More employers are considering whether to encourage or even require employees to use wearables to reduce workplace injuries, lower workers’ comp claims and even lower health care benefit costs. But they should take note: any potential exposure to workers’ private health information could subject employers to rules under the Health Insurance Portability and Accountability Act (HIPAA).

Wearables such as Google Glass, smart safety helmets and any number of sensor-enabled devices can identify hazardous conditions on worksites such as toxic chemical fumes or equipment under excessive pressure. Employers are also looking into clothing that carry embedded biosensors, actuators and gyroscopes to follow movement, heart rate, stress level, fatigue, and countless other metrics … all of it connected wirelessly to mobile devices and computers.

But can the use of such devices expose employers to claims of HIPAA violations? What kind of due diligence will they need to do in order to ensure that their use of wearables can’t come back to haunt them later?

Julie Anderson, a principal at AG Strategy Group in Washington, D.C. said this is a murky area as policy always lags behind the development and use of technology. HIPAA was passed in 1996, and nine years later in 2005 HIPAA released its first privacy rule as it related to health care data. In 2013 those rules were updated.

“It’s a complex set of issues, and it can take that long for policymakers to react to what’s happening in the marketplace, particularly regarding how health care entities are using technology and handling the data they collect,” Anderson said.

“It is possible that all technology providers in the chain of custody of personal health care data from the wearable manufacturer to the Internet service provider to the cloud provider could someday be subject to HIPAA.” — Julie Anderson, principal, AG Strategy Group

The first category of those required to comply with HIPAA are individuals or entities that come into contact with personal health care data which could be sensitive, she said. The second category are business associates, such as an accounting firm that audits claims data containing personal care diagnostic codes for a health care insurance company. That accounting firm has to enter into a business associate agreement with the insurance company, which is a contract mandated by the federal government and enforced by the Health and Human Services Dept.

In 2013 the regulation changed, and the business associate definition was broadened to include technology and manufacturing companies that receive, transmit or store personal health care data, Anderson said.

“It is possible that all technology providers in the chain of custody of personal health care data from the wearable manufacturer to the Internet service provider to the cloud provider could someday be subject to HIPAA,” she said. “But for employers who urge their workers to use wearables, this is a murky area of law not established in case law, so it’s unclear whether they would be held liable.”

If employers are outsourcing the management and storage of their employees’ data collected from the wearables, as well as the decision-making based on that data, then every single entity that touches that data in theory needs to be HIPAA compliant, Anderson said. That could also mean the employer has potential exposure, if employees view their data on the third-party website using the employer’s computer.

“Plaintiff attorneys may want to sue as many parties as possible,” she said.

Employers considering the use of wearables first should make sure their third-party providers are covered by a business associate agreement that they have entered into with a HIPAA-covered entity such as a health care clearinghouse, Anderson said. Employers should also make sure these parties are HIPAA compliant where applicable, if they are handling personal health information.

“If it’s a situation where an employer is mandating the use of wearables which can interact with personal and private activities, and employees are not involved in policymaking, that could be inviting a world of hurt in terms of legal action,” she said. While the law is not yet settled in this area, “if they have employee participation in the development of those policies governing voluntary participation, it becomes harder for a plaintiff attorney to say the employer did this to an employee.”

David Gibson, vice president at Varonis Systems Inc., a New York City-based software vendor for the management and protection of unstructured data, said the first question employers should ask themselves is whether they are storing any health or patient-related data as a result of wearables, which would then make the company itself a business associate to a HIPAA-covered entity.

Employers also have to know exactly where that data is warehoused, he said.

“You might be surprised, but a lot of companies lose track of where their sensitive data is stored,” Gibson said. “Furthermore, the data they store — particularly in file shares and Intranets — is often not very restricted. A lot of organizations are turning to automation to find health-related data that they have lost track of, and to make sure only the right people have access to it and are using it correctly.”

Another key component is figuring out when employers no longer need to keep the data, he said. A lot of organizations are determining what data should be kept for regulatory compliance or to protect themselves if they find themselves in court, and what data can and should be deleted.

To minimize risks, employers should also consider trimming their collection wishlists at the outset.

“It used to be easy to believe that more data is better, even if you weren’t sure if or how you would use it all,” Gibson said. “But organizations really need to start limiting what they collect to what they really need.”

Michael H. Cohen, founder of the Michael H. Cohen Law Group in Beverly Hill, Calif., said that even if HIPAA does not technically apply, because no insurance claims are being submitted electronically with respect to the information, mirror-HIPAA privacy and security provisions in state law could create liabilities for companies.

“HIPAA compliance is therefore best industry practice,” Cohen said.

At minimum, compliance obligations include appointing a privacy and security official, conducting HIPAA/privacy and security training for employees, putting in place a robust set of privacy and security policies and procedures — including provisions for employee discipline in case employee negligence leads to data breaches, and conducting a risk management analysis.

“Because wearables are a relatively new technology, we are likely to see data breaches and reports of penalties in the news long before we see regulation specifically targeted to company use of wearables,” he said. “An ounce of legal prevention is more cost-effective than responding to a pound of regulatory penalties or lawsuits.”