Fitbit Complies with HIPAA—Does Your Business? 7 Questions to Ask

Fitbit’s recent news that it has achieved compliance with HIPAA—which protects patients’ health data—shines a light on the importance of HIPAA medical privacy concerns to an ever-widening circle of businesses. Still, many firms SHOULD be HIPAA compliant, but aren’t, putting them at risk for legal action. Could your business be one of these lawbreakers, without knowing it?

The Fitbit news shows that HIPAA compliance is no longer limited to insurance companies, doctors’ offices and hospitals. Even device manufacturers like Fitbit now want to show HIPAA compliance, to be considered for doing business with compliance-savvy enterprises.

HIPAA sanctions and marketplace advantages

But the neglected story is that so many businesses mistakenly assume that they don’t have to comply with HIPAA medical privacy laws. That’s a blunder that could cost thousands of businesses in fines, lost business, ruined reputations and possibly even criminal penalties.

The opposite is also true: Companies that achieve HIPAA compliance—even companies that are in industries far afield of medicine or insurance—can use HIPAA compliance as a competitive edge to win new business, as Fitbit now can do.

Fitbit isn’t a healthcare provider. It is a consumer device manufacturer. Yet without its HIPAA compliance, the human resources departments of many major enterprises might justifiably be a little leery of supplying their employees with the devices out of concern that they might risk running afoul of HIPAA regulations on the health-related information that Fitbit collects and transmits.

But now that Fitbit has been verified to be a HIPAA-compliant business, it can issue and sign documentation called Business Associate Agreements (BAAs) for enterprises wanting to purchase Fitbits for their employees. These agreements are designed to protect companies that use Fitbits from any HIPAA compliance actions that might stem from their use of such devices. Because Fitbit has been verified to be compliant, any company that uses the devices doesn’t have to worry about Fitbit affecting its own compliance.

The Fitbit announcement is important because many observers say that medical and fitness “wearables” are shaping up to become the next HIPAA battleground. Already, millions of people wear at least one medical or fitness-related device on a regular basis, and they can have major benefits for both wearers and insurers. Yet HIPAA is one of the laws that govern the privacy of medical information, so being able to eliminate compliance objections is a major win for Fitbit and clears the way for more device sales to a broader market that now includes wellness programs. That’s what made Fitbit’s HIPAA compliance such big news in the business press and on popular programs like Jim Cramer’s “Mad Money.”

But the news is also important because it illustrates some hard principles of HIPAA. First, HIPAA compliance is like a chain that can be broken by one weak link; BAAs help to ensure that every link is sound, and that your compliance chain won’t be broken by the BAA issuer, provided that signer has been verified to be HIPAA compliant.

8x8, for example, has offered HIPAA-compliant services—such as business phone service and cloud contact center solutions—since 2013. And because 8x8 has been verified to be compliant, the company can issue Business Associate Agreements that document our compliance. These BAAs help to protect the compliance of companies we do business with, because if any of our customers are ever audited, they can show that they are trusting their communications to a provider that is third-party verified to be HIPAA-compliant.

‘We’re not in healthcare, so why worry about HIPAA compliance?’

Many companies don’t realize that their human resources departments have access to protected health information, or PHI, through things like company health insurance plans. Sometimes, such information is stored in communications systems—phone systems, voicemail recordings, customer call centers and collaboration tools like meeting software—that aren’t necessarily certified to be HIPAA-compliant. Because so few enterprises think to ask about their phone systems’ HIPAA compliance, many companies are unwittingly putting themselves at risk.

Estimates of the number of such HIPAA-violating companies aren’t available. However, in my experience as a CISO at a company that provides business communication systems that DO comply with HIPAA, I’m often amazed at how many companies don’t even realize they need to comply with HIPAA. And HIPAA isn’t just a regulation that hospitals have to worry about. It is a real law, with real penalties, and applies to everyone who stores protected information.

Luckily for businesses that become aware that they could be running afoul of HIPAA, it is possible to find communications providers that comply, and even more importantly, will give you a critical agreement called a Business Associate Agreement, which states the communications provider complies with HIPAA. The best providers can even advise you on the standard compliant way to configure their systems so that communications issues don’t put your company in violation of HIPAA.

Questions to ask communications providers

I’m often asked what companies can do to make sure their communications systems comply with HIPAA. A good start is to ask the following questions of representatives at the firms that provide your business phone service, fax services, and call centers.

  1. Are you a HIPAA-compliant business associate? Many companies aren’t, and doing business with them could jeopardize your compliance if you use their services.
  2. What has your company done to ensure compliance? For telecommunications providers, compliance is an extensive, ongoing process. Not only must they make sure their company complies, but they need to verify that their own chain of business associate subcontractors is compliant.
  3. Has your HIPAA compliance been assessed by independent experts? It’s important to get actual third-party verification so that you don’t jeopardize your own company’s compliance. Salespeople are often confused about the new rules themselves, and could mislead you, so ask for independent confirmation. Be sure to get the name of the verifying organization, too. Also, an independent assessment of compliance will likely have more credibility with regulators than an internal assessment.
  4. Can your communications provider [business phone service, fax service, call center, web conferencing provider, etc.] supply my business with a HIPAA Business Associate Agreement? “If you use a cloud-based service, it should be your business associate,” says David Holtzman, formerly of the U.S. Health and Human Services Department’s Office for Civil Rights, Privacy Division. If a provider offers a business associate agreement, it is willing to stand behind its compliance and say in writing that it has the proper privacy and security controls in place. If your business is going to use a vendor that stores PHI on your behalf, you must have a business associate agreement in place. Holtzman adds, “If they refuse to sign, don’t use the service.” Get it in writing, in other words.
  5. Can the services that you provide my business be configured to be HIPAA-compliant? Some providers actually warn customers that they should not use their services to store HIPAA-protected health information. These providers do not even try to achieve HIPAA compliance or help customers comply. But with a little digging—and these questions—you can find out.
  6. Can you recommend particular configurations of our system to help us comply? Providers that make compliance a priority can often supply you with expertise or recommendations to help you comply, and they’re more likely to have a compliance officer who can explain how their services are set up to make compliance easier.
  7. Can your firm provide encryption for both “data in motion” and “data at rest”? When information is being transmitted, such as via voice communications, it’s subject to encryption requirements for data in motion. When it’s being stored, such as in voicemail and faxes, it should also be encrypted for protection. Many service providers cannot offer both forms of encryption, but some can.

Many businesses that are too small for a full time compliance officer or department are understandably intimidated by HIPAA compliance issues. But a few communications providers are increasingly shouldering more of the burden of compliance, so picking the right communications provider is critical to plugging this common compliance hole. And as the Fitbit example shows, doing the right thing legally is not only a virtue but can prove profitable, too.

A version of this article appeared previously at, and this article is published here with permission from the publishers of

Mike McAlpen

Mike McAlpen is the Executive Director of Security and Compliance at 8x8, one of the largest US VoIP providers for business. Prior to this, Mike was a business leader with Visa, Inc. Global Information Security and Compliance. Before this, Mike was a leader in HP Professional Services Information Security, CIO/CISO Advisory and other services for nearly 12 years. Mike is a frequent Information Security speaker, a three-term IT Services Management Foundation President, on the Board of Directors of the Silicon Valley ISSA, and active in ISACA, FBI/DHS InfraGard, U.S. Secret Service’s Cyber Crime Task Force and the American Bar Association Science and Technology Section’s Information Security Committee.