October 20, 2021

Volume XI, Number 293

FTC Issues Guidance Clarifying Scope of Its Health Breach Notification Rule for Health Apps and Connected Devices

On September 15, 2021, the Federal Trade Commission issued a Policy Statement to clarify the scope of the FTC’s Health Breach Notification Rule (the “Rule”) as it relates to health apps and connected devices. In its Policy Statement, the FTC emphasized that the Rule was designed to ensure that entities not covered by HIPAA are still held accountable in the event of a breach of consumers’ sensitive health information. The Rule requires vendors of personal health records (“PHR”), PHR-related entities, and service providers to these entities to notify consumers and the FTC (and, in some cases, the media) in the event of a breach of unsecured identifiable health information. Failure to provide such notice can result in civil penalties under the Rule. Although the Rule was established more than a decade ago, in 2009, the FTC has never enforced it.

The Rule covers vendors of PHR that contain individually identifiable health information created or received by “health care providers.” According to the Policy Statement, the developer of a health app or connected device is a “health care provider” under the definitions cross-referenced by the Rule because the developer “furnish[es] health care services or supplies.” The Policy Statement highlights that a “personal health record” (for purposes of determining whether an entity is a vendor of PHR) must be an electronic record that can be drawn from multiple sources. The Policy Statement clarifies that the FTC considers an app to be covered by the Rule if it is capable of drawing information from multiple sources, such as through a combination of consumer inputs and APIs. For example, the Policy Statement states that if an app collects information directly from consumers and has the technical capability to draw information through an API that enables syncing with a consumer’s fitness tracker, it would be covered under the Rule. The Policy Statement further clarifies that even an app that obtains health information from only one source, but can obtain non-health information from other sources, would be covered under the Rule. A cited example of such an app is a blood sugar monitoring app that collects blood sugar levels directly from consumers and obtains calendar dates from the mobile device’s calendar.

The Policy Statement specifically states that a health app’s unauthorized disclosure of sensitive health information would be a “breach of security” under the Rule. The FTC reminds covered entities that a “breach of security” under the Rule is not limited to cybersecurity intrusions or nefarious behavior, but also includes unauthorized access to covered information, including the sharing of covered information without an individual’s authorization.

The FTC put entities on notice that the agency intends to bring actions to enforce the Rule consistent with the Policy Statement, with potential civil penalties of up to $43,792 per violation per day. The Policy Statement specifically mentions apps that track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet and “other vital areas,” noting that companies offering these services “should take appropriate care to secure and protect consumer data.”

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume XI, Number 264
About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...