The Washington Post

December 11, 2020

Sen. Amy Klobuchar wants the federal government to provide more consumer privacy protection in response to a new wearable health device from tech giant Amazon.

After a Washington Post review of the $65 Amazon Halo, Klobuchar (D-Minn.) on Friday sent a letter to Health and Human Services Secretary Alex Azar asking what his agency is doing to ensure such devices safeguard sensitive health information.

“I think that this is even more intrusive than many of these products — and I had already been concerned,” Klobuchar said in an interview. “This one just takes it to the Nth degree.”

Along with constantly recording activity and heart rate, the wrist-worn Halo includes a microphone that’s used to listen to and evaluate its owners’ tone of voice. The Halo’s companion app also asks users to strip down and take photos so it can estimate their body fat percentage.

(Amazon CEO Jeff Bezos owns The Washington Post.)

“There have been so many privacy violations in the past, and selling of data,” Klobuchar said. “Of course people just don’t want to have their data shared out there on the Internet, but it’s also about employers getting the data, insurance companies getting the data, all kinds of things.”

In 2019, Klobuchar sponsored legislation with Sen. Lisa Murkowski (R-Alaska) to regulate tracking devices, health apps and home DNA testing kits. The Protecting Personal Health Data Act proposed that the HHS secretary should create regulations for new direct-to-consumer health products not covered by existing laws.

Amazon spokeswoman Molly Wade said the company is reviewing the letter and is in touch with Klobuchar’s office. “Privacy is foundational to how we designed and built Amazon Halo. Body and Tone are both optional features that are not required to use the product,” she said.

Amazon’s privacy policy for the Halo says it does not send voice recordings to Amazon’s servers, like its Echo smart speakers do. Instead, it sends recordings to owners’ phones for analysis and then deletes the recordings. Body-fat photos are sent to Amazon’s cloud for processing, then deleted from its systems. Amazon also says it won’t sell users’ data, share it without their explicit permission or use it to target them with sales pitches.

But little of that is a regulatory requirement. America’s most well-known health law, the Health Insurance Portability and Accountability Act (HIPAA), does not apply to consumer tech devices when they’re not part of care provided by a covered entity such as a doctor or health professional.

“HHS is in the business of regulating health privacy through HIPAA and has the expertise, so it makes sense to me for them to regulate this type of personal information,” Klobuchar said.

HHS said it received the letter and would respond directly to Klobuchar.

In her letter to Azar, Klobuchar asked what authority HHS has to regulate the security and privacy of health devices — and what additional authority or resources it needed to do so.

“This isn’t as partisan as some things, this issue,” Klobuchar said. “So I’m hoping they can give us some guidance even before we have a new HHS secretary.”