The U.S. Federal Trade Commission (FTC) issued a policy statement on Sept. 15, 2021, warning that the decade-old Health Breach Notification Rule (the rule), which applies to companies that handle personal health records or collect health data, requires those companies to notify consumers, the FTC and, in some cases, the media about data breaches. “In practical terms, this means that entities covered by the rule who have experienced breaches cannot conceal this fact from those who have entrusted them with sensitive health information.”
Introduced in 2009 as part of the American Recovery and Reinvestment Act of 2009, the rule extends to entities that are not subject to the Health Insurance Portability and Accountability Act but may operate in the healthcare space. During an open meeting on Wednesday, by a vote of 3-2, the FTC clarified the reach of the rule, indicating that it applies to health apps and devices that often “fail to invest in data security, leaving users exposed.” The FTC specifically called out health apps and wearable devices that track diseases, diagnoses, treatments, medications, fitness, fertility, sleep, mental health, diet, and other vital areas.
Generally, apps are subject to the rule if they are capable of obtaining health records from multiple sources. For example, if an app uses information that has been input by a user, along with data retrieved through an application programming interface from the fitness tracker or calendar on that person’s phone, it would be covered by the rule. The policy statement comes at a time when, as the FTC points out, the COVID-19 pandemic has caused an increase in telemedicine and the general use of Internet-based health tracking. “While this rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics.”
The lack of consensus on the policy, reflected in the 3-2 vote, led the two opposing Commissioners to issue dissenting opinions. Commissioner Noah Phillips raised concerns that the policy statement was issued while the FTC is in the midst of a larger, more complicated rulemaking process. “The majority surely believe the result they adopt is what consumers of health apps want and need,” Phillips wrote. “But the right way to go about it is to conclude the ongoing rulemaking process, especially when the statutory and regulatory interpretation on which the majority rely is far from clear.”
The FTC plans to enforce compliance with the rule by imposing financial penalties that can be as high as $43,792 per violation per day. The planned enforcement with penalties is seemingly more than a threat, because a Sept. 14, 2021 vote in the U.S. House Committee on Energy and Commerce saw the FTC being awarded $1 billion over 10 years to address “unfair or deceptive acts or practices relating to privacy, data security, identity theft, data abuses and similar matters.”