FTC Warns Health Apps, Connected Device Companies to Comply with Health Breach Notification Rule

September 22, 2021

By: Lewis Brisbois' Data Privacy & Cybersecurity Team 

On September 15, 2021, the Federal Trade Commission (FTC) released a policy statement to offer guidance on the scope of its Health Breach Notification Rule (the Rule) as it applies to health applications and connected devices. The Rule, issued in 2009, holds entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) accountable when consumers’ sensitive health information that has been entrusted to them is compromised. The policy statement clarifies that the Rule reaches mobile health applications and connected devices, and it puts those entities on notice of their obligation to notify affected consumers, the FTC and, in some cases, the media when a breach occurs.

The Rule covers vendors of personal health records that contain “individually identifiable health information” created or received by healthcare providers. The Rule is triggered when a covered entity experiences a breach of security, which is defined as the acquisition of such information without the authorization of the individual. The FTC’s position is that the developer of a health application or connected device is a “healthcare provider” under this definition because it furnishes healthcare services or supplies. Taken together, this means that when a health application discloses a user’s sensitive health information without first obtaining the user’s authorization, that disclosure is itself a breach of security under the Rule. The breach need not result from an external intrusion; the app’s own unauthorized sharing of the data is enough to trigger the notification obligation.

The FTC considers an application to be covered by the Rule if it is capable of drawing information from multiple sources. A mobile application is therefore covered if it collects information directly from the consumer and can also draw information from a synced device, such as a fitness tracker. What matters is the capability, not actual use: an application that can draw from multiple sources remains covered even if the personal health information it holds was in fact taken from only one of them.

Ultimately, the FTC has warned that it is prepared to bring actions to enforce the Rule’s application to these health apps and connected devices. As more Americans turn to mobile apps to track health information, entities offering these services should take appropriate care to protect consumer health information.
