Cardiology Coding Alert

Reader Questions:

Ensure Practice Maintains Compliance

Question: We use wearable devices and health apps to remotely monitor our patients when they’re at home and living their daily lives. Our networks are secure, we’ve established data collection policies, and we are HIPAA compliant. Do you have any other advice to ensure our practice is compliant?

Maine Subscriber

Answer: As part of the Internet of Things (IoT), wearable devices are beneficial to both patients and healthcare providers. Wearable devices, such as smartwatches and continuous glucose monitors (CGMs), allow physicians and care teams to monitor a patient’s condition while the patient goes about their daily life.

You’ve hit the ground running by establishing data collection policies, complying with HIPAA rules, and securing your network, but you should review the policies of the health apps and devices you’ve currently deployed. In September 2023, the Federal Trade Commission (FTC) issued guidance for businesses collecting, using, or sharing health information.

The HIPAA Privacy Rule instructs that covered entities or business associates cannot use or disclose a patient’s protected health information (PHI) for marketing purposes without the consumer’s HIPAA authorization. At the same time, the FTC Act “prohibits companies from engaging in deceptive or unfair acts or practices in or affecting commerce,” the agency wrote in the guidance. The FTC Act also applies to HIPAA-covered entities and business associates, in addition to companies that aren’t required to comply with HIPAA that gather, share, or use health information.

Health apps collect a wide swath of information, such as glucose levels for those with diabetes, sleep patterns, and heart health data. The FTC indicates the Health Breach Notification Rule covers apps, websites, and connected devices that store electronic health information in a patient’s health record. However, if companies suffer a cybersecurity breach that exposes the patient’s identifying health information, the organization is obligated to notify the affected consumer, the FTC, and the media.


Other Articles in this issue of

Cardiology Coding Alert

View All