The Federal Trade Commission (FTC) just released a Policy Statement emphasizing that telemedicine and digital health apps can be held accountable under the Health Breach Notification Rule even if the company is not subject to HIPAA. Digital health breaches are not limited to hacks and cybersecurity intrusions; they also occur when companies share user health information without the user’s consent. The Policy Statement was issued on the heels of a recent FTC enforcement action and settlement in which the FTC alleged the company misrepresented that it would not share users’ sensitive personal health information with third parties. Members of Congress have also pressured the FTC to use the Health Breach Notification Rule as a tool to protect users from having their sensitive information exploited.
When a health app, for example, discloses sensitive health information without users’ authorization, this is a ‘breach of security’ under the Rule.
– Federal Trade Commission (Sep 15, 2021)
Frequently Asked Questions for Telemedicine & Digital Health Companies under the FTC Health Breach Notification Rule
- What information is covered by the Rule? The Rule covers personal health records (PHRs), defined as an electronic record of “identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”
- To whom does the Rule apply? The Rule applies to vendors of PHR, PHR-related entities, and their service providers. A vendor of PHR is a business that offers or maintains a PHR, such as a company that collects and stores medical records on behalf of individuals. A PHR-related entity is a business that interacts with vendors of PHR, such as a company that offers an app that helps consumers manage their diabetes by collecting data from a smart glucose meter. Any company that is a HIPAA-covered entity or business associate will not be considered a vendor of PHR or a PHR-related entity. The Rule also applies to service providers, such as data hosting providers.
- What does the Rule require? Service providers must notify the vendor of PHR or PHR-related entity of any breach. Entities covered by the Rule must report breaches of unsecured identifiable health information to the impacted individuals and to the FTC, and, if the breach involves the information of 500 or more people in a particular state, to the media as well. Notice must be made within 60 calendar days of discovery of the breach.
- Does “breach” mean a cybersecurity incident? The definition is not limited to cybersecurity incidents. The Rule defines “breach of security” as the acquisition of individually identifiable health information without the authorization of the individual. While cybersecurity incidents fall within that definition, the Policy Statement makes clear that sharing individually identifiable health information without an individual’s authorization is also a breach that triggers the notification requirements of the Rule. For example, a health app that collects identifiable health information from an individual, such as a unique device identifier along with body mass index, and shares that identifiable information with third parties without adequate authorization from the individual has most likely triggered the Rule.
- What should digital health app companies do? Digital health companies that previously may not have considered themselves subject to federal breach notification requirements should re-evaluate their privacy and security policies and procedures and audit their data use and sharing practices. If the app or company shares health data with a third party, such as a data analytics firm, the company must ensure that it properly provides notice to consumers and obtains clear authorization to share data with each such recipient. Companies should review their online privacy policy and terms of use to ensure that individuals are properly notified of the app’s data sharing practices and that the company properly documents the individual’s consent.
The FTC’s new Policy Statement is not subtle; it’s an overt warning to digital health companies that the federal government will investigate and sanction those who share personal health information without obtaining the user’s authorization. Given the FTC’s position in the Policy Statement, the greatest attention will be paid to those health apps that share health data with third party analytics services or for purposes of behavioral advertising. Fortunately, companies can take steps now to address their privacy and e-commerce practices and ensure their policies, terms of use, and patient consent forms all align with these federal requirements.