In an effort to formalize its Sept. 15, 2021, Statement of the Commission on Breaches by Health Apps and Other Connected Devices, as previously discussed in a McGuireWoods Oct. 5, 2021, alert, the Federal Trade Commission (FTC) released a notice of proposed rulemaking on May 18, 2023. The proposed rule would broaden the Health Breach Notification Rule (HBNR) to cover “most health apps and similar technologies that are not covered by HIPAA.”
The proposed rule is intended to better align the HBNR with recent technological advancements and mobile applications that access personal health data. As such, the proposed rule (i) modifies several key definitions to clarify the inclusion of various forms of technology, such as digital health platforms, mobile applications and other similar software programs; (ii) clarifies the HBNR’s applicability to non-HIPAA-covered developers of health apps and similar technologies; and (iii) updates the permissible methods of notice and expands the notice content requirements. The FTC now seeks public input on whether the proposed rule sufficiently accomplishes these objectives.
The HBNR applies to vendors of personal health records (PHR) not covered by the Health Insurance Portability and Accountability Act (HIPAA) and requires such vendors to notify the FTC, individuals impacted and, in certain cases, the media “following the discovery of a breach of unsecured PHR identifiable health information that is in a personal health record maintained or offered by such vendor.”
The FTC has taken two widely publicized enforcement actions for violations of the HBNR. In the first enforcement action, the FTC announced that GoodRx, a digital health company, will pay a $1.5 million civil penalty for its failure to report the unauthorized disclosure of consumer health data — as required by the HBNR — to companies such as Meta, Criteo and Google for advertising purposes, and GoodRx will be prohibited from sharing user health data with such third parties for advertising.
In the second enforcement action, the FTC announced that Easy Healthcare, the company operating the fertility-tracking app Premom, shared users’ personal and health information with third parties without the users’ consent and failed to notify users of the disclosures. As a result, Easy Healthcare will, among other things, pay a $100,000 civil penalty and will be permanently banned from sharing personal health data with third parties for advertising.
The FTC notes that these recent enforcement actions are meant to discourage “dark patterns” of subverting a user from informedly consenting to sharing health information. Examples of such practices include placing information relevant to consent in the boilerplate of the terms and conditions, manipulating the user interface so a user must click through multiple screens to decline consent, or deceiving users through excessive legalese.
To ensure a user’s informed decision-making is protected when engaging with a PHR vendor, the FTC seeks comment on, among other things, what constitutes an acceptable method of user authorization, particularly when unauthorized sharing occurs. The FTC’s discussion indicates that it may require a PHR vendor or PHR-related entity to do more than (i) ask in the boilerplate of an app’s terms and conditions for an individual’s authorization to share information, or (ii) prompt a user to merely click “agree” when consenting to an app’s terms and conditions.
The proposed rule amends HBNR definitions to account for advancements in technology such that apps providing healthcare services or supplies would qualify as healthcare providers. As a result, these changes subject apps to the HBNR. Some key definitions that the proposed rule modifies include (i) more closely aligning “PHR Identifiable Information” and “Health Care Provider” with the HIPAA definitions of PHI and healthcare provider; (ii) expanding “health care services or supplies” to include online services, apps and other internet-connected devices capable of tracking health conditions, vital signs, fertility, sleep, mental health, diet, genetic information, wellness or health-related services; (iii) describing that the unauthorized sharing of a PHR with third parties can be considered a “breach of security” and that the breach need not be nefarious in nature; and (iv) clarifying that an online service or app is a PHR-related entity.
The proposed rule states that apps that have the “technical capacity to draw information” can be considered PHRs. Specifically, the proposed rule provides that a product is a PHR if it has the ability to draw PHR information from multiple sources, even if the consumer elects not to use this feature of the online service or app. This would include medical wearables such as ECG monitors, glucose meters, blood pressure monitors, smart watches and smart eyeglasses.
Further, the proposed rule seeks to expand the methods for the provision of an acceptable HBNR notice by including email. The notice must be clear and conspicuous, and vendors must obtain consumer consent that email is the consumer’s preferred form of communication. The proposed rule defines “electronic mail” as “email in combination with one or more of the following: text message, within-application messaging, or electronic banner.” Exemplar notices can be found in Appendix A of the proposed rule. Regarding the content of the notice, in the event of a breach, the proposed rule would require PHR vendors to include a brief description of the potential harm that may result from the breach.
The FTC has already signaled its willingness to enforce the HBNR, and the proposed rule attempts to align the FTC’s expansive HBNR interpretation with the FTC’s enforcement actions. These enforcement actions and the proposed rule illustrate that the FTC (i) intends to strengthen HBNR’s applicability to keep up with recent technological advancements, and (ii) is committed to regulating the use of digital health platforms, apps and other similar software programs that collect, use, store and share personal health data, particularly where companies use such data for marketing or analytics.
McGuireWoods attorneys track updates in digital health and healthcare privacy. For more information on how the HBNR and proposed rule may apply to you and the potential implications, or if you would like assistance submitting a comment on the proposed rule, please contact any of the authors of this article.
Comments on the proposed rule may be submitted electronically through the Federal eRulemaking Portal or by mail. They must be submitted by Aug. 8, 2023.