October 20, 2021

Volume XI, Number 293


FTC Personal Health Records Breach Rule Applies to Health App and Connected Device Developers

On September 15, 2021, in response to the “proliferation of apps and connected devices that capture sensitive health data,” the Federal Trade Commission (FTC) issued a Policy Statement (the Statement) offering guidance on the scope of the FTC’s Health Breach Notification Rule (Breach Rule). According to the Statement, the Breach Rule applies outside of the traditional health care context (e.g., health care involving diagnosis and treatment by a licensed health care provider), and the FTC intends to bring enforcement actions for noncompliance, with civil penalties of up to $43,792 per violation, per day.

The Breach Rule implements requirements for personal health records (PHR) under the American Recovery and Reinvestment Act of 2009 (ARRA) and requires notification to consumers, the FTC, and in some cases the media in the event of unauthorized acquisition or disclosure of unsecured “individually identifiable health information” as defined by HIPAA (which means among other things that the information involved would need to be created or received by a health care provider, health plan, employer or health care clearinghouse).

In the Statement, the FTC “clarifies” that under the Breach Rule health apps and connected devices that capture health data are “health care providers” because they “furnish health care services or supplies.” As a result, the Breach Rule broadly applies to a wide range of health apps and connected devices where identifiable health information is involved.

The FTC also takes an expansive view of which electronic records are subject to the Breach Rule. “Personal health record” is defined by the ARRA as an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. In the Statement, the FTC explains that health apps are covered by the Breach Rule if they are capable of drawing information from multiple sources, such as through a combination of consumer inputs and application programming interfaces (APIs), even if some sources do not contain health information, and provides the following examples:

  • An app that collects information directly from consumers and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker; and

  • A blood sugar monitoring app that draws health information from only one source (e.g., a consumer’s inputted blood sugar levels) but also takes non-health information from another source (e.g., dates from the consumer’s phone calendar).

Finally, the FTC took the opportunity to remind PHR vendors that a “breach” is not limited to cybersecurity intrusions or nefarious behavior. Incidents of unauthorized access, including sharing of covered information without an individual’s authorization, trigger notification obligations under the Breach Rule.

©1994-2021 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved. National Law Review, Volume XI, Number 264

About this Author

Lara Compton, Health Care Lawyer, Mintz
Member

Lara is a trusted advisor to clients ranging from traditional health care providers to disrupter digital health platforms as they navigate the practical and regulatory challenges of health care innovation. Her unique depth of knowledge across HIPAA privacy and other regulatory issues governing the use of data, state and federal fraud and abuse laws, business planning and operational issues has led colleagues to describe Lara as the “Swiss Army knife” of health care problem-solving.

Working at the intersection of health care and technology, Lara counsels telemedicine and other...

212.692.6288