On September 15, the Federal Trade Commission (“FTC”) issued a policy statement (“Statement”) addressing the scope of its Health Breach Notification Rule (“Rule”) on health apps and connected devices. The Rule, first issued in 2009, requires vendors of personal health information and related entities to report a breach—any unauthorized disclosure or acquisition of unsecured consumer health information data—to consumers, the FTC and possibly the media. The failure to report could result in civil penalties. The Rule seeks to ensure that entities not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) are nevertheless held accountable for the mishandling of sensitive health data. The FTC noted that although the Rule was issued over 10 years ago, there has been an explosion of new apps and connected devices that are being marketed to and used by consumers. For this reason, the FTC considers the Rule to be of greater importance today, and its Statement a notice to vendors of their obligations to protect health information, and the obligation to be transparent about breaches.
Notably, the Statement affirms that the Rule applies to health apps, such as fertility or glucose tracking apps, and connected devices, such as wearable fitness tracking devices. More specifically, the Rule applies to health apps or connected devices that collect sensitive health data and that can draw data from multiple sources, such as through a combination of consumer inputs and application programing interfaces (“APIs”), and that are not covered by the HIPAA breach notification rule. For example, the Rule would apply to a health app that collects personal health information and then syncs the personal health information with a fitness tracking device through an API. Although app developers and vendors are not deemed health care providers (and therefore covered entities) under HIPAA, the Rule generates some confusion because under the Rule’s definitions, developers of health apps or connected devices are considered a “health care provider” because it “furnish[es] health care services or supplies.” Critically, entities that do not comply with the Rule could pay up to $43,792 per violation per day.
In her supporting statement, the Chair of the FTC, Lina M. Khan, emphasized that although “this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics.” She additionally emphasized the need to scrutinize business models that place consumers’ sensitive data at risk.
The FTC’s affirmation of the Rule’s application to health apps and connected devices indicates its increased focus on ensuring apps and devices that collect individuals’ sensitive health data are held accountable. Companies developing and supporting such products should be mindful of their data practices, specifically concerning the handling of sensitive health information. The FTC offered compliance tips to companies in its analysis of Flo Health, including:
Companies, especially those collecting sensitive health data, should consider doing an in-depth analysis to both fully understand and create a breach notification action plan concerning the type of data their products collect, how and who that data is shared with, and whether any laws or regulations, such as the Rule, apply in the event of a data breach.
85 Fed. Reg. 31,085, 31,087 (codified at 16 C.F.R. pt. 318) (“the Rule”). The Rule implements the requirements of the American Recovery & Reinvestment Act of 2009, 42 U.S.C. §§ 17937, 17953.