FTC Issues Policy Statement on Privacy Breaches by Connected Health Apps and Signals Greater Enforcement

Wiley Rein LLP
In a 3-2 vote, the Federal Trade Commission (FTC) adopted a Policy Statement emphasizing that vendors who operate health apps and other connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule (HBNR). In its statement, the FTC noted that its “Health Breach Notification Rule helps to ensure that entities who are not covered by the Health Insurance Portability and Accountability Act (HIPAA) nevertheless face accountability when consumers’ sensitive health information is compromised.” Not only does the Policy Statement signal the FTC’s commitment to use additional enforcement tools when consumers’ sensitive health information is at issue, it also expresses the FTC’s intent to use the HBNR against vendors of personal health records and related entities in instances where consumers’ health information has been compromised.

Among other things, the Policy Statement provides more guidance on which health-related apps are subject to the Rule, noting that the FTC “considers apps covered by the Rule if they are capable of drawing information from multiple sources, such as through a combination of consumer inputs and application programming interfaces.” The Statement also notes that, under the Commission’s interpretation, a “breach” is not just a cybersecurity intrusion, but also “unauthorized access, including sharing of covered information without an individual’s authorization.” The Statement concludes by noting that the “Commission intends to bring actions to enforce the Rule consistent with this Policy Statement.”

Commissioners Christine Wilson and Noah Phillips dissented from issuing the Statement. While both Commissioners stressed during the hearing that they too wish to protect sensitive health information, they took issue with the majority’s process. Both orally at the hearing and in written dissents, they expressed concern with what, in their view, represents unilateral action to expand the FTC’s authority contrary to existing guidance, arguing that the FTC’s interpretation circumvents ongoing rulemaking processes and should have been made in coordination with other agencies with overlapping or related enforcement authority, namely the Social Security Administration and Health and Human Services.

The FTC has never brought a public enforcement action enforcing the HBNR, but Commissioners Rebecca Slaughter and Rohit Chopra have identified enforcement as a priority. In the context of the Flo Health settlement earlier this year, in a joint statement, Commissioners Slaughter and Chopra argued that a HBNR count should have been included, emphasizing that the FTC expects that companies handling sensitive health information will prioritize privacy and security and arguing that with respect to the HBNR, “[w]here Congress has given us rulemaking authority, we should use it.” 

The HBNR, which applies to vendors of personal health records and related entities not covered by HIPAA, requires notice to individuals, FTC, and, in some cases, the media, if there has been an unauthorized disclosure of health information. If more than 500 individuals are affected by a breach, for example, entities must notify the FTC within 10 business days. The FTC can assess civil penalties of up to $43,792 per violation.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Wiley Rein LLP