder
involvement in the private regulatory process, to public
standard-setting or pricing and output setting, where
there is a high level of direct government oversight
(Garvin 1983). However, the greatest potential for
industry self-regulation resides with a mixed form of
industry rule-making and government oversight (Gupta
and Lad 1983). We therefore make the following
recommendations:
1. The U.S. Department of Health and Human Serv-
ices should create a “watchdog” unit that is charged
with identifying and monitoring types of new
behavioral data that can be captured by wearable
technology. Such a unit should examine the extent
to which data enables user identifiable. If it is high,
this type of data should be added to HIPAA’s list
of unique identifiers. In general, this list should be
at minimum annually updated.
2. The FTC should require NCE device manufac-
turers, based on the section 5 of the FTC Act, to
“prevent unfair or deceptive acts or practices in or
affecting commerce” to record and track any trans-
actions involving sharing, sale, or distribution of
information that would be considered PHI under
HIPAA, and appoint third party agencies or
experts to assess and certify parties buying data
from NCE device manufacturers.
56 S (SY) BANERJEE ET AL.
3. While the EEOC already provides guidelines for
operating employee wellness programs and volun-
tary (and not mandatory) transmission of data
from employees to employers, it should also moni-
tor the aggregate insurance premiums of partici-
pants over time to ensure that employees are not
discriminated against.
4. Manufacturers should develop identification proto-
cols for detecting sensitive information and give it
enhanced protection in routing, usage, and storage
using encryption and other techniques. They
should also develop mechanisms for alerting the
user.
Note
1. The Internet of Things consists of billions of smart devices
communicating with each other. It comprises of “‘things’
such as devices or sensors—other than computers, smart-
phones, or tablets—that connect, communicate, or trans-
mit information with or between each other through the
Internet” (FTC Staff 2015). This networked system of con-
versing devices and products is growing exponentially
from an estimated two billion devices in 2006 to a fore-
casted fifty billion by 2020 (Evans 2011).
References
Addonizio, G. 2015. The privacy risks surrounding consumer
health and fitness apps, associated wearable devices, and
HIPAA’s limitations. South Orange, NJ, USA: Seton Hall
Law (Paper 861). Retrieved from http://scholarship.shu.
edu/student_scholarship/861
Alkon, A. H., and J. Agyeman. 2011. Cultivating food justice:
Race, class, and sustainability. Cambridge, MA, USA: MIT
Press.
Barcena, M. B., C. Wueest, and H. Lau. 2014. How safe is your
quantified self. Mountain View, CA, USA: Symantec.
Retrieved from https://www.symantec.com/content/dam/
symantec/docs/white-papers/how-safe-is-your-quantified-
self-en.pdf
Berry, R., and M. Reisman. 2012. Policy challenges of cross-bor-
der cloud computing. United States International Trade Com-
ission, Journal of International Commerce and Economics,
Web Version, pp. 1–38. Retrieved from https://www.usitc.
gov/journals/policy_challenges_of_cross-border_cloud_com
puting.pdf
Bertoni, S. 2014, December 8. Oscar Health using misfit wear-
ables to reward fit customers. Retrieved April 23, 2017,
from http://www.forbes.com/sites/stevenbertoni/2014/12/
08/oscar-health-using-misfit-wearables-to-reward-fit-cus
tomers/
Biltekoff, C. 2007. The terror within: Obesity in post 9/11 U.S.
life. American Studies, 48(3), 29–48.
Bipartisan Policy Center. 2012. What is Driving U.S. Health
Care Spending. America’s Unsustainable Health Care Cost
Growth. Washington, DC: Bipartisan Policy Center.
Blum, B., and F. Dare. 2015. Enhancing Clinical Practice with
Wearables: Innovations and Implications. Arlington, VA,
USA: Accenture.
B€ohme, R., and S. K€opsell. 2010. Trained to accept? A field
experiment on consent dialogs. In Proceedings of the SIGCHI
conference on human factors in computing systems (pp.
2403–6. New York, NY, USA: ACM.
Bradbury, D. 2015, December 17. After safe harbour: Navigat-
ing data sovereignty. Retrieved October 6, 2016, from
http://www.theregister.co.uk/2015/12/17/navigating_data_
sovereignty/
Cate, F. H. 2010. Protecting privacy in health research: The
limits of individual choice. California Law Review, 96(2),
1765–803.
Cate, F. H., and V. Mayer-Sch€onberger. 2013. Notice and con-
sent in a world of Big Data. International Data Privacy
Law, 3(2), 67–73.
Dohr, A., R. Modre-Osprian, M. Drobics, D. Hayn, and G.
Schreier. 2010. The Internet of Things for ambient assisted
living. ITNG, 10, 804–9.
Dolan, B. 2014a, May 23. In-Depth: Consumer health and
data privacy issues beyond HIPAA. Retrieved October
24, 2016, from http://www.mobihealthnews.com/33393/
in-depth-consumer-health-and-data-privacy-issues-
beyond-hipaa
Dolan, B. 2014b, December 16. Prediction: Health wearables to
save 1.3 million lives by 2020. Retrieved October 24, 2016,
from http://www.mobihealthnews.com/39062/prediction-
health-wearables-to-save-1-3-million-lives-by-2020
Evans, D. 2011, April. The Internet of Things: How the Next
Evolution of the Internet Is Changing Everything. Cisco,
IBSG. Retrieved from http://www.cisco.com/c/dam/en_us/
about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf
Federal Trade Commission. 2014. Data Brokers: A Call for
Transparency and Accountability. Washington, DC, USA.
Retrieved from https://www.ftc.gov/system/files/docu
ments/reports/data-brokers-call-transparency-accountabil
ity-report-federal-trade-commission-may-2014/140527data
brokerreport.pdf
Firestone, C. M. 2014. Developing policies for the Internet of
Things, background materials. Twenty-Ninth Annual Aspen
Institute Conference on Communications Policy.
FTC Staff. 2015. Internet of Things: Privacy and security in a
connected world. Technical report, Washington, DC, USA:
Federal Trade Commission.
Future of Privacy Forum. 2016. FPF Mobile Apps Study. Wash-
ington DC, USA: Future of Privacy Forum. Retrieved from
https://fpf.org/wp-content/uploads/2016/08/2016-FPF-
Mobile-Apps-Study_final.pdf
Garvin, D. A. 1983. Can industry self-regulation work? Califor-
nia Management Review, 25(4), 37–52.
Gibbs, S. 2015, October 6. What is “safe harbour” and why did
the EUCJ just declare it invalid? The Guardian. Retrieved
from https://www.theguardian.com/technology/2015/oct/
06/safe-harbour-european-court-declare-invalid-data-pro
tection
Gupta, A. K., and L. J. Lad. 1983. Industry self-regulation: An
economic, organizational, and political analysis. Academy
of Management Review, 8(3), 416–25.
Guthman, J. 2011. Weighing in: Obesity, food justice, and the
limits of capitalism (Vol. 32). Oakland, CA, USA: University
of California Press.

Healey, J., N. Pollard, and B. Woods. 2015. The Healthcare
Internet of Things: Rewards and Risks. Atlantic Council.
Retrieved from http://www.atlanticcouncil.org/publica
tions/reports/the-healthcare-internet-of-things-rewards-
and-risks
HHS. 2012. Guidance regarding methods for de-identification
of protected health information in accordance with the
Health Insurance Portability and Accountability Act
(HIPAA) Privacy Rule. Retrieved April 28, 2017, from
https://www.hhs.gov/hipaa/for-professionals/privacy/spe
cial-topics/de-identification/index.html
Isidore, C. 2015, May 15. Apple, AT&T fight sale of Radio-
Shack customer data. Retrieved October 23, 2016, from
http://money.cnn.com/2015/05/15/news/companies/radio
shack-apple-att/index.html
Kelley, M. B. 2013, March 21. CIA Chief Tech Officer: Big Data
is the future and we own it. Retrieved October 23, 2016,
from http://www.businessinsider.com/cia-presentation-on-
big-data-2013-3
Langston, N. 2010. Toxic bodies: Hormone disruptors and the
legacy of DES. New Haven, CT, USA: Yale University Press.
Lee, K. 2015, July. Wearable health technology and HIPAA:
What is and isn’t covered. Retrieved October 23, 2016,
from http://searchhealthit.techtarget.com/feature/Wear
able-health-technology-and-HIPAA-What-is-and-isnt-cov
ered
Maddox, T. 2014, July 3. The scary truth about data security
with wearables. Retrieved October 23, 2016, from http://
www.techrepublic.com/article/the-scary-truth-about-data-
security-with-wearables/
Maddox, T. 2015, October 7. The dark side of wearables: How
they’re secretly jeopardizing your security and privacy.
Retrieved October 23, 2016, from http://www.techrepublic.
com/article/the-dark-side-of-wearables-how-theyre-
secretly-jeopardizing-your-security-and-privacy/
Meyer, D. 2016, February 25. Here comes the post-safe harbor
EU privacy crackdown. Retrieved October 24, 2016, from
http://fortune.com/2016/02/25/safe-harbor-crackdown/
Malik, M. A. 2016. Internet of Things (IoT) healthcare market
by component (Implantable sensor devices, Wearable sensor
devices, System and software), Application (Patient monitor-
ing, Clinical operation and workflow optimization, Clinical
imaging, Fitness and wellness measurement)—Global
Opportunity Analysis and Industry Forecast, 2014–2021.
Allied Market Research. Retrieved from https://www.allied
marketresearch.com/iot-healthcare-market
Munro, D. 2015, December 31. Data breaches in healthcare
totaled over 112 million records in 2015. Retrieved October
23, 2016, from http://www.forbes.com/sites/danmunro/
2015/12/31/data-breaches-in-healthcare-total-over-112-mil
lion-records-in-2015/
Nash, L. L. 2006. Inescapable ecologies: A history of environ-
ment, disease, and knowledge. Oakland, CA, USA: Univer-
sity of California Press.
Nelson, G. S. 2015. Practical implications of sharing data: A
primer on data privacy, anonymization, and de-identifica-
tion—Semantic Scholar. Semantic Scholar. Retrieved from
https://www.semanticscholar.org/paper/Practical-Implica
THE INFORMATION SOCIETY 57
tions-of-Sharing-Data-A-Primer-on-Nelson/8a091b5cc
4d3f861c0080d7b3ddf51b717244e6c
Nissenbaum, H. 2004. Privacy as contextual integrity. Wash. L.
Rev., 79, 119.
Nissenbaum, H., and H. Patterson. 2016. Biosensing in context:
Health privacy in a connected world. Quantified: Biosensing
Technologies in Everyday Life, ed. Dawn Nafus, 79–100.
Cambridge, London: The MIT Press.
Olson, P. 2014, June 19. Wearable tech is plugging into health
insurance. Retrieved October 23, 2016, from http://www.for
bes.com/sites/parmyolson/2014/06/19/wearable-tech-
health-insurance/
Privacy Rights Clearinghouse. 2013, July 15. Privacy Rights
Clearinghouse Releases Study: Mobile Health and Fitness
Apps: What Are the Privacy Risks? j Privacy Rights Clear-
inghouse. Retrieved October 23, 2016, from https://www.pri
vacyrights.org/blog/privacy-rights-clearinghouse-releases-
study-mobile-health-and-fitness-apps-what-are-privacy
Scholl, M. A., K. M. Stine, J. Hash, P. Bowen, L. A. Johnson, C.
D. Smith, and D. I. Steinberg. 2008. An introductory
resource guide for implementing the Health Insurance Porta-
bility and Accountability Act (HIPAA) Security Rule. Gai-
thersburg, MD: National Institute of Standards \&
Technology, U.S. Department of Commerce.
Sherbit. 2015, April 6. How insurance companies profit from
“wearables.” Retrieved October 23, 2016, from https://www.
sherbit.io/the-insurance-industry-and-the-quantified-self/
Snyder, M. 2015, June 19. Police: Woman’s fitness watch dis-
proved rape report. Retrieved October 23, 2016, from
http://abc27.com/2015/06/19/police-womans-fitness-
watch-disproved-rape-report/
Solove, D. 2002. Access and aggregation: Privacy, public records,
and the Constitution—viewcontent.cgi. Minnesota Law Review,
86. Retrieved from http://scholarship.law.gwu.edu/cgi/viewcon
tent.cgi?article D 2079&context D faculty_publications
Taylor, H. 2016, March 4. How the “Internet of Things” could
be fatal. Retrieved September 22, 2016, from http://www.
cnbc.com/2016/03/04/how-the-internet-of-things-could-
be-fatal.html
Terry, K. 2014. Mobile polysensors offer new potential for
patient monitoring. Medscape Medical News. Retrieved
from http://www.medscape.com/viewarticle/828637
The Physicans Foundation. 2012, November. Drivers of
Healthcare Costs White Paper. Boston, MA. Retrieved from
http://www.physiciansfoundation.org/focus-areas/drivers-
of-healthcare-costs-white-paper
U.S. Department of Health and Human Services. 2003. Sum-
mary of the HIPAA privacy rule. Washington, DC: Office
for Civil Rights. Retrieved from http://www.hhs.gov/hipaa/
for-professionals/privacy/laws-regulations/
U.S. Government Publishing Office. 2013, January 25. Federal
Register. Vol. 78, Issue 17. Office of the Federal Register,
National Archives and Records Administration. Retrieved
from https://www.gpo.gov/fdsys/granule/FR-2013-01-25/
2013-01073/content-detail.html
Walker, K. L. 2016. Surrendering information through the
looking glass: Transparency, trust, and protection. Journal
of Public Policy & Marketing, 35(1), 144–58.