February 2, 2023

Volume XIII, Number 33

FTC Policy Statement: Mobile Health Apps Must Comply with Health Breach Notification Rule

The FTC’s recent policy statement on the Health Breach Notification Rule (the “Rule”) substantially impacts the consumer-facing digital health industry by significantly expanding (a) the scope of entities subject to the Rule and (b) data practices that constitute a breach. Under the new guidance, any entity that collects health data from both a connected device and the consumer (excluding entities already subject to HIPAA) will be treated as a “vendor of Personal Health Records” (“PHR Vendor”) subject to the Rule. Moreover, PHR Vendors that share such information without the individual’s authorization will trigger the Rule’s breach notification requirements.

PHR Vendors Include Health Apps, Too

The Rule applies to PHR Vendors, PHR related entities, and their third party service providers that collect data about an individual from multiple sources – excluding entities that are subject to HIPAA. The “multiple sources” requirement was historically interpreted to require collecting information from more than one entity (such as from multiple distinct health apps). In its policy statement, however, the FTC explained that “multiple sources” also includes data collected from a single consumer through more than one mechanism – e.g., a health app may be a PHR Vendor if it collects information from a consumer directly and from a connected device the consumer uses in connection with the app. As another example, an app that collects health data directly from the consumer (e.g., blood sugar levels) that it combines with other non-health data from other sources (e.g., dates from the consumer’s phone calendar) is also a PHR Vendor subject to the Rule.

Sharing Consumer Data Without Authorization is a “Breach” Under the Rule

The FTC also emphasized that sharing users’ information with third parties without the user’s authorization could be a “breach” under the Rule. Earlier in 2021, the FTC alleged that a fertility tracking app failed to safeguard users’ health data by, among other things, sharing users’ sensitive health data with third party marketing and analytics service providers. Although the FTC did not allege violations of the Rule in its complaint against the fertility tracking app, some of the commissioners at the time expressed the view that the fertility tracking app’s actions should have constituted a breach under the Rule. The FTC’s subsequent policy statement regarding the Rule now confirms that the FTC interprets “breach” to encompass both “cybersecurity intrusions or nefarious behavior” as well as situations involving “sharing of covered information without an individual’s authorization.”

Summary of the Rule

  1. Applicability: The Rule exempts entities subject to the HIPAA Breach Notification Rule. The Rule applies to non-U.S. based businesses that maintain data about U.S. citizens and residents.

  2. Requirements: When a qualifying vendor of PHR or PHR related entity suffers a breach of unsecured PHR, the entity must send breach notices. Businesses must also notify the FTC within 10 days if the breach impacts over 500 people (otherwise, notification is required to the FTC and individuals “without unreasonable delay” but in no event later than 60 days). Under the Rule, a breach is “discovered” on the first day it is known by any person, other than the individual committing the breach, who is an employee, officer or agent of the affected business. Third party service providers must provide breach notice to affected vendors of PHR and PHR related entities.

  3. Penalties: The FTC announced at the beginning of 2022 that it adjusted the maximum civil penalty amount to $46,517 per violation per day to account for annual inflation. The maximum civil penalty amount was previously $43,792 per violation per day.

© Copyright 2023 Squire Patton Boggs (US) LLP
National Law Review, Volume XII, Number 20

About this Author

Gicel Tomimbang, Associate Attorney, Data Privacy & Cybersecurity, Squire Patton Boggs LLP (Los Angeles, California)

Gicel Tomimbang is an associate in the Data Privacy, Cybersecurity & Digital Assets Practice.

A significant portion of Gicel’s practice focuses on the intersection of healthcare with privacy. Clients frequently turn to her for advice and counsel on complex issues that arise under the Health Insurance Portability and Accountability Act (HIPAA), the Confidentiality of Medical Information Act (CMIA), the California Consumer Privacy Act (CCPA), the FTC Act and the FTC Health Breach Notification Rule.

Gicel previously...

Kristin L. Bryan, Senior Associate, Litigation, Squire Patton Boggs (Cleveland, OH & New York, NY)

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

Elliot Golding, Privacy and Cybersecurity Attorney, Squire Patton Boggs

Elliot Golding (CIPP/US) is a member of our Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He has been selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, representing the best of the data law bar around the world.

Elliot partners with clients to proactively manage risk by developing and implementing information governance programs,...