The Federal Trade Commission (FTC) just released a Policy Statement emphasizing that telemedicine and digital health apps can be held accountable under the Health Breach Notification Rule, even if the company is not subject to HIPAA. Digital health breaches are not limited to hacks and cybersecurity intrusions; they also occur when companies share user health information without the user’s consent. The Policy Statement was issued on the heels of a recent FTC enforcement action and settlement, in which the FTC alleged the company misrepresented its practices by claiming it would not share users’ sensitive personal health information with third parties. Members of Congress have also pressured the FTC to use the Health Breach Notification Rule as a tool to protect users from having their sensitive information exploited.
When a health app, for example, discloses sensitive health information without users’ authorization, this is a ‘breach of security’ under the Rule.
– Federal Trade Commission (Sep 15, 2021)
The FTC’s new Policy Statement is not subtle; it is an overt warning to digital health companies that the federal government will investigate and sanction those who share personal health information without obtaining the user’s authorization. Given the FTC’s position in the Policy Statement, the greatest attention will be paid to health apps that share health data with third-party analytics services or for purposes of behavioral advertising. Fortunately, companies can take steps now to review their privacy and e-commerce practices and ensure their policies, terms of use, and patient consent forms all align with these federal requirements.
Want to Learn More?
For more information on telemedicine, telehealth, virtual care, remote patient monitoring, digital health, and other health innovations, including the team, publications, and representative experience, visit Foley’s Telemedicine & Digital Health Industry Team.