The perils of connecting wearables with medical records

Illustration: Sarah Grillo/Axios
A flurry of moves by health tech companies to promote more patient data sharing is raising red flags over the way it could expose personal information.
Why it matters: The moment someone pulls data from their doctor's office, it's no longer covered by HIPAA, the landmark privacy law that safeguards personally identifiable health information.
- That means a fitness tracker that asks for someone's medical history could become a target for bad actors, or be subject to a patchwork of conflicting privacy standards.
- "What HIPAA does is it sets like a baseline, a floor of protections," said Jodi Daniel, former founding director at the Office of the National Coordinator for Health IT. "Once you're outside of HIPAA, the protections are based on what the parties agreed to."
Driving the news: Wearable fitness tracker Whoop, in partnership with the health records platform HealthEx, announced last week a plan to make it easier to share patient records within the wearable's app ecosystem.
- It comes just weeks after Oura announced a plan to help users integrate their medical records into its smart ring app.
- The idea is to combine wearable data with medical records to provide more meaningful health insights, said Priyanka Agarwal, co-founder and CEO of HealthEx.
- The company is part of a federal initiative, known as the Trusted Exchange Framework and Common Agreement, that aims to promote the secure and interoperable exchange of electronic health information. HealthEx says the initiative requires it to manage data in a manner consistent with HIPAA.
Between the lines: The Trump administration has been encouraging more information sharing, arguing that continuous monitoring and feedback from apps and wearable devices can help consumers manage their health better.
- In April, the administration announced dozens of tools as part of a Centers for Medicare and Medicaid Services health tech ecosystem that aim to make it easier for patients to securely share their records.
- The effort has won support from groups like the CARIN Alliance, which is composed of consumer health and technology companies that have adopted a voluntary code of conduct for protecting patient data.
- "It's more secure than anything under HIPAA," said Ryan Howells, leader of the CARIN Alliance.
Yes, but: Health systems worry that patients may not understand what they're giving up when they authorize records to flow into consumer apps.
- While hospitals and doctors face strict limits on how patient information can be used under HIPAA, the law doesn't apply to most consumer health apps.
- "This is not a level playing field. All health data should be afforded the same level of privacy protections, regardless of who holds it," said Mari Savickis, head of government relations for the College of Healthcare Information Management Executives.
- Third-party companies can leave open privacy loopholes in user agreements which allow them to sell or otherwise expose sensitive patient data.
Outside of HIPAA, companies are still subject to a patchwork of state laws, individual company privacy policies and Federal Trade Commission oversight, which is primarily focused on unfair or deceptive acts.
- While voluntary industry standards have filled some regulatory gaps, Daniel said they're mostly focused on transparency and consent, not setting guardrails for protecting information.
What they're saying: "CMS has worked closely with industry to ensure privacy, security, and patient trust are foundational elements of the health tech ecosystem," a CMS spokesperson told Axios.
- That includes commitments to the code of conduct and verification that privacy and security practices align with industry best practices.
What we're watching: Congress would have to expand HIPAA or create a new privacy law that applies to health tech. An effort by Senate health committee Chairman Bill Cassidy (R-La.) to expand health privacy protections to smartwatches and health apps hasn't gained momentum.
The bottom line: Americans are gaining unprecedented control over their health data, which many see as a path to well-being. But it may be leaving them exposed in ways they don't fully understand.
