- The FTC issued a policy statement on Sept. 15, 2021, emphasizing that developers of health apps and other connected devices and their service providers have breach notification requirements under the Health Breach Notification Rule.
- The breach notification requirements include a rapid 10-day notice period to the FTC, and a 60-day notice period to individuals and the media, with violations potentially resulting in significant civil penalties of $43,792 “per violation,” “per day.”
- The policy statement warned that the FTC intends to bring enforcement actions.
- Accordingly, developers of health apps and other connected devices should take steps immediately to evaluate their obligations under the Health Breach Notification Rule.
In response to the proliferation of health apps during the COVID-19 pandemic, the Federal Trade Commission (FTC) issued a policy statement on Sept. 15, 2021, to clarify the breach notification requirements on vendors of health apps and other connected devices and their service providers under the FTC’s Health Breach Notification Rule, 16 CFR Part 318.
Research from the Organization for the Review of Care and Health Applications found that the COVID-19 pandemic led to a 25 percent increase in health app downloads, and that, of the 350,000 health apps available on the market, 90,000 were introduced in 2020 alone, an average of 250 per day. Generally, health apps are not covered by the Health Insurance Portability and Accountability Act (HIPAA), which has led some vendors of health apps and their service providers to mistakenly believe they do not have breach notification obligations.
In the Sept. 15 policy statement, the FTC emphasized that the Health Breach Notification Rule, which has been in place since 2009, covers many vendors of health apps and connected devices and their service providers, requires such entities to comply with breach notification requirements and subjects the entities to significant penalties for failure to do so. Accordingly, vendors of health apps and connected devices and their service providers must take steps now to ensure they comply with the Health Breach Notification Rule’s requirements for notification of data breaches, as the FTC’s policy statement signals that increased enforcement is on the horizon.
What information is covered by the Health Breach Notification Rule?
The Health Breach Notification Rule covers personal health records (PHRs). A PHR is an electronic record containing “identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”
In its statement, the FTC clarified that an electronic record is “drawn from multiple sources” even if the health information does not come from “more than one source.” The FTC explained that “a combination of consumer inputs and application programming interfaces (‘APIs’)” could be considered “drawn from multiple sources.” For example, the policy statement clarified that a health app would be covered by the Health Breach Notification Rule and is an electronic record “drawn from multiple sources” under the definition of a PHR if it collects information directly from consumers and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker. Further, if a blood sugar monitoring app draws health information only from one source (e.g., a consumer’s inputted blood sugar levels) but also takes non-health information from another source (e.g., dates from a phone calendar), it is covered under the Health Breach Notification Rule as an electronic record “drawn from multiple sources.”
Thus, the rule is broad and covers apps and devices that collect consumer information directly and sync to other apps or devices, including those that sync to wearable fitness trackers or to users’ digital calendars.
Who is covered by the Health Breach Notification Rule?
The Health Breach Notification Rule applies to (1) “foreign and domestic vendors” of PHR, (2) “PHR-related entities” and (3) “third-party service providers” that maintain information of U.S. citizens or residents.
A “foreign and domestic vendor” of PHR is any entity that “offers or maintains a PHR.” For example, an online platform that allows consumers to upload medical information from other sources for organization in a central location is a vendor of PHR.
A “PHR-related entity” is one that (1) offers products or services through the website of a vendor of PHR, (2) offers products or services through the websites of HIPAA-covered entities that offer individuals PHR or (3) accesses information in a PHR or sends information to a PHR. For example, an app that allows consumers to upload blood glucose readings into a personal health record is a PHR-related entity.
A “third-party service provider” is an entity that offers services to a PHR vendor or a PHR-related entity and accesses PHR identifiable information because of such services. For example, an entity that is hired by a vendor of PHR to handle billing, data management or data storage related to health information is a third-party service provider. Vendors of PHR and PHR-related entities must inform third-party service providers, ideally in the parties’ written contract, that the Health Breach Notification Rule covers them.
Any company that HIPAA covers is not considered a vendor of PHR or a PHR-related entity, and accordingly, is not subject to the Health Breach Notification Rule. HIPAA-covered entities and their business associates are instead subject to the HIPAA breach notification rules. However, it is critical for health apps and consumer-connected devices to carefully consider their relationship with HIPAA-covered entities. They should first consider whether the health apps and device entities are a “business associate” or “subcontractor” of a business associate under HIPAA, which would not be subject to the Health Breach Notification Rule, but subject to HIPAA or a “PHR vendor,” which is covered by the Health Breach Notification Rule if it “offers products or services through the websites of HIPAA-covered entities that offer individuals PHR.”
What is considered a breach of security?
The Health Breach Notification Rule defines a breach of security as an “acquisition of [unsecured PHR identifiable health information of an individual in a PHR] without the authorization of the individual.” The FTC noted in its policy statement that a breach is “not limited to cybersecurity intrusions or nefarious behavior.” Any incident of unauthorized access to covered consumer data may be considered a breach, including data sharing without prior customer approval. While a cybersecurity intrusion or unsecured data theft would be considered a security breach, unauthorized sharing of unsecured identifiable information for behavioral advertising or other data analytics could also be considered a breach. Thus, the FTC policy statement suggests that PHR vendors and PHR-related entities that are sharing data “without patient authorization” or outside of their privacy policies must consider whether this practice requires notification under the Health Breach Notification Rule.
What is required in the event of a breach of security?
In the event of a breach of unsecured identifiable health information, PHR vendors and PHR-related entities must notify impacted U.S. consumers, the FTC and possibly the media within 60 days after discovering a breach of unsecured personally identifiable health information, or the FTC within 10 days if 500 or more individuals are affected by the breach. Third-party service providers must notify the PHR vendor or PHR-related entity of any breach in accordance with the written contract between the entities. Thus, it is critical for PHR vendors and PHR-related entities to ensure their contracts with third-party service providers include how and when to notify the entity of a breach, so its notification obligations can be met.
PHR vendors and PHR-related entities should take special note of the incredibly short 10-day notification window to the FTC if 500 or more individuals are affected by the breach.
What are the penalties resulting from a violation of the Health Breach Notification Rule?
A covered entity that fails to disclose a breach of security properly is in violation of the Health Breach Notification Rule. Violations can result in civil penalties of $43,792 per violation, per day.
Looming FTC Enforcement
The FTC’s policy statement follows a recently finalized settlement between the FTC and the creators of a fertility-tracking app, Flo Health Inc. In its complaint against Flo Health, the FTC alleged that despite promising to keep millions of its users’ menstruation, ovulation and pregnancy health data private, Flo Health shared this sensitive health data with marketing and analytics firms, including Facebook and Google. As a part of the settlement, Flo Health must notify affected users about disclosing their private health information and instruct any third party in receipt of health information to destroy the data.
Though the FTC declined to enforce the Health Breach Notification Rule in the Flo Health case and has never taken enforcement action under the Health Breach Notification Rule in over a decade, its policy statement warns that “the Commission intends to bring [enforcement] actions” in the future. Accordingly, it is more important than ever for vendors of health apps and connected devices and their service providers to ensure compliance with the Health Breach Notification Rule to avoid reputational damage and significant monetary penalties. When the Health Breach Notification Rule was enacted in 2009, it was estimated that the rule would only cover approximately 900 entities and require 11 breach notifications a year. Today, given the proliferation of health apps and consumer devices, the number is easily in the hundreds of thousands, with thousands of potential violations requiring notification each year.
Next Steps for Impacted Entities:
- Evaluate the entity’s status as a vendor of PHR or a PHR-related entity under 16 CFR § 318.2. If the entity qualifies as a vendor of PHR or a PHR-related entity under 16 CFR § 318.2, notify all entities that may qualify as third-party service providers about the entity’s status and audit contracts for compliance with the Health Breach Notification Rule.
- Ensure that all consumer PHR identifiable health information is encrypted and secured.
- Audit internal data security and privacy systems to ensure compliance with the Health Breach Notification Rule requirements, including an evaluation of breach notification procedures to ensure compliance with 16 CFR § 318.3-6.
- Continue monitoring announcements from the FTC related to the rule and its enforcement.