Federal Trade Commission Provides New Guidance on its Health Breach Notification Rule for Health Apps and Connected Devices
September 21, 2021
By Paul J. Giancola and Mary Colleen Fowler
On September 15, the Federal Trade Commission (“FTC”) issued a policy statement (“Statement”) addressing the scope of its Health Breach Notification Rule (“Rule”) on health apps and connected devices.1 The Rule, first issued in 2009, requires vendors of personal health information and related entities to report a breach—any unauthorized disclosure or acquisition of unsecured consumer health information data—to consumers, the FTC and possibly the media.2 The failure to report could result in civil penalties. The Rule seeks to ensure that entities not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) are nevertheless held accountable for the mishandling of sensitive health data. The FTC noted that although the Rule was issued over 10 years ago, there has been an explosion of new apps and connected devices that are being marketed to and used by consumers. For this reason, the FTC considers the Rule to be of greater importance today, and its Statement a notice to vendors of their obligations to protect health information, and the obligation to be transparent about breaches.
Notably, the Statement affirms that the Rule applies to health apps, such as fertility or glucose tracking apps, and connected devices, such as wearable fitness tracking devices. More specifically, the Rule applies to health apps or connected devices that collect sensitive health data and that can draw data from multiple sources, such as through a combination of consumer inputs and application programing interfaces (“APIs”), and that are not covered by the HIPAA breach notification rule. For example, the Rule would apply to a health app that collects personal health information and then syncs the personal health information with a fitness tracking device through an API. Although app developers and vendors are not deemed health care providers (and therefore covered entities) under HIPAA, the Rule generates some confusion because under the Rule’s definitions, developers of health apps or connected devices are considered a “health care provider” because it “furnish[es] health care services or supplies.”3 Critically, entities that do not comply with the Rule could pay up to $43,792 per violation per day.4
In her supporting statement, the Chair of the FTC, Lina M. Khan, emphasized that although “this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics.”5 She additionally emphasized the need to scrutinize business models that place consumers’ sensitive data at risk.6
The FTC’s affirmation of the Rule’s application to health apps and connected devices indicates its increased focus on ensuring apps and devices that collect individuals’ sensitive health data are held accountable. Companies developing and supporting such products should be mindful of their data practices, specifically concerning the handling of sensitive health information. The FTC offered compliance tips to companies in its analysis of Flo Health, including:
- Handle health information with care. Companies must clearly disclose how they will disclose consumers’ information and substantiate their claims within their privacy policies.
- Ensure privacy representations to the public and in operation of the app are consistent over time.
- Consider how third parties will handle shared data in light of their terms and services.
- If you participate in a privacy program, live up to its standards.9
Companies, especially those collecting sensitive health data, should consider doing an in-depth analysis to both fully understand and create a breach notification action plan concerning the type of data their products collect, how and who that data is shared with, and whether any laws or regulations, such as the Rule, apply in the event of a data breach.
- FTC Press Release: Statement of the Commission On Breaches by Health Apps and Other Connected Devices available at https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf.
85 Fed. Reg. 31,085, 31,087 (codified at 16 C.F.R. pt. 318) (“the Rule”). The Rule implements the requirements of the American Recovery & Reinvestment Act of 2009, 42 U.S.C. §§ 17937, 17953.
- Statement of the Commission, supra note 1.
- Remarks by Chair Lina M. Khan on the Health Breach Notification Rule Policy Statement Commission File No. P205405 available at https://www.ftc.gov/system/files/documents/public_statements/1596360/remarks_of_chair_lina_m_khan_regarding_health_breach_notification_rule_policy_statement.pdf.
- FTC Press Release: Health App Broke Its Privacy Promises by Disclosing Intimate Details About Users available at https://www.ftc.gov/news-events/blogs/business-blog/2021/01/health-app-broke-its-privacy-promises-disclosing-intimate. The FTC finalized its settlement with Flo Health in June 2021. See FTC Press Release: FTC Finalizes Order with Flo Health, a Fertility-Tracking App that Shared Sensitive Health Data with Facebook, Google, and Others available at https://www.ftc.gov/news-events/press-releases/2021/06/ftc-finalizes-order-flo-health-fertility-tracking-app-shared.
©2021 Snell & Wilmer L.L.P. All rights reserved. The purpose of this publication is to provide readers with information on current topics of general interest and nothing herein shall be construed to create, offer, or memorialize the existence of an attorney-client relationship. The content should not be considered legal advice or opinion, because it may not apply to the specific facts of a particular matter. As guidance in areas is constantly changing and evolving, you should consider checking for updated guidance, or consult with legal counsel, before making any decisions.