Top 5 FAQs on the FTC’s Warning to Health Apps to Report Breaches of Health Data

20 September 2021 Health Care Law Today Blog
Author(s): Jennifer J. Hennessy Aaron T. Maguregui Nathaniel M. Lacktman

The Federal Trade Commission (FTC) just released a Policy Statement emphasizing that telemedicine and digital health apps can be held accountable under the Health Breach Notification Rule, even if the company is not subject to HIPAA. Digital health breaches are not limited to hacks and cybersecurity intrusions; they also occur when companies share user health information without the user’s consent. The Policy Statement was issued on the heels of a recent FTC enforcement action and settlement, in which the FTC alleged that the company misrepresented its practices by claiming it would not share users’ sensitive personal health information with third parties. Members of Congress have also pressured the FTC to use the Health Breach Notification Rule as a tool to protect users from having their sensitive information exploited.

When a health app, for example, discloses sensitive health information without users’ authorization, this is a ‘breach of security’ under the Rule.

– Federal Trade Commission (Sep 15, 2021)

Frequently Asked Questions for Telemedicine & Digital Health Companies under the FTC Health Breach Notification Rule

  1. What information is covered by the Rule? The Rule covers personal health records (PHRs), defined as an electronic record of “identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”

  2. To whom does the Rule apply? The Rule applies to vendors of PHR, PHR-related entities, and their service providers. A vendor of PHR is a business that offers or maintains a PHR, such as a company that collects and stores medical records on behalf of individuals. A PHR-related entity is a business that interacts with vendors of PHR, such as a company that offers an app that helps consumers manage their diabetes by collecting data from a smart glucose meter. Any company that is a HIPAA-covered entity or business associate will not be considered a vendor of PHR or a PHR-related entity. The Rule also applies to service providers, such as data hosting providers.

  3. What does the Rule require? Service providers must notify the vendor of PHR or PHR-related entity of any breach. Entities covered by the Rule must report breaches of unsecured identifiable health information to the affected individuals and to the FTC, and, if the breach involves the information of 500+ residents of a particular state, to the media as well. Notice must be given within 60 calendar days of discovery of the breach.

  4. Does “breach” mean a cybersecurity incident? The definition is not limited to cybersecurity incidents. The Rule defines “breach of security” as the acquisition of individually identifiable health information without the authorization of the individual. While cybersecurity incidents are included within that definition, the Policy Statement makes clear that sharing individually identifiable health information without an individual’s authorization is a breach that triggers the notification requirements of the Rule. For example, a health app that collects identifiable health information from an individual, such as their unique device identifier along with body mass index, and shares the identifiable information with third parties without adequate authorization from the individual has most likely triggered the Rule.

  5. What should digital health app companies do? Digital health companies that previously may not have considered themselves subject to federal breach notification requirements should re-evaluate their privacy and security policies and procedures, and audit their data use and sharing practices. If the app or company shares health data with a third party, such as a data analytics firm, the company must ensure that it properly notifies consumers and obtains clear authorization to share data with each such recipient. Companies should review their online privacy policy and terms of use to ensure that individuals are properly notified of the app’s data sharing practices and that the company properly documents each individual’s consent.

The FTC’s new Policy Statement is not subtle; it is an overt warning to digital health companies that the federal government will investigate and sanction those who share personal health information without obtaining the user’s authorization. Given the FTC’s position in the Policy Statement, the greatest attention will be paid to health apps that share health data with third-party analytics services or for purposes of behavioral advertising. Fortunately, companies can take steps now to address their privacy and e-commerce practices and ensure their policies, terms of use, and patient consent forms all align with these federal requirements.
