October 25, 2021

Volume XI, Number 298


Top 5 FAQs on the FTC’s Warning to Health Apps to Report Breaches of Health Data

The Federal Trade Commission (FTC) just released a Policy Statement emphasizing that telemedicine and digital health apps can be held accountable under the Health Breach Notification Rule, even if the company is not subject to HIPAA. Digital health breaches are not limited to hacks and cybersecurity intrusions; they also occur when companies share user health information without the user’s consent. The Policy Statement was issued on the heels of a recent FTC enforcement action and settlement, in which the FTC alleged that the company had misrepresented that it would not share users’ sensitive personal health information with third parties. Members of Congress have also pressured the FTC to use the Health Breach Notification Rule as a tool to protect users from having their sensitive information exploited.

When a health app, for example, discloses sensitive health information without users’ authorization, this is a ‘breach of security’ under the Rule.

– Federal Trade Commission (Sep 15, 2021)

Frequently Asked Questions for Telemedicine & Digital Health Companies under the FTC Health Breach Notification Rule

  1. What information is covered by the Rule? The Rule covers personal health records (PHRs), defined as an electronic record of “identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”

  2. To whom does the Rule apply? The Rule applies to vendors of PHR, PHR-related entities, and their service providers. A vendor of PHR is a business that offers or maintains a PHR, such as a company that collects and stores medical records on behalf of individuals. A PHR-related entity is a business that interacts with vendors of PHR, such as a company that offers an app that helps consumers manage their diabetes by collecting data from a smart glucose meter. Any company that is a HIPAA-covered entity or business associate will not be considered a vendor of PHR or a PHR-related entity. The Rule also applies to service providers, such as data hosting providers.

  3. What does the Rule require? Service providers must notify the vendor of PHR or PHR-related entity of any breach. Entities covered by the Rule must report breaches of unsecured identifiable health information to the affected individuals and to the FTC; if the breach involves the information of 500 or more residents of a particular state, the media must also be notified. Notice must be made within 60 calendar days of discovery of the breach.

  4. Does “breach” mean a cybersecurity incident? The definition is not limited to cybersecurity incidents. The Rule defines “breach of security” as the acquisition of individually identifiable health information without the authorization of the individual. While cybersecurity incidents are included within that definition, the Policy Statement makes clear that sharing individually identifiable health information without an individual’s authorization is a breach that triggers the notification requirements of the Rule. For example, a health app that collects identifiable health information from an individual, such as their unique device identifier along with body mass index, and shares the identifiable information with third parties without adequate authorization from the individual has most likely triggered the Rule.

  5. What should digital health app companies do? Digital health companies that previously may not have considered themselves subject to federal breach notification requirements should re-evaluate their privacy and security policies and procedures, and audit their data use and sharing practices. If the app or company shares health data with a third party, such as a data analytics firm, the company must ensure that it properly provides notice to consumers and obtains clear authorization to share data with each such recipient. Companies should review their online privacy policy and terms of use to ensure that individuals are properly notified of the app’s data sharing practices and that the company properly documents each individual’s consent.

The FTC’s new Policy Statement is not subtle; it is an overt warning to digital health companies that the federal government will investigate and sanction those who share personal health information without obtaining the user’s authorization. Given the FTC’s position in the Policy Statement, the greatest scrutiny will fall on health apps that share health data with third-party analytics services or for purposes of behavioral advertising. Fortunately, companies can take steps now to address their privacy and e-commerce practices and ensure that their policies, terms of use, and patient consent forms all align with these federal requirements.

© 2021 Foley & Lardner LLP. National Law Review, Volume XI, Number 263

About this Author

Jennifer Hennessy, Foley Lardner Law Firm, Privacy Security and Healthcare Attorney
Associate

Jennifer J. Hennessy is a privacy and security and health care regulatory attorney with Foley & Lardner LLP. Her practice includes advising businesses on compliance with state and federal data privacy and security laws. She assists covered entities and business associates in complying with the HIPAA Privacy and Security Rules, and also advises businesses and individuals on compliance with state data privacy laws and federal law 42 C.F.R. Part 2, Confidentiality of Alcohol and Drug Abuse Treatment Records. She frequently guides clients through data incident management...

617-502-3211
Aaron T. Maguregui Health Care Attorney Foley & Lardner Tampa, FL
Special Counsel

Aaron Maguregui is a health care lawyer and member of the firm’s Privacy, Security & Information Management Practice, and national Telemedicine & Digital Health Industry Team. He advises innovative health care and technology companies to solve complex compliance, cybersecurity, data governance, data privacy, and risk management matters. Working with leading health care insurers, government-sponsored managed care organizations, health care providers, and technology companies, he delivers pragmatic legal advice and action-oriented solutions guidance to help clients reach their goals...

813-225-4129
Nathaniel Lacktman, Health Care Attorney, Foley and Lardner Law Firm
Partner

Nathaniel (Nate) Lacktman is a partner and health care lawyer with Foley & Lardner LLP, and a Certified Compliance & Ethics Professional (CCEP). His practice focuses on health care compliance, counseling, enforcement and litigation, as well as telemedicine and telehealth. Mr. Lacktman is a member of the firm’s Health Care Industry Team which was named “Law Firm of the Year — Health Care Law” for three of the past four years on the U.S. News – Best Lawyers® “Best Law Firms” list. 

813-225-4127