FTC: Health Apps Must Comply with Health Breach Notification Rule

The FTC issued a policy statement warning health apps and connected device companies to comply with the Health Breach Notification Rule.

By Jill McKeon

The Federal Trade Commission (FTC) issued a policy statement emphasizing that health apps and connected device companies must comply with the Health Breach Notification Rule. The rule requires vendors of personal health records and related entities that fall outside HIPAA to notify consumers when the identifiable health information they hold is breached.

The FTC issued the Health Breach Notification Rule in 2009 to extend breach notification obligations to web-based businesses that handle consumer health data but are not covered by HIPAA. HIPAA covered entities are already required to comply with HIPAA's own breach notification rule, but vendors that collect identifiable health information outside HIPAA often get overlooked.

“The Rule was issued more than a decade ago, but the explosion in health apps and connected devices makes its requirements with respect to them more important than ever,” the policy statement explained.

“The FTC has advised mobile health apps to examine their obligations under the Rule, including through the use of an interactive tool. Yet the FTC has never enforced the Rule, and many appear to misunderstand its requirements.”

The rule applies to vendors of personal health records (PHRs), to PHR related entities, and to third-party service providers to either, where the PHR contains identifiable health information created or received by a healthcare provider.

The FTC explained that, under this definition, a developer of a health app or connected device is a healthcare provider because it furnishes healthcare services or supplies. Such developers are therefore obligated to comply with the Health Breach Notification Rule.

The FTC emphasized that the rule's definition of “personal health record” covers “an electronic record that can be drawn from multiple sources,” and it read that phrase in terms of what an app is capable of doing rather than what it actually does.

“The Commission considers apps covered by the Rule if they are capable of drawing information from multiple sources, such as through a combination of consumer inputs and application programming interfaces (‘APIs’).”

“For example, an app is covered if it collects information directly from consumers and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker. Similarly, an app that draws information from multiple sources is covered, even if the health information comes from only one source.”

Under the rule, a covered entity must notify affected consumers without unreasonable delay and no later than 60 calendar days after discovering a breach, by first-class mail to the consumer's last known address (or by email, if the consumer has chosen email as the primary contact method). It must also notify the FTC (within 10 business days of discovery if the breach involves 500 or more individuals, otherwise in an annual log) and, when a breach involves 500 or more residents of a single state, prominent media outlets serving that state.

Failure to comply could result in monetary penalties of up to $43,792 per violation per day.

In response to the announcement, the College of Healthcare Information Management Executives (CHIME), a professional organization for healthcare IT leaders, issued a statement applauding the FTC for its clarified definition of “personal health record” and its intent to penalize noncompliant companies.

“These actions from the FTC will make a patient’s data more secure and help ensure that those entities who have a breach of this crucial private data are held accountable,” CHIME explained.

“Not only does it hold bad and insecure actors accountable, but it also creates a disincentive that urges all personal health records to strengthen their data security practices.”

Consumers use health apps to track fertility, sleep, heart rate, and other highly personal health data. A recent report revealed that 61 million fitness tracker records, including data synced from Apple and Fitbit devices, were exposed in an unsecured database belonging to New York-based GetHealth.

GetHealth is a wellness company whose platform aggregates users' wearable device, medical device, and health app data. An independent researcher discovered that a GetHealth database was reachable without any password or other authentication, and that it contained millions of clearly identifiable health records.

The incident underscored the case for regulating health apps and connected device companies, which can collect highly sensitive health data while flying under the radar of HIPAA.

“While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” Lina M. Khan, FTC chair, explained after the FTC voted 3-2 to approve the policy statement.

“Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”