The FTC Continues to Draw Attention to the Health Breach Notification Rule
This year has started with the Federal Trade Commission's (FTC) renewed attention to its Health Breach Notification Rule (Breach Rule) and the publication of the Health Privacy resource page to help companies with their compliance efforts. This announcement follows the agency's most recent policy statement clarifying that makers of health and wellness apps that hold consumers' health information generated from consumers and connected devices must comply with the rule.
The FTC's expansive approach extends to the definition of a breach, which, in addition to cybersecurity incidents, would include an app developer's disclosure of an individual's health information without the individual's consent.
Types of Entities Covered Under the Rule
The rule applies to foreign and domestic non-HIPAA-covered vendors of "personal health records that contain individually identifiable health information created or received by health care providers." More specifically, the rule applies to:
1. Vendors of personal health records (PHRs);
2. PHR-related entities; or
3. Third-party service providers for a vendor of PHRs or a PHR-related entity.
The FTC also specified that, according to the Health Insurance Portability & Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act definitions that the rule cross-references, each of the above-mentioned entities is a "health care provider" because they furnish "health care services or supplies."
By classifying the makers of health apps and connected devices as "health care providers," the FTC departs from the conventional meaning of the term, which covers doctors, clinics, psychologists, dentists, pharmacies, and other similar providers of medical and health care services, and seemingly treats every app or device in the health and wellness space as offering a "health care service."
Personal Health Records Covered Under the Rule
Along with its broad definition of health care providers, the FTC's interpretation of a PHR also departs from the mainstream understanding of this term. The FTC defines a PHR as "an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual." The FTC reads this as covering any app capable of drawing information from multiple sources, for example, a health app that collects information directly from a consumer and can also sync with the consumer's fitness tracker.
In addition, the FTC's position is that an app is covered under the rule if it draws any information from multiple sources, even if the health information itself comes from only one source. Therefore, if an app collects health data directly from a consumer (e.g., the consumer's blood sugar levels) and combines it with non-health information from another source (e.g., dates from the consumer's phone calendar), the FTC considers the app subject to the Breach Rule.
The FTC's interpretation of "PHR" deviates from the historic understanding of the term, which referred to an app that stores medical information from multiple sources (e.g., several health care providers' electronic health records) on the individual's behalf. Under the FTC's reading, by contrast, most health and fitness apps fall within the definition.
Compliance Requirements and Penalties
Entities subject to the Breach Rule must provide notice when there has been an unauthorized acquisition of unsecured PHR identifiable health information. According to the FTC, a breach of PHR identifiable health information occurs not only in the event of a cybersecurity intrusion, but also when a consumer's unsecured, individually identifiable health information is disclosed without the consumer's consent.
In case of a breach, the notice must be provided to affected consumers, the FTC, and, in certain cases, the media. Failure to comply with these requirements may result in an enforcement action and civil penalties. In January of this year, the agency announced an increase in the maximum penalty amount from $43,792 to $46,517 per violation per day to account for annual inflation.
Resources
The FTC has compiled resources in the Health Privacy page to provide guidance on the legal obligations of the entities subject to the Breach Rule, applicable cases, blog posts, and other materials.
The page also includes the form that entities covered by the rule may use to report breaches of health information. In the FAQ section, the agency provides further details on its interpretation of the Breach Rule by answering questions that various businesses have raised about the rule, underscoring the widespread implications of the FTC's policy statement.
Considering the extensive use of health and wellness apps that are not subject to HIPAA, and the privacy and security risks they carry, the FTC will likely continue to focus on this area. Health and wellness apps must carefully consider their risks when dealing with a potential "breach," as defined in the FTC's policy statement. We will continue to monitor the FTC's enforcement and any related activity associated with the Breach Rule.