How the FTC’s Health Breach Notification Rule Will Impact Health Apps

October 05, 2021 - Customers regularly provide their heart rate, weight, height, sleep, fertility, and other sensitive medical data to health apps. But while standard healthcare providers are beholden to HIPAA, health apps are not required to comply with the same regulatory standards when it comes to health data breaches and patient data sharing.

With its new policy statement, the Federal Trade Commission (FTC) affirmed that health apps and connected device companies that collect health information must comply with the Health Breach Notification Rule.

The policy statement raised new considerations about what the FTC considers a data breach to be, what entities can be defined as healthcare providers under the rule, and how federal lawmakers can keep pace with the fast-moving tech industry which has disrupted how consumers manage their health.

To Lara Compton, a healthcare regulatory attorney at Mintz who advises clients at the crossroads of healthcare and technology, the policy statement signified a major shift in how personal health record (PHR) breaches are classified and dealt with.

“Traditionally, I think people have a concept of what healthcare is, what healthcare services are, and who a healthcare provider is,” Compton told HealthITSecurity.

READ MORE: FTC: Health Apps Must Comply with Health Breach Notification Rule

“So, to go from that traditional context to a much broader interpretation of what healthcare is, it’s a pretty big change for people who have been in the health tech industry for a long time.”

Back to basics: FTC defines PHRs, healthcare providers, and data breaches

The FTC’s policy statement provided long awaited clarification to health app developers whose products often fall into a gray area of healthcare regulatory policies—they are not covered under HIPAA, but they possess the same types of sensitive data that HIPAA covered entities have access to.

In an effort to hold entities not covered under HIPAA accountable for data breaches, the FTC introduced the Health Breach Notification Rule in August 2009. The rule requires vendors of personal health records and other entities to alert the FTC, consumers, and in some cases the media when a personal health record (PHR) data breach occurs.

But at the time, health apps were not nearly as popular as they are now. The recent policy statement served to remind health app developers and connected device companies of their obligations under the rule.

The FTC considers a personal health record to be “an electronic record that can be drawn from multiple sources.” Any health app that is capable of drawing information from multiple sources, such as through consumer inputs and application programming interfaces (APIs), must comply with the rule.

READ MORE: Congress Urges FTC Crackdown on Health Apps Via Breach Notice Rule

The commission designated “healthcare providers” as entities that “furnish healthcare services or supplies.” Since health apps and connected device companies provide a healthcare service, they fall under this definition.

The FTC also specified that a data breach “is not limited to cybersecurity intrusions or nefarious behavior.” Instances of unauthorized access, such as an entity sharing health information without an individual’s permission, triggers notification obligations.  

These clarified definitions will have significant implications for how health apps conduct business and what standards they must adhere to.

“The FTC is moving towards more of a HIPAA concept in a way, where it's not strictly a network breach. Unauthorized disclosure and use can also potentially trigger the breach reporting rule,” Compton explained.

“That's a pretty big change in terms of the types of incidents that would then need to be reported. It’s  a shift in concept from what people were traditionally thinking of as a PHR breach. So, if you take those things together, in my view, it's a pretty big change from what people viewed the PHR breach rule historically.”

Why now?

READ MORE: Proposed Data Privacy Bill Creates Federal Data Standard, Empowers FTC

Although the rule was introduced over a decade ago, the FTC has never brought any enforcement actions under it. Now, failure to comply with the rule could result in monetary penalties of up to $43,792 per violation per day.

“The law and the regulations always lag behind where the technology is, and so the government is constantly trying to play catch up to address what's going on based on the framework that they've got,” Compton explained.

Compton explained that the FTC’s ruling had been building for some time. In May 2020, the FTC sought public comment on whether changes should be made to the decade-old rule to include services such as virtual assistants and mobile health apps. The commission received overwhelming support from stakeholders and other entities.

At the same time, the COVID-19 pandemic boosted telehealth and virtual healthcare platforms to the forefront of the industry.

“COVID caused a technology boom and pushed everything into a virtual environment. It really got people thinking about how much electronic data is out there,” Compton said.

Meanwhile, consumers were becoming increasingly educated about HIPAA as the COVID-19 vaccination rollout began. Many people realized that HIPAA was not as all-encompassing as they had previously believed.

“What became really obvious to me during the pandemic and a lot of the discussions around COVID information and COVID apps is that a lot of people think HIPAA is much broader than it actually is,” Compton remarked.

“I never expected Trevor Noah to talk about how HIPAA applies on The Daily Show, but he actually did. That's such a huge change from what was going on 10 years ago when very few people outside of healthcare understood HIPAA, and it certainly didn't come up in everyday conversation. In the wake of COVID, the public is becoming more aware of what HIPAA actually protects and what it doesn't.”

It became clearer to the general public that when people give their medical information to health apps, HIPAA rules do not apply.

The combination of advancing technology, a more informed public, and widespread stakeholder support naturally led the FTC to use its power to hold health apps accountable and fill in the gaps that HIPAA left open.

What health tech companies should expect moving forward

The FTC’s policy statement is rooted in a quest for transparency. Health app developers do not necessarily have to change how they operate, but they are required to keep customers informed of data security incidents or risk FTC penalties.

“I do think some apps will probably take a look at their functionality and see if they can make changes so that the rule doesn’t apply,” Compton stated.

But for many companies, collecting health information from consumers is part of their business model, and it will be difficult to avoid the FTC’s regulations. If that is the case, Compton emphasized that health apps will need to reassess incident investigation and breach notification policies to ensure compliance and transparency.

“You then have to start thinking about who else has access to that information and what kind of flow-down provisions you need to be putting in your agreements in connection with compliance,” she continued. “So, all of those vendor contracting policies and procedures need to be looked at as well.”

Along with reviewing business associate contracts and updating privacy policies, Compton suggested that health tech companies be aware of “the new tool in FTC’s toolbox.”

“I think that the take home message here is if you're in any way collecting information from consumers that could relate to a person's health, now is the time to really take a look at this guidance and make a determination about whether or not you think the rules apply,” Compton suggested.

“Even if they don't, consider where this is going more broadly under FTC's jurisdiction and whether the information you're providing consumers is transparent. Certainly, it should be accurate, because if it's not, that's an easy enforcement action for FTC.”