If you are not familiar with the FTC’s Health Breach Notification Rule, you are not alone. Issued in 2009, it has never been enforced. That may now change. In a recent Policy Statement, the FTC is putting a new spotlight on the Rule, explaining that the Rule applies to health apps and connected devices that are not otherwise covered by the Health Insurance Portability and Accountability Act (“HIPAA”). The “explosion in health apps and connected devices makes [the Rule’s] requirements with respect to [health apps and connected devices] more important than ever,” the FTC said, in a clear push to make the Rule relevant again. If enforced, it would fill a significant gap in notification requirements affecting the vast health app ecosystem not otherwise within the scope of HIPAA.
Scope of the Rule
The FTC’s Policy Statement explains that the Rule covers apps and connected devices if they (i) collect information directly from consumers, and (ii) have the technical capacity to draw information through an API that enables syncing with a consumer’s connected device (i.e., multiple sources). The FTC further clarified that the Rule applies even if the app or connected device draws health information from only one source (e.g., the consumer’s input), and non-health information from another (e.g., dates from your phone’s calendar).
The FTC’s new read of the Rule is surprising in its timing, lagging years behind the digital health revolution. But the Commission’s interpretation is arguably not inconsistent with the Rule’s language. Before the FTC’s announcement, the Rule already applied to (i) businesses that offered or maintained electronic personally identifiable health information, managed, shared, and controlled by or for the individual, (ii) entities that interacted with such businesses, by offering products or services through the business’s website or by accessing the personally identifiable health information, and (iii) relevant service providers of the entities described in (i) and (ii).
Rule Requirements
The Rule is a breach notification rule – substantively similar to HIPAA’s breach notification rule as well as the myriad state breach notification laws. The key difference under the Rule is that if a health app or a connected device suffers a breach, they will no longer be able to avoid notification obligations by arguing that the affected elements of personal data are not in scope of state breach notification laws (which define personal information very narrowly). Under the Rule, so long as the app or connected device is in scope of the Rule, any personal information the app or device processes is in scope of the Rule’s breach notification requirement.
The Rule requires entities that experience a breach of security to notify impacted individuals, the FTC, and in some cases the media if the breach is sufficiently widespread. The FTC has highlighted the fact that a “breach of security” is not limited to cybersecurity intrusions or malicious activity, but also includes incidents of unauthorized access and the sharing of personal health records without an individual’s authorization.
Should a company covered by the Rule discover it has experienced a breach of security, it must provide notice to impacted individuals without unreasonable delay, and in no case later than 60 days after the discovery of the breach. Notice must be made by written mail, or by email if the individual is given a clear, conspicuous, and reasonable opportunity to receive notification by first-class mail, and the individual does not exercise that choice. Notices to individuals must include (i) a description of the incident and types of personal information compromised, (ii) the date of the breach, (iii) breach remediation efforts, (iv) information for individuals to protect themselves from potential harm, and (v) contact details.
Companies are also required to provide notice of a breach to the FTC if the breach impacts more than 500 or more residents of a certain State, notice must also be given to prominent media outlets that service such State.
Third-party service providers subject to the Rule will have to provide notice to their business customers within 60 days of discovery of the breach. The notices must include the identification of each individual whose unsecured personal information has been, or is reasonably believed to have been, acquired due to the breach.
Enforcement
A violation of Rule can constitute an unfair or deceptive act or practice in violation of the FTC Act. The Commission stated that it intends to bring actions to enforce the Rule consistent with the Policy Statement, which can carry civil penalties of up to $43,792 per violation, per day.
Key Takeaways
The FTC’s Policy Statement clarifying the scope of the Rule to regulate health apps and connected devices further illustrates the FTC’s increased focus on data privacy and cybersecurity as well as the Commission’s willingness to regulate sensitive information more aggressively. Just recently, some members of congress proposed new funding to support a new privacy and data security division, President Biden has nominated a privacy law expert to be a Commissioner on the FTC, and the FTC has published a list of enforcement priority areas that include several data privacy specific categories and is considering implementing new rules to strengthen online privacy protections.
The FTC’s broad interpretation of personal health records and health service providers will likely capture a broad array of the health based apps and connected device developers, and businesses offering services covered by the Rule should take appropriate care to secure and protect consumer data from breaches and unauthorized access. Per guidance from the FTC, and best practices, entities covered by the Rule should confirm they:
- Minimize data collection;
- Maintain accurate data mapping records to understand the data collected;
- Limit data access and permissions;
- Maintain robust user authentication methods;
- Implement and document mobile and industry-standard information security controls;
- Conduct and document incident detection and response capabilities and processes; and
- Regularly review and update cybersecurity programs.
Through the Policy Statement, the FTC has put health apps and connected devices on notice. Companies operating in this significant space should ensure their information and cybersecurity programs are up to date and that their policies take into account the Health Breach Notification Rule’s requirements.