June 5, 2023

Volume XIII, Number 156


FTC Warns That Health Apps May Be Subject to the Health Breach Notification Rule

The Federal Trade Commission (“FTC”) recently issued guidance clarifying the protections that apply to the sensitive personal data increasingly collected from consumers by so-called “health apps.” The FTC press release indicated that the Commission approved, by a vote of 3-2, a policy statement advising that organizations using “health applications and connected devices” to “collect or use” consumers’ personal health information must comply with the security, privacy and notification mandates of the Health Breach Notification Rule (the “Rule”).

The FTC’s policy statement, entitled “On Breaches by Health Apps and Other Connected Devices,” attempts to clarify the Rule by stating that mobile health applications and interactive tools used by organizations that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) are regulated by the Rule.[1] Significantly, the FTC’s guidance broadly deems developers of health care apps or connected devices to be “health care providers” subject to the Rule because they “furnish health care services or supplies.” It also clarifies that health apps that collect non-health data (such as calendar dates) alongside health data are within the scope of the Rule. In the wake of the FTC’s statement, any organization that is not covered by HIPAA, but provides or uses mobile or web-based health apps to collect personal health information, should evaluate its coverage under the Rule.

The FTC’s recent expansive view of this Rule—which was initially promulgated pursuant to the 2009 American Recovery and Reinvestment Act—covers many popular mobile health and fitness applications and wearables on the market. For example, the FTC explained that any application that “collects information directly from consumers” and has the “technical capacity to draw information through an API [application programming interface] that enables syncing with a consumer’s fitness tracker” is covered under its interpretation of the Rule. The FTC further stated that “an app that draws information from multiple sources is covered, even if the health information comes from only one source.” Thus, an application that monitors blood sugar and also takes non-health information from the consumer’s phone calendar (i.e., dates) would be covered. The FTC specifically called attention to “apps and other technologies [that] track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas.” The FTC press release noted that the increased use of COVID-19-related health applications informed its policy statement. Entities subject to the Rule may be required to provide notice, including in certain circumstances to the media, in the event of a cybersecurity breach or even in the case of “sharing of covered information without an individual’s authorization.”

The Rule contains definitions that should now be read in light of the policy guidance, applying its provisions to (i) vendors of personal health records (“PHR”); (ii) “PHR related entities”; and (iii) “third party service providers.” The Rule generally requires vendors of personal health records and PHR related entities to notify affected individuals without unreasonable delay, and in no case later than 60 calendar days after discovery of a “breach of security,” and to notify the FTC (within 10 business days of discovery where the breach involves 500 or more individuals). A third party service provider that discovers a breach must notify the vendor or PHR related entity it serves.

A violation is treated as an unfair and deceptive act or practice under the FTC Act which may carry steep civil penalties of up to $43,792 per violation per day. As of the date of the FTC’s policy statement, however, the FTC has not yet enforced the Rule, and, according to the remarks of FTC Commissioner Rohit Chopra, the FTC and the public have been notified only four times about a breach under the Rule since February 2010.

It is also important to note that there remains a dispute about the scope of the Rule even among the FTC’s commissioners, especially because it has not been interpreted in the context of an FTC enforcement action. For example, Commissioner Christine Wilson wrote, in her dissenting statement, that the Rule was narrowly crafted to apply in limited, highly specific circumstances, and that its scope may depend on whether the personal health records at issue interact with personal health records held by a different vendor. In response to the FTC’s use of the moniker “health care provider” when referring to mobile health applications, Ms. Wilson asked: “How broadly does the Commission intend to read this language?” Similarly, Commissioner Noah Joshua Phillips argued in his dissenting statement that the FTC majority goes beyond the text of the Rule in interpreting the definition of “breach of security” to include the unauthorized sharing of covered information.

The FTC’s policy statement also comes during the FTC’s ongoing rulemaking concerning the Rule and the Department of Health and Human Services’ ongoing rulemaking concerning the application of the HIPAA Privacy Rule to mobile health applications. As such, vendors of PHRs should monitor these rulemaking efforts, which could affect the FTC’s current interpretation of the Rule. Nevertheless, companies subject to the Rule under the current interpretation can still take proactive measures to avoid a violation by, among other things, inventorying the categories of data they store and where it flows (including data pulled from third-party APIs such as fitness-tracker integrations), undertaking a cybersecurity risk assessment and a comprehensive review of privacy policies and data-sharing practices, and ensuring the existence of a robust security incident response protocol that can meet the Rule’s notification deadlines. Notably, the breach notification requirement under the Rule generally applies only to a breach of unsecured PHR identifiable health information; under the Rule, information is “unsecured” if it is not protected through a technology or methodology specified in HHS guidance (such as encryption consistent with that guidance), so how data is protected at rest and in transit bears directly on whether an incident is notifiable. In addition, such entities may have notification obligations under applicable state laws. You can reach out to Epstein Becker Green for further guidance, as we will be monitoring the FTC’s enforcement activity closely moving forward.


[1] 16 C.F.R. §318.1 provides that the Rule “applies to foreign and domestic vendors of personal health records, PHR related entities, and third party service providers, irrespective of any jurisdictional tests in the Federal Trade Commission (FTC) Act, that maintain information of U.S. citizens or residents. It does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.” HIPAA covered entities and business associates must instead comply with HHS’s breach notification rule. See Dissenting Statement of Commissioner Christine S. Wilson.

Nija Chappel, a Law Clerk – Admission Pending (not admitted to the practice of law) in the firm’s Washington, D.C. office, contributed to the preparation of this post.

©2023 Epstein Becker & Green, P.C. All rights reserved. National Law Review, Volume XI, Number 293

About this Author

Alexander Franchilli, Epstein Becker Law Firm, Labor and Employment Litigation Attorney

Alexander Franchilli is an Associate in the Employment, Labor & Workforce Management and Litigation practices, in the New York office of Epstein Becker Green. 

Mr. Franchilli’s experience includes:

  • Representing employers in labor and employment law litigation involving breach of employment agreements, promissory notes, wage and hour violations, wrongful termination, and WARN Act violations

  • Litigating cases concerning unfair competition and breaches of non-competition agreements

  • Providing representation to employers in federal...

Brian G. Cesaratto, Epstein Becker, Employment benefits Litigation Lawyer, Workforce Management attorney

BRIAN G. CESARATTO is a Member of the Firm in the Litigation and Employment, Labor & Workforce Management practices, in the New York office of Epstein Becker Green.

Mr. Cesaratto's practice includes complex commercial litigation, criminal defense, internal and law enforcement investigations, employment litigation, and computer and electronic data misappropriation and forensics.

Alaap Shah Attorney Healthcare Life Sciences

Alaap B. Shah is a Member of the Firm in the Health Care and Life Sciences practice, in the firm's Washington, DC, office.

Mr. Shah:

  • Advises clients on federal and state privacy and data security laws and regulations
  • Advises on cybersecurity and data breach matters
  • Advises clients on health care fraud and abuse matters and government investigations relating to health information technology
  • Counsels clients on digital health and data strategies and related compliance issues

His work focuses on defense and counseling...

Patricia M. Wagner, Epstein becker green, health care, life sciences

PATRICIA M. WAGNER is a Member of the Firm in the Health Care and Life Sciences and Litigation practices, in the firm's Washington, DC, office. In 2014, Ms. Wagner was selected to the Washington DC Super Lawyers list in the area of Health Care.

Ms. Wagner's experience includes the following:

Advising clients on a variety of matters related to federal and state antitrust issues 

Representing clients in antitrust matters in front of the Federal Trade Commission and the United States Department of...