Wearable medical devices and fitness apps collect valuable and very personal information about their wearers. Once collected, how is this data kept safe, and what measures can companies take to put the consumer in control while meeting data protection regulations and achieving their business goals?
Over the last few years, the trend for wearables has shown the potential benefits of transforming healthcare through digital technologies.
Alongside fitness trackers and smartwatches, there are also medical devices used to monitor a patient’s vitals and some even contain SIM cards to enable two-way communication.
Devices such as insulin pumps, heart pacemakers, and inhalers can track patient data in real time and transmit it to the user’s phone, an app, or their doctor, making the data immediately accessible and often keeping the patient out of the hospital.
However, this presents challenges for healthcare companies. They must now accommodate providers, patients, and third parties who have access to sensitive patient information, while ensuring security and informed consent at every stage of the journey.
Consent on how personal data is used and with whom it is shared is a common concern for consumers and regulators alike. A recent survey by Deloitte showed that in the US, 40% of consumers who used wearables such as fitness trackers had concerns about data privacy, rising to 60% when discussing medical data.
Alongside obtaining consent, any organization dealing with patient data must also ensure compliance with the necessary regulations. Data collection and storage may take place in different legal jurisdictions, spanning multiple platforms across countries with varying data protection laws. All of this requires flexibility and robustness in data management.
Where the data goes from wearable devices
Data collected from wearables is transmitted directly to a smartphone or computer before its eventual transfer to permanent data storage, which usually occurs in proprietary servers. From here, third parties can gain access to the data, provided they have the necessary permissions.
When it comes to where and how this data is stored, an added complexity for healthcare providers is that all of the individual user data won’t necessarily be stored in the same place. Building a complete picture of an individual can be challenging, with patient data coming from many different devices, systems, and touchpoints.
Another issue for data storage is cybersecurity, with the healthcare, pharma, and medical device sectors particularly susceptible to cyberattacks. With patient data being transmitted in real-time, medical device companies are now responsible for large amounts of sensitive electronic patient data.
Data protection laws
Consent within healthcare data is a complex issue. A lack of consent can lead to delayed treatment for patients, and penalties for companies if consent is not correctly recorded. From a legal standpoint, consent often has to be collected for each separate piece of data – for example, weight, blood pressure (BP), and heart rate.
While many of us may be happy to share our step-count with others, it’s a very different situation with medical data, which may be sensitive or affect health insurance. Conversely, many people are happy to share their information if they can see a direct benefit, such as a quicker diagnosis or treatment.
Regulations such as the EU’s GDPR, the US’s HIPAA, and California’s CCPA are in place to give people more control over what personal data a company can collect, store and share. Fines for non-compliance can be high, potentially running into millions of euros for breaches of GDPR or up to $50,000 for HIPAA in the US.
Managing data and consent for wearables
The only way for healthcare providers to keep pace with the vast amounts of data that needs to be processed and stored is by choosing a secure and flexible consent management platform (CMP). And ensuring that users have given consent for their data to be shared and used while also complying with international data regulations is where Cassie by Syrenis is a world leader.
Cassie is a CMP that works in real-time across numerous data sources from different platforms and devices, and is used by global healthcare providers. AWS-hosted, Cassie can process high volumes of data in real-time across highly regulated industries, while also managing complex relationships.
“Cassie sits in the middle of an organization. It allows you to deliver your privacy questions to a data subject,” says Glenn Jackson, CEO of Syrenis. “The data subject can choose how or if the organization can interact with them. That is built into these apps or websites over the user journey. And Cassie allows that data to build up over time.”
However, the main issue with obtaining consent is trust, says Igor Lopez, CMP solution expert at Syrenis.
“How you build trust is about transparency,” says Lopez. “You don’t just give the customer the option only to opt in or opt out, but you also provide granularity. It’s not just a blanket update, because there is often private information that the data subject may not want to share.”
Granular consent management enables individuals to establish specific privacy, access and usage directives. Lopez describes how that trust can lead to the customer giving consent for third-party use of their data.
“If you want to use that information – which is legitimate – you need to let your patient know and ask for their permission to do so,” he says. “Again, that it is about transparency and giving the customer options while building that trust.”
The issue of data coming from multiple devices is no problem for Cassie, says Lopez. “The key here is the multiple identifiers you need to have,” he says. “You need a CMP that allows consolidating data coming from different devices, which have different identifiers, and not just from one device.”
Using Cassie builds confidence for patients that their consent records are maintained safely, updated accurately, and accessible to the professionals who need to use them to meet their business goals.
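The following is an added illustration, not Cassie’s or Syrenis’s code, of the points made above: consent is recorded per piece of data and per recipient, several device identifiers resolve to one data subject, nothing is shared without an explicit record, and the latest choice wins so a withdrawal is honoured. All device ids, subject ids and records are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class ConsentRecord:
    category: str          # one piece of data, e.g. "heart_rate" or "blood_pressure"
    recipient: str         # who may receive it, e.g. "clinician" or "insurer"
    granted: bool          # True = opt-in, False = opt-out or later withdrawal
    recorded_at: datetime  # when the data subject made this choice

class ConsentStore:
    """Deny-by-default consent lookup, reachable from any of a subject's device ids."""

    def __init__(self, device_owner: dict[str, str]) -> None:
        self._owner = device_owner      # pump, watch, app id ... -> one data subject id
        self._consents: dict[str, list[ConsentRecord]] = {}   # subject id -> history

    def record(self, device_id: str, category: str, recipient: str,
               granted: bool, when: datetime) -> None:
        sid = self._owner.get(device_id)
        if sid is None:
            raise KeyError(f"unknown device {device_id!r}")
        self._consents.setdefault(sid, []).append(ConsentRecord(category, recipient, granted, when))

    def may_share(self, device_id: str, category: str, recipient: str) -> bool:
        sid = self._owner.get(device_id)
        if sid is None:
            return False                # unknown device: never share
        hits = [c for c in self._consents.get(sid, [])
                if c.category == category and c.recipient == recipient]
        if not hits:
            return False                # nothing recorded for this pair: no consent
        return max(hits, key=lambda c: c.recorded_at).granted   # latest choice wins

def demo() -> dict[str, bool]:
    # Constructed sample: one patient with two devices making granular, per-recipient choices.
    t = lambda h: datetime(2024, 1, 1, h, tzinfo=timezone.utc)
    store = ConsentStore({"pump-A1": "patient-0001", "watch-B2": "patient-0001"})
    store.record("watch-B2", "heart_rate", "clinician", True, t(9))
    store.record("pump-A1", "blood_pressure", "insurer", False, t(9))
    store.record("pump-A1", "heart_rate", "research_partner", True, t(10))
    store.record("watch-B2", "heart_rate", "research_partner", False, t(11))  # withdrawn
    return {
        "clinician_hr_via_pump": store.may_share("pump-A1", "heart_rate", "clinician"),
        "insurer_bp": store.may_share("watch-B2", "blood_pressure", "insurer"),
        "research_hr_after_withdrawal": store.may_share("pump-A1", "heart_rate", "research_partner"),
        "weight_never_asked": store.may_share("pump-A1", "weight", "clinician"),
        "unknown_device": store.may_share("phone-Z9", "heart_rate", "clinician"),
    }
```

Note that the consent given through the watch is found when the pump later asks, and that the research partner loses access the moment the later withdrawal is recorded, regardless of which device recorded it.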
Data Regulations: Ensuring Compliance with HIPAA
Businesses dealing with data around the world need to comply with the necessary regulations in specific jurisdictions to avoid significant fines from regulators. In the US, HIPAA regulations apply nationwide to protect highly sensitive information about the health of individual patients. Data may only be shared with the patient’s consent or agreement. These national standards are the Privacy Rule and the Security Rule.
While HIPAA became law in the pre-internet age, companies dealing with digital technologies must still make efforts to comply with its regulations. Complications may arise when multiple parties get involved with data gathering and management. These potentially grey areas must be understood and carefully navigated to ensure compliance throughout the data journey.
To learn more about HIPAA regulations and the best ways to ensure compliance, you can download our latest guide, Understanding HIPAA Compliance.