June 29, 2022

Volume XII, Number 180

FTC Continues to Signal Interest in Digital Health Industry, Publishing Updated Resources

The FTC recently published two new resources for complying with the Health Breach Notification Rule. The Rule requires vendors of personal health records (PHR), PHR-related entities, and service providers to these entities to notify consumers and the FTC (and, in some cases, the media) in the event of a breach of unsecured identifiable health information. The guidance reaffirms and adds further clarity to the Agency’s broad interpretation of the Rule released in its policy statement last fall.

The shorter guidance largely provides a high-level overview of the Rule. The second, lengthier guidance provides more detail about applicability of the Rule, what triggers notification, and notification requirements in the event of a breach. It also provides answers to questions asked about the Rule. This new guidance confirms the FTC’s position that breaches are not limited to just cybersecurity intrusions. A breach also includes incidents of unauthorized access, including sharing of covered information without authorization. A settlement from last year with a popular fertility tracking app demonstrates how broadly the FTC may interpret such “sharing.” The guidance also clarifies that the Rule preempts contradictory state breach notification laws. But it does not preempt state laws that impose additional, non-contradictory breach notification requirements.

Putting it into Practice. Health and wellness apps and wearables that sit outside of HIPAA are reminded of other requirements they may have from the FTC. This includes considerations under unfair and deceptive trade practice laws (Section 5) as well as the Health Breach Notification Rule. In light of the broad interpretation of “breach” under this Rule, companies should consider auditing all instances of “sharing” of health information. Companies in this space are also reminded of potential obligations under upcoming state privacy laws (California, Colorado, and Virginia).

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XII, Number 74

About this Author

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...
