On November 16, 2014, Forbes published an article about what appears to be the first case of using data from a fitness tracker in personal injury claim litigation. Simon Muller of McLeod Law in Calgary, whose client filed the lawsuit, says: “If you’ve been wearing the Fitbit monitors it’s likely you’ll see court applications to compel disclosure of that data.” Mathew Pearns, another Canadian lawyer, said that wearables could become “the black box” for the body.

It is not surprising that lawyers are seeking access to a new pool of personal data that might be useful to them. After all, there are many businesses, such as cell phone companies and social networks, that collect data in order to provide services and find themselves responding to legal requests from others who want the data for unrelated uses. What is interesting about fitness trackers is that many people wear them in order to get discounts on their health insurance through wellness programs. Let us take a look at the way the data pools produced by these devices are evolving and the rules that apply to them in the US.

The market

Until recently people bought and wore fitness trackers for their own personal reasons. These days, though, many employers and insurers are integrating these devices into their wellness programs and creating financial incentives for wearing them. Some employers buy fitness trackers in bulk and distribute or resell them to employees at a discount. Other employers hire wellness vendors that integrate their program management software with several different fitness trackers and allow employees to use the ones they prefer. Whether or not wellness programs improve health, financial incentives that increase employee participation in these programs certainly increase the amount of data that is being generated through fitness trackers.

Some market forecasters believe that wellness incentives provided by employers and health insurers are key to the growth of the fitness tracker market. To get more employers to choose their devices, some vendors have created sales forces dedicated to the corporate market. One device maker, Garmin, is creating a less expensive fitness tracker specifically for that market. This is because most consumers who purchase fitness trackers for themselves or receive them as gifts abandon them within a short time. According to one study, about a third of consumers stop wearing their fitness trackers within six months. However, if wearing a fitness tracker leads to a discount on health insurance or another financial incentive, people continue to wear them.

The data

Wearable fitness trackers can provide a treasure-trove of information about their users. Depending on the device, they may record time- and location-stamped records of sleep, exercise and biometrics such as blood pressure, body temperature or heart rate. The apps associated with the devices can be used to record food, water and alcohol consumption. Analytic algorithms can combine this data with public data, such as local weather, or type of building or business in a specific location, to reveal the types of places where the someone spends time; work, leisure and exercise patterns; categories of food places visited; and more. Employer-sponsored wellness programs can further enrich this data set with data from health risk assessments, biometric screenings, and other data obtained from the employer's health plan.

Wearable fitness trackers send their data to a variety of entities. A recent study by Symantec found that each of the trackers and apps they tested provided data about user and device behavior to between 5 and 14 Internet domains. The recipients include device and app makers, analytics companies, and in some cases social networks and marketers. When a fitness tracker is linked to a corporate wellness program, it transmits data to the wellness vendor as well.

The rules

In most cases, where employers provide wellness programs through health plans, the vendors that manage these programs operate as Business Associates on behalf of health plans and are subject to the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA). However, even when people wear fitness trackers in order to participate in HIPAA-regulated wellness programs, these devices continue to provide data to entities not covered by HIPAA. The rules applicable to this data are not entirely clear.

Fitness trackers and apps acquired by consumers for personal use are not subject to privacy regulation in the US. HIPAA generally does not apply because consumers are not “covered entities” under the law, and neither are device and app makers or various analytics companies. The Federal Trade Commission (FTC) can bring enforcement action against device and app makers for unfair or deceptive practices under the FTC Act, but it needs an allegation of wrongdoing in order to do so. The Food and Drug Administration (FDA) can only regulate devices and apps designated as medical devices, but most fitness trackers and apps are not considered to be medical devices. Therefore, it appears that fitness trackers and apps can collect and disseminate personal information with few constraints, even when incorporated into employer-sponsored wellness programs.

If you generate the data, they will come

Wellness programs can build an exceptionally detailed picture of an individual life. Subject to some legal limitations, these new data pools may be accessed by employers, law enforcement, divorce and personal injury lawyers, and others who discover their existence. As employers and health insurers increase financial incentives to get more employees to participate in wellness programs, the amount of data in these programs is growing. The Calgary case may be the first, but it surely will not be the last in which this type of data is used in new and, possibly, unexpected ways.

Originally published on LinkedIn on November 21, 2014