
As someone who's taken the internal trainings a few times by now: NOPE. Health data is scary-scary and no team wants to taint itself with it, unless it's the core of the product.


I hope that's true. I suspect that if it is, it only is until one or two teams do it successfully and monetize that outcome. Then it's open season.

That's a trend in computing. It's forever too hard, until all of a sudden it isn't for a very select few and they do amazing things[1]. Then a year or two later everyone is doing it.

1: Amazing is relative, and in this case may be less about customers getting something amazing and more about the execs looking at amazing profit reports...


Health data is scary because of HIPAA (and the equivalent in non-US jurisdictions), not because it's inherently special or hard to make sense of.


It's scary because HIPAA puts a lot of restrictions on what it can be used for and also puts a bunch of requirements in place for its safekeeping. My point is that once it's been shown that those issues can be dealt with profitably, others will see that as a new growth sector and follow.

Regulations are often implemented as a set of specific hard rules based on specific values (so it's easy to rule on them). The systems they regulate are almost never so clear, and are based on competing gradients. The places where these rules interact with natural systems (such as a free market) are often some of the most lucrative places for companies to develop new strategies.

Where some people see rules that prevent or kill existing businesses, other people see an opportunity for a new type of business. The whole financial sector is rife with companies that do just this. A simple example of how it could happen in this case is that there may be some non-HIPAA-covered data (that people may or may not think of as health data at this point in time) mixed in with the HIPAA data, and very carefully harvesting and monetizing that could be lucrative. Maybe later laws are updated to change this, or maybe it becomes the new normal.


Is Fitbit location history covered by HIPAA?


Basically, any given health record is covered by HIPAA if it 1) includes personal health information, 2) includes personally identifiable information, and 3) is used by a Covered Entity or Business Associate for some health care purpose. Just being "data with health-related information in it" doesn't make it covered by HIPAA; it has to actually be used by a specific set of organizations for a purpose related to health care.

If Fitbit just stored your personal Fitbit data in a data lake in the cloud, that's not covered by HIPAA. But if it then shared that data with a service that made suggestions about your health, now it's covered by HIPAA. But if Fitbit allowed your smartphone to download your data, and gave you an app that allowed you personally to see health-related information about that data, that is (afaik) not covered by HIPAA, because you and your phone alone are not a Covered Entity or Business Associate.

Fitbit has a "health solutions" department which seems dedicated to healthcare solutions based on Fitbit data: https://healthsolutions.fitbit.com/ My guess is anything HIPAA-related is solely done through that arm of the company. Example: https://healthsolutions.fitbit.com/healthsystems/ I take this as them saying, "Hey Covered Entities, sign a Business Associate contract with us, and you can hoover up Fitbit data directly from us". By writing some glue code and doing the HIPAA hokey-pokey, they make a tidy profit.


Health data is not that scary. You create a contract between each business associate, and you can have 20 different orgs in a chain of trust going back to a single care provider. A lot of the modern security best practices of tech companies (not to mention GDPR) fulfill most of the privacy and security requirements of HIPAA too.

Anyway, health is the next up-and-coming tech market. That's why Amazon just acquired Health Navigator and is rolling it up under Amazon Care (https://amazon.care/). Google [Alphabet] isn't just going to leave money on the table (and healthcare is lotsa lotsa money).


It seems that if they buy Fitbit it's because they are no longer really "scared" of it; they aren't going to buy it just to keep Fitbit a completely separate product.


Have you noticed how terribly siloed Google is? How you cannot use Drive to sync Photos, how long it took to get a "One Google" subscription that still doesn't cover all that many of the products, how after moving it takes forever to get all the various products to agree on which country you live in? Dang, a few years back every product was separately asking for my age. That's not only because integrations are hard, but most importantly because getting access to another team's data is a whole ton of lawyering through the privacy working group.

Now, that is for data that has no special legal protections. Whereas medical data is, for good reasons, subject to pretty heavy-handed laws, differing quite dramatically across all the diverse jurisdictions Google runs in. Sure, I have no clue what my employer's grand plan is here, but it will surprise me very strongly if medical data starts finding its way to established products. And note this is "medical data" according to the conservative common denominator across all the jurisdictions Google has to care about.


It's not like they don't already have health data. Google Fit exists and plenty of people use it: any Android Wear devices, but also plenty of third-party devices, feed into Google Fit. Any data they'll be able to get from Fitbit they can already get from Google Fit; acquiring Fitbit will just mean they'll have that same data for a whole bunch more people.

What they currently do with the fitness data they collect is probably a pretty good guidepost for what they'll continue to do with fitness data they collect.


> acquiring Fitbit will just mean they'll have that same data for a whole bunch more people

And this is why you have to carefully read privacy policies. Pebble had a clause in theirs saying they could sell any personal data about you to anyone, either as part of a company acquisition or for any other reason. Pebble got bought out by Fitbit. If that data is part of Fitbit's sale then Google will now have all data Pebble ever collected on anyone (which was, at least potentially, a lot).


They also acquired Fossil.

It's just as likely they want to use the Fitbit brand to set the bar for the Android wearable portfolio, like they do with the Pixel for phones, as to harvest your daily steps for targeted advertising.


Is heartbeat data inherently 'health data'?

Could opting into an app that uses heartbeat for non-health purposes (ex. music game with biofeedback) open the door legally for them to use the data for other non-health purposes?

