FTC Issues Policy Statement Expanding Interpretation of Health Breach Notification Rule's Scope

FTC Issues Policy Statement Expanding Interpretation of Health Breach Notification Rule's Scope
Monday, September 20, 2021

On September 15, 2021, the Federal Trade Commission (FTC) voted 3–2 along party lines (with Republican commissioners dissenting) to issue a policy statement announcing an expansive interpretation of the FTC’s Health Breach Notification Rule, 16 CFR Part 318 (the Rule). According to the policy statement, the Rule applies to health apps and connected devices that are not subject to the Health Insurance Portability and Accountability Act (HIPAA) but are capable of drawing information from multiple sources—for example, through a combination of consumer inputs and application programming interfaces (APIs).

IN DEPTH

The Rule was first promulgated by the FTC in 2010 and does not apply to HIPAA covered entities or business associates (acting in their capacity as a business associate). The Rule requires vendors of personal health records (PHR), PHR-related entities and third-party service providers of PHR vendors to notify US consumers, the FTC and, in some cases, the media if a breach of unsecured identifiable health information occurs. The Rule imposes civil penalties of $43,792 per day, per violation. Since the Rule took effect more than a decade ago, the FTC has received only four notifications under the Rule and has not initiated any enforcement actions.

The Rule defines a PHR as an electronic record of individually identifiable health information that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for an individual. The Rule cross-references the HIPAA definition of individually identifiable health information, which, in relevant part, is defined as information that is created or received by a healthcare provider, health plan or healthcare clearinghouse, and relates to the past, present or future physical or mental health or condition of an individual, the provision of healthcare to an individual, or payment for the provision of healthcare to an individual.

During the FTC’s virtual meeting on September 15, 2021, the commissioners voted 3–2 along party lines to approve the policy statement, which clarifies the FTC’s position that:

  • Developers of mobile health apps or connected devices are healthcare providers for purposes of the Rule because the developer furnishes healthcare services or supplies by offering the app or connected device; and

  • Any mobile health app is covered by the Rule if it is capable of drawing information from multiple sources, even if health information is collected from only one source.

The FTC provided specific examples of apps subject to the Rule, explaining that an app is covered if it collects information directly from consumers and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker. The FTC also clarified that the Rule applies to apps that pull information from multiple sources, even if only one of those sources provides health information (e.g., an app that collects health information inputted by a consumer and also gathers non-health information from another source, such as dates from the consumer’s phone calendar).

The policy statement also reminds developers of mobile health apps or connected devices that a breach under the Rule is not limited to cybersecurity intrusions or nefarious behavior, but can also include incidents of unauthorized access, such as sharing of covered information without an individual’s authorization.

The policy statement concludes by stating that the FTC expects to begin enforcing the Rule consistent with this new guidance.

In separate statements, the dissenting Republican FTC commissioners asserted that the FTC’s interpretation was too expansive and raised procedural concerns about the use of a policy statement to outline the scope of the Rule. The dissenting commissioners argued that the statement served as an “end run” around ongoing rulemaking processes, including a public comment period the FTC opened in May 2020 regarding potential modifications to the Rule that specifically requested comments on whether the Rule’s definitions should be modified and potential enforcement implications raised by the proliferation of direct-to-consumer mobile health apps and platform health tools.

Next Steps

The policy statement has broad implications for mobile health, fitness and other apps that fall within the scope of this new guidance. For example, a covered app developer’s disclosure of individually identifiable health information to a third-party analytics provider without the consumer’s authorization likely triggers the breach notification provisions of the Rule, unless the entity “has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.”

Developers of mobile health apps and connected devices should evaluate their products and services in light of this policy statement, including whether to obtain individual authorization for disclosures of individually identifiable health information made by the developer.

The policy statement will likely gain considerable attention in the digital health community. We will continue to monitor FTC enforcement activity and any related litigation.

© 2024 McDermott Will & Emery

Current Legal Analysis

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is www.NatLawReview.com  intended to be  a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.

The National Law Review - National Law Forum LLC 3 Grant Square #141 Hinsdale, IL 60521  Telephone  (708) 357-3317 or toll free (877) 357-3317.  If you would ike to contact us via email please click here.

Copyright ©2024 National Law Forum, LLC