FTC Applies HIPAA-like Breach Notification Requirements to Health Apps and Connected Device Companies

Last week, the FTC came out with a statement clarifying the intent of its Health Breach Notification Rule when it comes to health apps and connected devices.  The key point is that health apps and other connected health devices that are breached are going to be subject to notification requirements similar to those a HIPAA covered entity would have to meet.

What many people miss in this is that HIPAA only applies to covered entities and their business associates.  This largely means provider organizations and payers, and the companies that house patients’ PHI (Protected Health Information) for them.  This means that the HIPAA protections don’t apply to something like a direct-to-consumer health app.  With this FTC statement, these types of health apps would now be subject to disclosing a breach to patients and the media, similar to HIPAA.

The statement does require the app to be an electronic health record that “can be drawn from multiple sources.”  This applies to almost every digital health app out there, since user input and any sort of external data input, including a wearable device, would constitute two sources.  The FTC also clarifies: ‘Under the definitions cross-referenced by the Rule, the developer of a health app or connected device is a “health care provider” because it “furnish[es] health care services or supplies.”’

The statement also clarifies that ‘When a health app, for example, discloses sensitive health information without users’ authorization, this is a “breach of security” under the Rule.’  That means it doesn’t have to be a breach by a hacker.  It could also be an internal breach of the information, similar to HIPAA breaches.

Companies that fail to comply with this rule could be subject to penalties of up to $43,792 per violation per day.  I wonder if the FTC will work with OCR to add these breaches to the HHS Wall of Shame (Officially called the Breach Portal).

Long story short, if you’re a health app provider or have a connected device, you had better take security seriously and notify your users when a breach occurs.  Otherwise, you’ll be subject to penalties from the FTC.  I have little doubt that this is just the first of many steps to apply HIPAA-like protections to health data outside of a HIPAA covered entity.

In fact, FTC Chair Lina M. Khan said:

“While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics. Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”

While this is the start of the conversation, it’s a clear indication of where it’s heading.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.
