FTC Issues Policy Statement Expanding Interpretation of Health Breach Notification Rule's Scope
On September 15, 2021, the Federal Trade Commission (FTC) voted 3–2 along party lines (with Republican commissioners dissenting) to issue a policy statement announcing an expansive interpretation of the FTC’s Health Breach Notification Rule, 16 CFR Part 318 (the Rule). According to the policy statement, the Rule applies to health apps and connected devices that are not subject to the Health Insurance Portability and Accountability Act (HIPAA) but are capable of drawing information from multiple sources—for example, through a combination of consumer inputs and application programming interfaces (APIs).
The Rule was first promulgated by the FTC in 2010 and does not apply to HIPAA covered entities or business associates (acting in their capacity as a business associate). The Rule requires vendors of personal health records (PHR), PHR-related entities and third-party service providers of PHR vendors to notify US consumers, the FTC and, in some cases, the media if a breach of unsecured identifiable health information occurs. The Rule imposes civil penalties of $43,792 per day, per violation. Since the Rule took effect more than a decade ago, the FTC has received only four notifications under the Rule and has not initiated any enforcement actions.
The Rule defines a PHR as an electronic record of individually identifiable health information that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for an individual. The Rule cross-references the HIPAA definition of individually identifiable health information, which, in relevant part, is defined as information that is created or received by a healthcare provider, health plan or healthcare clearinghouse, and relates to the past, present or future physical or mental health or condition of an individual, the provision of healthcare to an individual, or payment for the provision of healthcare to an individual.
During the FTC’s virtual meeting on September 15, 2021, the commissioners voted 3–2 along party lines to approve the policy statement, which clarifies the FTC’s position that:
Developers of mobile health apps or connected devices are healthcare providers for purposes of the Rule because the developer furnishes healthcare services or supplies by offering the app or connected device; and
Any mobile health app is covered by the Rule if it is capable of drawing information from multiple sources, even if health information is collected from only one source.
The FTC provided specific examples of apps subject to the Rule, explaining that an app is covered if it collects information directly from consumers and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker. The FTC also clarified that the Rule applies to apps that pull information from multiple sources, even if only one of those sources provides health information (e.g., an app that collects health information inputted by a consumer and also gathers non-health information from another source, such as dates from the consumer’s phone calendar).
The policy statement also reminds developers of mobile health apps or connected devices that a breach under the Rule is not limited to cybersecurity intrusions or nefarious behavior, but can also include incidents of unauthorized access, such as sharing of covered information without an individual’s authorization.
The policy statement concludes by stating that the FTC expects to begin enforcing the Rule consistent with this new guidance.
In separate statements, the dissenting Republican FTC commissioners asserted that the FTC’s interpretation was too expansive and raised procedural concerns about the use of a policy statement to outline the scope of the Rule. The dissenting commissioners argued that the statement served as an “end run” around ongoing rulemaking processes, including a public comment period the FTC opened in May 2020 regarding potential modifications to the Rule that specifically requested comments on whether the Rule’s definitions should be modified and potential enforcement implications raised by the proliferation of direct-to-consumer mobile health apps and platform health tools.
The policy statement has broad implications for mobile health, fitness and other apps that fall within the scope of this new guidance. For example, a covered app developer’s disclosure of individually identifiable health information to a third-party analytics provider without the consumer’s authorization likely triggers the breach notification provisions of the Rule, unless the entity “has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.”
Developers of mobile health apps and connected devices should evaluate their products and services in light of this policy statement, including whether to obtain individual authorization for disclosures of individually identifiable health information made by the developer.
The policy statement will likely gain considerable attention in the digital health community. We will continue to monitor FTC enforcement activity and any related litigation.