FTC Personal Health Records Breach Rule Applies to Health App and Connected Device Developers

Mintz - Health Care Viewpoints


On September 15, 2021, in response to the “proliferation of apps and connected devices that capture sensitive health data,” the Federal Trade Commission (FTC) issued a Policy Statement (the Statement) offering guidance on the scope of the FTC’s Health Breach Notification Rule (Breach Rule). According to the Statement, the Breach Rule applies outside of the traditional health care context (e.g., health care involving diagnosis and treatment by a licensed health care provider), and the FTC intends to bring enforcement actions for noncompliance involving up to $43,792 in civil penalties per violation, per day.

The Breach Rule implements requirements for personal health records (PHR) under the American Recovery and Reinvestment Act of 2009 (ARRA) and requires notification to consumers, the FTC, and in some cases the media in the event of unauthorized acquisition or disclosure of unsecured “individually identifiable health information” as defined by HIPAA (which means among other things that the information involved would need to be created or received by a health care provider, health plan, employer or health care clearinghouse).

In the Statement, the FTC “clarifies” that under the Breach Rule health apps and connected devices that capture health data are “health care providers” because they “furnish health care services or supplies.” As a result, the Breach Rule broadly applies to a wide range of health apps and connected devices where identifiable health information is involved.    

The FTC also takes an expansive view of what electronic records are subject to the Breach Rule. “Personal health record” is defined by the ARRA as an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. In the Statement, the FTC explains that health apps are covered by the Breach Rule if they are capable of drawing information from multiple sources, such as through a combination of consumer inputs and application programming interfaces (APIs) even if some sources do not contain health information, and provides the following examples:

  • An app that collects information directly from consumers and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker; and
  • A blood sugar monitoring app that draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from your phone’s calendar).

Finally, the FTC took the opportunity to remind PHR vendors that a “breach” is not limited to cybersecurity intrusions or nefarious behavior. Incidents of unauthorized access, including sharing of covered information without an individual’s authorization, trigger notification obligations under the Breach Rule.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Mintz - Health Care Viewpoints | Attorney Advertising
