Last week’s news that the Federal Trade Commission is taking steps to begin rulemaking on consumer privacy and artificial intelligence drew plenty of attention from privacy professionals, and suggests 2022 could be an interesting year for federal regulation of privacy and data security. But that development is only one of a series of moves the Commission has recently made in this space. In September, a divided Commission issued a Policy Statement that adopts a surprisingly broad interpretation of the FTC’s existing Health Breach Notification Rule, and suggests the FTC is seeking opportunities to use its existing authority to crack down on mobile health apps’ lax privacy and data security practices.
In that Policy Statement, the FTC takes the position that the Health Breach Notification Rule, which applies to “vendors of personal health records,” covers any mobile app that processes health information and that can draw personal information from multiple sources. The FTC also states that the Rule broadly requires notification of any unauthorized access to consumer health information, including the sharing of a consumer’s health information without the consumer’s authorization.
Mobile health app developers should take careful note of the Policy Statement’s interpretations and assess their offerings’ compliance posture accordingly.
Overview of the Health Breach Notification Rule
The FTC issued the Health Breach Notification Rule in 2009 to impose breach notification requirements on companies that process consumer health information, but are not subject to HIPAA. To that end, the Rule requires a “vendor of personal health records” to notify affected consumers and the FTC whenever “unsecured [personal health record] identifiable health information [is] acquired by an unauthorized person” as a result of “a breach of security of unsecured [personal health record] identifiable health information.” A “vendor of personal health records” is an entity that (1) is not a HIPAA covered entity or business associate and (2) offers or maintains “personal health records.”
“Personal health records” are in turn defined under the Rule as electronic records of “individually identifiable health information” that “can be drawn from multiple sources and that [are] managed, shared, and controlled by or primarily for the individual.” “Individually identifiable health information” covers information that identifies an individual, or for which there is a reasonable basis to believe it could be used to identify an individual, and that is (1) created or received by a health care provider, health plan, employer, or health care clearinghouse and (2) relates to that individual’s physical or mental health or condition, the provision of health care to that individual, or the payment for the provision of health care to that individual.
Impact of the Policy Statement
In the Policy Statement, the FTC takes a surprisingly expansive view of what categories of entities are subject to the Health Breach Notification Rule. To that end, the Statement provides that mobile health apps that can draw personal information from multiple sources are “vendors of personal health records” and that health-related personal information collected from sources like wearable fitness trackers or APIs constitutes a “personal health record” subject to the Rule.
That conclusion relies on an aggressive interpretation of the Health Breach Notification Rule’s cross-referenced definition of “health care provider,” which includes a “person furnishing health care services and supplies.” The Policy Statement concludes that entities that offer fitness trackers or APIs that provide health-related data to a mobile health app are “furnishing health care services and supplies” such that they constitute “health care providers.” In the FTC’s view, electronic records of health-related personal information received from those sources are therefore “individually identifiable health information” that constitutes a “personal health record” under the Rule.
The Policy Statement also states an entity can be a “vendor of personal health records” if it collects information from multiple sources, even if it only collects health information from one source. For example, the FTC states that a blood sugar monitoring app that collects blood sugar levels directly submitted by a consumer, and also non-health information such as the date from the consumer’s device’s calendar, is covered by the Rule.
Finally, the Policy Statement also takes a broad view of which incidents require notification, providing that “a ‘breach’ is not limited to cybersecurity intrusions or nefarious behavior.” The Commission also states repeatedly that an app developer’s disclosure of covered information without the individual’s authorization requires notification under the Rule. Expressly interpreting “breach” to include any disclosure without consumer authorization is somewhat novel, but the underlying premise that health information disclosures require consumer authorization is consistent with prior FTC guidance indicating that businesses should obtain opt-in consent before collecting and disclosing health information.
The Policy Statement is not formally binding, and its conclusions may be challengeable in enforcement action litigation. In addition, the FTC has never enforced the Health Breach Notification Rule (as it acknowledged in the Policy Statement).
But the Policy Statement suggests that the FTC intends to scrutinize mobile health apps more closely, and may be more likely to use enforcement actions under the Health Breach Notification Rule as a tool to do so. And under the Rule, those enforcement actions can carry penalties of up to $43,782 per day.
Mobile health app developers seeking to avoid FTC enforcement actions should assess whether the Health Breach Notification Rule applies to them, create or update incident response policies to account for its requirements, and examine whether and how they should obtain authorizations or consent to disclosures of health information.