FTC Warns Health Apps and Connected Device Companies to Comply with the Health Breach Notification Rule

King & Spalding

On September 15, 2021, the Federal Trade Commission (“FTC”) issued a Policy Statement instructing health app and connected device companies to comply with the Health Breach Notification Rule (“the Rule”). The Rule, codified at 16 C.F.R. Part 318, requires vendors of Personal Health Records (“PHR”) and PHR-related entities to disclose breaches of unsecured identifiable health information to the FTC, consumers, and, in some instances, the media. A “breach of security” under the Rule includes acquisition of unsecured identifiable health information without the authorization of the individual, and “authorization” is not clearly defined.

Since the Rule’s promulgation in 2010, there have been only four reports of breaches by vendors and PHR-related entities. The FTC stated that it intends to start enforcing the Rule, and placed entities “on notice of their ongoing obligation to come clean about breaches.” The Statement is the latest amplification of enforcement aimed at the privacy practices of health app and connected device companies. Earlier this year, in the matter of Flo Health Inc., Commissioners Rohit Chopra and Rebecca Kelly Slaughter issued a joint statement in which they asserted that Flo Health’s failure to notify users that their health data was being shared with Facebook and Google constituted a violation of the Rule, and that the Commission should have enforced it against Flo Health. The September 15 Statement extends this position to formal guidance, stating that “the Health Breach Notification Rule will have its intended effect only if the FTC is willing to enforce it.” In her statement, Chair Khan indicated that the Rule can address the “fundamental problem” that is commodification of sensitive information for purposes of behavioral ads, power user analytics, and surveillance-based advertising.

Applicability of the Rule

The Rule applies to foreign and domestic vendors of personal health records, PHR-related entities, and third-party service providers that maintain information of U.S. citizens or residents. Covered entities and business associates under the Health Insurance Portability and Accountability Act (“HIPAA”) are not subject to the Rule. The FTC has interpreted the Rule to include the developers of health apps as “health care providers” because they “furnish health care services or supplies.” In her statement on the FTC’s action, Chair Khan expressed that the goal of the Rule is to rectify a gap that exists because most health apps are not (or do not believe they are) covered under HIPAA, and many do not comply with the Rule.

A PHR is statutorily defined as an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. If an app is capable of deriving information from multiple sources, including user inputs or an application programming interface (“API”), then it is subject to the Rule, even if the health information is in practice only drawn from one source. One example that the Commission gives is that an app that monitors blood sugar levels from user inputs, and also draws dates from the user’s phone calendar, would be subject to the Rule, as it obtains information from multiple sources. Chair Khan further clarified this position in her comments, saying “health apps that are capable only of collecting data from users directly—in other words, apps that are not capable of drawing data from multiple sources—are not covered by the Rule.”

Breach of Security Under the Rule

The term “breach of security,” as defined in the Rule, does not only mean a cybersecurity failure or the result of “nefarious activity,” but also applies to the sharing of protected data without the consent of the user. Sharing data with advertisers or other third parties without obtaining proper authorization constitutes a breach of security and would trigger a covered entity’s notice obligations under the Rule. Notably, “authorization” is not clearly defined. In its analysis of comments to the final Rule, the FTC queried whether consumers can “be said to have authorized” dissemination of their data if “a privacy policy contains buried disclosures describing extensive dissemination of consumers’ data.” The FTC took the position that “an entity’s use of information to enhance individuals’ experience with their PHR would be within the scope of the individuals’ authorization, as long as such use is consistent with the entity’s disclosures and individuals’ reasonable expectations.” It included a number of examples of authorized uses: “communication of information to the consumer, data processing, or Web design.” But it warned that, “[b]eyond such uses,” the FTC expected vendors of PHR and PHR-related entities to “limit the sharing of consumers’ information, unless the consumers exercise meaningful choice in consenting to such sharing.” “Buried disclosures in lengthy privacy policies,” the FTC concluded, “do not satisfy the standard of ‘meaningful choice.’”

Upon discovery of a breach of security, an entity covered by the Rule is obligated to notify each affected United States citizen, as well as the FTC. If fewer than 500 consumers were affected, then the entity must provide notice to affected individuals and to the FTC no less than 60 days after the breach is discovered. If 500 or more individuals were affected, the entity must report the breach to the Commission within ten business days, and to individuals within 60 days of discovering the breach. If 500 or more individuals in the same state or jurisdiction were affected by the breach, the entity must also report the breach to prominent media outlets within the jurisdiction within 60 days.

Implications

As noted above, the FTC’s Statement is the latest in a series of enforcement actions taken against health technology companies to curb the use of health information for marketing and analytics purposes. The enforcement of the Rule means that entities will now be responsible for the reporting of certain breaches under the Rule, in addition to any reporting obligations under applicable state breach notification laws and potentially HIPAA. Further, entities that are subject to the Rule should ensure that their interactions with individuals provide sufficient “authorization” to collect, use, and disclose the data.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
