The Federal Trade Commission (“FTC”) recently issued an important policy statement to health apps and other connected devices that collect or use consumers’ health information. The FTC’s policy statement effectively clarified the position that health apps and related connected devices are subject to the Health Breach Notification Rule (“the Rule”), which requires vendors of personal health records (“PHR”) and PHR-related entities to notify U.S. consumers, the FTC, and in cases of certain breaches involving over 500 consumers, the media, if there has been a breach of unsecured identifiable health information. The FTC’s commissioners voted 3-2 to approve the policy statement.
The FTC’s Rule helps account for entities that are not subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA), but nonetheless collect and use sensitive health information. The FTC notes in its policy statement that while the Rule was established more than a decade ago, “the explosion in health apps and connected devices” particularly with the onset of the COVID-19 pandemic, and a spike in cyberattacks in this space, has made the Rule’s obligations “more important than ever.” Health apps include everything from fitness, sleep and diet trackers, to apps that help individuals track their disease, diagnosis, medications, mental health, other vital areas and more.
Specifically, the Rule states that:
each vendor of personal health records, following the discovery of a breach of security of unsecured PHR identifiable health information that is in a personal health record maintained or offered by such vendor, and each PHR related entity, following the discovery of a breach of security of such information that is obtained through a product or service provided by such entity, shall:
- Notify each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such breach of security; and
- Notify the Federal Trade Commission.
In addition, the Rule requires third-party service providers of such vendors, following the discovery of a breach of security, to provide notice of the breach to an official of the vendor designated in writing, and if no such designation is made, to a senior official of the vendor.
A PHR is defined as an electronic record of individually identifiable health information that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for an individual.
Notably, the policy statement emphasizes that a health app is subject to the Rule if it is capable of drawing information from multiple sources, even if the health information comes from only one source. The FTC provides the example of a blood sugar monitoring app that draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from your phone’s calendar) – such an app is covered under the Rule.
The FTC’s policy statement further clarifies that when a health app discloses sensitive health information without user consent, a “breach of security” is triggered under the Rule, and such a breach is not limited to “nefarious behavior”. “While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” said FTC Chair Lina M. Khan. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.” Entities that fail to comply with the Rule are subject to monetary penalties of up to $43,792 per violation, per day.
The Rule has generated significant confusion for entities offering PHRs, particularly since the onset of the COVID-19 pandemic. It is important to emphasize that the FTC’s rule does not apply to HIPAA-covered entities. The preamble of the Rule, for example, addresses whether the Rule would cover PHRs that a HIPAA-covered entity offers its employees. The preamble explicitly notes that “because the FTC’s rule does not apply to HIPAA-covered entities, it does not apply to PHRs that such entities offer their employees”. The overarching goal is to “harmonize” HHS and FTC data breach notification reporting requirements, and compliance with certain HHS rule requirements in turn satisfies compliance under the FTC rule. There are, however, situations where an entity may have “dual or overlapping” coverage under the HHS and FTC rules. Two examples:
- A vendor with a dual role as both a business associate under HIPAA and a provider of PHRs to the public through its own website. It has reporting requirements under the HHS rule for its functions as a business associate, and requirements under the FTC rule for its role as a provider of PHRs to the public.
- PHRs offered to families. A HIPAA-covered group health plan has data breach reporting requirements under the HHS rule for the employee covered by the plan, but not for a spouse who has a PHR under the plan yet is insured by a different provider; for the spouse, the FTC rule applies.
As a result, it is crucial for an entity that provides services and functions to varying categories of individuals to carefully parse out applicability under each of the rules.
The health app industry is booming. It brings innumerable potential benefits as well as significant data privacy and security risks. Organizations that collect, use, and store medical data face increasing compliance obligations as the law attempts to keep pace with technology, cybersecurity crimes, and public awareness of data privacy and security. Creating a robust data protection program or regularly reviewing an existing one is a critical risk management and legal compliance step.