Note that HIPAA currently does not cover consumer-purchased wearables. If the wearable is purchased by the health-care provider and provisioned to the patient, then the data originating from that wearable is covered under HIPAA. However, where the patient uses his or her own wearable to collect and provide data, that data is not covered.

The concept of data aggregation is also important to understand in relation to IoT privacy. There are data elements that by themselves are not considered PHI (Protected Health Information) under HIPAA. However, when those data elements are combined with identifying information, the combined data is covered. The HIPAA Security Rule identifies 18 criteria that define PHI. The FTC Report (Privacy and Security in a Connected World) called for an update to HIPAA to increase the scope of data collected to include health apps and other connected devices.

