The Federal Trade Commission ("FTC") recently announced its intent to "vigorously" enforce its 2009 Health Breach Notification Rule (the "Rule") via a policy statement that sheds light on the Rule's scope. The policy statement includes an expanded interpretation of entities subject to the Rule and clarifies that not only does the acquisition of health data by a bad actor constitute a reportable breach but that the disclosure of it to a third-party without an individual's authorization is also a reportable breach. Health tech companies need to take action immediately and determine if they are subject to the Rule. If they are, they may need to update their privacy and security policies. Learn more about the Rule in this update and how Orrick can help.
The Rule requires vendors of personal health records ("PHRs") and PHR-related entities to report breaches of security to the FTC, individuals, and in certain circumstances, the media. The Rule was intended to bridge the gap in breach reporting obligations for entities not covered by the Health Insurance Portability and Accountability Act ("HIPAA") but collecting individually identifiable health information. Under the Rule, a vendor of personal health records is an entity not subject to HIPAA that collects individually identifiable health information drawn from multiple sources into an electronic record managed, shared, and controlled by, or primarily for, the individual (a "PHR"). PHR-related entities include entities not subject to HIPAA that send information to PHRs. For example, the Rule applies to an online service that allows individuals to pull their medical records from multiple health care providers and store them electronically.
In its policy statement, the FTC expands those entities subject to its Rule. Health care providers not otherwise subject to HIPAA are within the Rule's scope due to cross-references incorporated into the definitions section of the Rule. In the policy statement, the FTC states that health apps and connected devices are health care providers because they "furnish health care services or supplies." As such, if they are not otherwise subject to HIPAA and pull information, some of which is health information, from multiple sources, they are subject to the Rule. Health care providers are not subject to HIPAA unless they enter into certain electronic HIPAA standard transactions related to billing payment for healthcare. For these purposes, drawing from multiple sources includes pulling from application programming interfaces ("APIs") and information input directly by the individual (for example, blood pressure input by the individual). This is true, according to the policy statement, even if the health information is drawn from one source, but the app or device collects other non-health information from another source (for example, dates from the calendar on the individual's cell phone).
As far as the nuts and bolts of the Rule, entities subject to it must notify individuals and the FTC following the discovery of a security breach. Similarly, in the event of a security breach, downstream third-party service providers must provide notice to vendors of personal health records or PHR-related entities and obtain acknowledgment that the notice was received. These notifications must be sent "without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security." Under HIPAA, breaches of security are "treated as discovered as of the first day on which such breach is known or reasonably should have been known" to each entity covered by the Rule. Of note, the FTC previously stated that it expects entities subject to the Rule to maintain reasonable security, including breach detection measures, which should assist in the discovery of breaches in a timely manner.
While significant in its own right, the policy statement takes on particular significance during the global pandemic. We have seen a rapid expansion in tech companies offering apps that collect and track health-related information, including mental health, diet, sleep, fertility, fitness, and COVID-19 health and vaccination status. If not subject to HIPAA and if drawing information from more than one source, these tech companies should closely evaluate their apps' collection of health information and the company's privacy and security policies and incident response plans.
As acknowledged in the policy statement itself, in the decade since the Rule's issuance, the FTC has never enforced it. Moreover, there have only been four instances of a company providing notice to the FTC under it. The FTC, however, is loudly signaling that the days of non-enforcement are now over. According to the Chair of the FTC, it plans to "enforce this Rule with vigor." Moreover, given the limitation on the FTC's ability to seek equitable monetary relief under Section 13(b) of the FTC Act arising from the recent decision in AMG Capital Management, LLC v. FTC, 593 U.S. __ (2021), the FTC may be even more likely to pursue actions under the Rule because it offers a civil penalty. Under the Rule, the FTC can seek a civil penalty of $43,792 per violation, per day.