FTC’s health data breach rule covers apps, fitness trackers, agency says

The Federal Trade Commission is taking a closer look at how health apps and internet-connected medical devices handle and safeguard the data they collect, the agency made clear Wednesday.
The FTC issued a policy statement on the scope of its Health Breach Notification Rule, a regulation from 2009 that requires personal health records vendors and related companies that collect health data but aren’t covered by the Health Insurance Portability and Accountability Act to notify users of data breaches.
The new guidance clarifies that the rule not only covers personal health records but also newer health apps and fitness trackers.
Apps that collect fertility, glucose, heart, and other health data have proliferated in recent years, without the safeguards afforded by HIPAA.
Digital health companies collectively raised $14.9 billion in the first half of 2021, a record for the sector, according to data from Mercom Capital Group. Health app companies collected $1.6 billion from those investments.
The FTC may look beyond cybersecurity incidents and investigate how the companies themselves use the information they gather on their customers, FTC Chair Lina Khan said in a news release.
“While this rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” Khan said. “The commission should be scrutinizing what data is being collected in the first place.”
Under the FTC’s Health Breach Notification Rule, companies are required to notify customers and the agency within 60 days of an incident. When breaches affect more than 500 people, companies must notify the FTC within 10 business days. That’s separate from HIPAA, which only applies to healthcare providers, insurers, and their business associates.
The policy statement “seems to be a pretty clear statement that enforcement is coming,” said Valerie Montague, a partner at the law firm Nixon Peabody who focuses on health data privacy and security. And breaches aren’t limited to security incidents or hacks because the FTC also defines a “breach” as a company disclosing a user’s health data without permission, she said.
Companies covered by the rule should review their practices to determine how they’re using health data and ensure they have permission from users where needed, Montague said.
“Patient authorization or individual authorization is always the gold standard, and gives you the greatest flexibility to use information in the way that you want to,” Montague said.
Companies that don’t comply with the Health Breach Notification Rule could be subject to up to $43,792 in monetary penalties per violation per day.
The FTC has not enforced the Health Breach Notification Rule since it went into effect. But the agency plans to do so, consistent with the new policy statement.
The fact that the FTC has fallen behind in enforcing the rule is “disheartening,” said Lani Dornfeld, an attorney at the law firm Brach Eichler who focuses on healthcare regulations and compliance. Without notifications about data breaches, customers don’t have opportunities to protect themselves, she said.
The FTC could already be eying companies that may not be in compliance, Dornfeld said. “They issued this because they have concerns,” she said. “I think we’re going to see some activity.”
The FTC voted 3-2 to approve the policy statement, with the agency’s three Democratic commissioners voting in favor and the two Republican commissioners opposing.
Noah Joshua Phillips and Christine Wilson, the commissioners who voted against the policy statement, argued it broadened the scope of health tools covered by the rule without statutory authority. The commissioners also said the new policy statement interferes with an ongoing process to update the Health Breach Notification Rule, which the FTC requested public comments on last year.
Privacy has been a growing area of concern about apps and other technology tools.
In June, the FTC finalized a settlement with fertility tracker Flo Health, which allegedly shared personal health data with marketing and analytics firms like Facebook and Google.
The following month, an investigation by a software company found several popular opioid treatment recovery apps were sharing sensitive user data with third parties. And ahead of data-sharing regulations from the Health and Human Services Department going into effect earlier this year, provider groups raised concerns about patients using apps that aren’t covered by HIPAA to access health data.