The use of apps, wearables, and other devices used to track health and wellness data have continued to rise. The FTC again signaled its focus on this growing industry in a statement on the scope of the Health Breach Notification Rule. In the statement, the FTC called out specific types of apps and trackers that it views as having notification obligations under this rule.
The rule is intended to address those entities that collect health information, but are not covered by HIPAA. Under the rule, vendors of personal health records (PHR) and PHR-related entities must notify consumers, the FTC, and, in some cases, the media, if there has been a breach of unsecured identifiable health information. The statement provides guidance on which health-related apps are subject to the rule, clarifying that newer health apps and fitness trackers would be covered under the rule. Based on this statement, the FTC views developers of health apps or connected devices to be a “health care provider” because it “furnishes health care services of supplies.” As an example, the FTC said a blood sugar monitoring app drawing health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also taking non-health information from another source (e.g., dates from your phone’s calendar), would be covered under the rule. The FTC also clarified that a “breach” includes not only incidents of unauthorized access, but sharing of covered information without an individual’s authorization. In two different dissenting statements, Commissioners Wilson and Phillips generally argued that the FTC is broadly expanding the scope of key terms under the rule (PHR, “multiple source” and breach) and circumventing the rulemaking processes.
Putting it into Practice. The FTC has not enforced the Health Breach Notification Rule since it went into effect. However, this statement, coupled with statements in a more recent FTC enforcement action involving a digital health app, and other enforcement priorities suggests that enforcement is forthcoming. While many of these companies collecting “health” or “medical” information may have otherwise had notification obligations to individuals and/or state attorneys’ general under state data breach notification laws, companies are reminded that they may also have notification obligations to the FTC, and in some cases, the media. Companies that don’t comply with the Health Breach Notification Rule could be subject to up to $43,792 in monetary penalties per violation per day.