Doctor-ordered data on patients’ heart rates, tracked steps, and breathing or sleep patterns may be shared with insurers and other health companies because of a loophole in the health data privacy law.

The makers of heart monitors, blood glucose meters, and continuous positive airway pressure sleep machines faced backlash in 2018 after media reports said they shared data with third-party companies and insurers without the user’s knowledge.

It may be surprising, but the companies’ use of that data is entirely legal. Those companies aren’t covered by the Health Insurance Portability and Accountability Act of 1996, said Jordan T. Cohen, an associate with Mintz, Levin, Cohn, Ferris, Glovsky and Popeo P.C.

Device manufacturers typically have their own privacy policies that say they won’t sell patients’ data but may share the information with third parties, usually parties involved in patient care.

The law protects most health information that’s linked to a specific person, but device makers fall outside the law’s reach. The law covers only data held by health-care providers, health plans, and the clearinghouses that process billing in the industry, along with the business associates that handle data on their behalf.

That means device businesses such as Boston Scientific Corp. and Medtronic PLC have more freedom to share patients’ data than hospitals or doctors’ offices.

“When an organization that is not regulated by HIPAA obtains health information, they do not have to comply with HIPAA’s privacy protections that prohibit use and disclosure of the data,” Cohen said.

“So, in most cases, when an individual hands over their health data to a device company, that company is not prohibited from disclosing that data to other entities. This gives device companies a lot of leeway in terms of what they can do with health information they obtain.”

Data Transfers

The data is usually transferred only to the physician who prescribed the device, according to Cathryn Donaldson, a spokeswoman for America’s Health Insurance Plans, a trade group representing insurers.

“If there are instances where information is shared with insurance providers from medical device manufacturers, that data is used to ensure patients are getting the best care possible and are using the medical devices as intended,” she said.

“Health insurance providers often work very closely with care providers, including employing physicians and nurses, to develop value-based arrangements that improve care quality for patients,” she added.

Boston Scientific says it doesn’t provide device data to insurers. Its privacy policy warns, however, that a patient’s data could be shared with other parties without additional notice. The parties could be contractors or market researchers.

Read the Fine Print

Patients may not realize they have authorized data sharing, even though privacy policies are attached to both the product and the company’s apps, according to Sara Jodka, a member at Dickinson Wright LLP.

“It’s not that patients don’t receive notifications of what they’re signing up for and, more importantly, what type of monitoring they are agreeing to by registering a device, but they may not know or understand what they are agreeing to when they agree to accept an app’s terms and conditions,” Jodka said. “The problem is that the policies tend to be long and people bypass reading them, despite the implications.”

Privacy policies—which list what’s collected, how it’s done, why, and who it’s shared with—can be found on the device makers’ websites or in the device’s phone app.

Boston Scientific collects personal data from patients using its devices—such as name, email address, or phone number—if that information has been voluntarily given to the company. Medtronic collects personal data for all patients but won’t share it without permission.

Data covered by these policies can also include a patient’s medical condition, age, gender, location, and transaction history. It can be used to schedule doctor’s appointments, notify patients of product updates, and send surveys for research.

Joint Ventures May Trigger Protections

The only way a device company is covered by HIPAA is if it partners with a health insurer, provider, or billing clearinghouse. If a device company builds an app for a hospital and the hospital’s patients use it, for example, HIPAA’s obligations may extend to the device company, Cohen said.

“If you upload your health data to the device company’s app, you are handing over health information to an entity that is not subject to HIPAA,” he said. “The analysis is more complicated if an entity regulated by HIPAA, such as a hospital, commissions the device company to create an app for the hospital’s patients. That arrangement can cause the device company to become the hospital’s business associate, thereby subjecting it to HIPAA.”

Those joint ventures are rare in the industry, however, which means device companies typically remain outside the health privacy law’s reach.