FTC Releases Policy Statement Reminding Health Apps That They Are Governed by Health Breach Notification Rule

Last week, the Federal Trade Commission (“FTC”) issued a policy statement that served to remind developers of apps, connected device manufacturers, and related entities of the applicability of the FTC’s Health Breach Notification Rule (“Rule”).

The FTC adopted the Rule to require certain businesses to notify their customers and others if there is a breach of unsecured personal health records. The Rule applies to entities that offer or maintain personal health records, and which are not otherwise covered by the Health Insurance Portability and Accountability Act (“HIPAA”). The Rule may apply to entities like direct-to-consumer digital health companies, to the extent their records are not governed by HIPAA, and apps and technologies that track or compile information concerning medical history, fitness, fertility, and other vital areas.

Pursuant to the Rule, a “personal health record” (“PHR”) is defined as an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by, or primarily for, the individual. This is distinguishable from health records maintained pursuant to HIPAA, as PHR is not collected by or for a health care provider, but instead is managed or controlled by the individual directly.

Under the Rule’s requirements, vendors of PHR and PHR-related entities must notify consumers and the FTC, and, in some cases, the media, if there has been a breach of unsecured identifiable health information, or face civil penalties for failing to do so. Of note, a “breach of security” is broadly defined: it includes unauthorized access, such as sharing of covered information without an individual’s authorization, in addition to malicious breaches caused by cybersecurity intrusions.

Key Takeaways

The FTC noted that the Rule was issued more than a decade ago, but that the Rule was not enforced. However, in the words of the agency, the FTC now “intends to bring actions to enforce the Rule consistent with this Policy Statement.” This is similar to the delay in the enactment and compliance date for HIPAA and the ultimate trend of enforcement actions that did not begin until years later.

Pursuant to the Policy Statement, health apps can expect to face increased scrutiny on a federal level. Moreover, such entities are already subject to state laws that are substantially similar to the Rule, such as the California Medical Information Act, which was used last year by the California Attorney General to secure a $250,000 settlement from a fertility tracking app for alleged privacy breaches concerning health information not governed by HIPAA.

How Frier Levitt Can Help

Data privacy and technology regulations are rapidly evolving. It is critical that companies and providers with access to health data remain apprised of applicable federal and state laws that may impact how such data is accessed, used, and shared. Contact Frier Levitt for assistance in determining whether the Rule applies to your business, and what measures you must take to ensure your compliance in the event of a breach of security of PHR.
