Privacy & Information Security Law Blog

On September 15, 2021, the Federal Trade Commission issued a Policy Statement to clarify the scope of the FTC’s Health Breach Notification Rule (the “Rule”) as it relates to health apps and connected devices. In its Policy Statement, the FTC emphasized that the Rule was designed to ensure that entities not covered under HIPAA must still be held accountable in the event of a breach of consumers’ sensitive health information. The Rule requires vendors of personal health records (“PHR”), PHR related entities, and service providers to these entities, to notify consumers and the FTC (and, in some cases, the media) in the event of a breach of unsecured identifiable health information. Failure to provide such notice can result in civil penalties under the Rule. While the Rule was established more than a decade ago, in 2009, it has never been enforced by the FTC.

The Rule covers vendors of PHR that contain individually identifiable health information created or received by “health care providers.” According to the Policy Statement, the developer of a health app or connected device is a “health care provider” under the definitions cross-referenced by the Rule because the developer “furnish[es] health care services or supplies.” The Policy Statement highlights that the definition of “personal health record” (for purposes of determining if an entity is a vendor of PHR) must be an electronic record that can be drawn from multiple sources. The Policy Statement clarifies that the FTC considers apps to be covered by the Rule if they are capable of drawing information from multiple sources, such as through a combination of consumer inputs and APIs. The Policy Statement states, for example, that if an app collects information directly from consumers and has the technical capability to draw information through an API that enables syncing with a consumer’s fitness tracker, it would be covered under the Rule. The Policy Statement clarifies that even an app that obtains health information from only one source, but can obtain non-health information from other sources, would be covered under the Rule. A cited example of such an app is a blood monitoring app that collects blood sugar levels directly from consumers and obtains calendar dates from the mobile device’s calendar.

The Policy Statement specifically states that a health app’s unauthorized disclosure of sensitive health information would be a “breach of security” under the Rule.  The FTC reminds covered entities that a “breach of security” under the Rule is not limited to cybersecurity intrusions or nefarious behavior, but also includes unauthorized access to covered information, including the sharing of covered information without an individual’s authorization.

The FTC put entities on notice that the agency intends to bring actions to enforce the Rule consistent with the Policy Statement, with potential civil penalties of up to $43,792 per violation per day. The Policy Statement specifically mentions apps that track diseases, diagnoses, treatment, medications, fitness, fertility, sleep mental health, diet and “other vital areas,” noting that companies offering these services “should take appropriate care to secure and protect consumer data.”