Health App and Device Providers Take Note: Health Breach Notification Rule Enforcement Is Coming

As the mobile health and connected device market continues to grow at an exponential pace, the Federal Trade Commission (“FTC”) has issued a Policy Statement that emphasizes its commitment to ensuring the protection of sensitive information collected by these apps and devices. On September 15, 2021, the FTC issued its “Statement on the Commission of Breaches by Health Apps and Other Connected Devices,” which offers guidance on the FTC’s Health Breach Notification Rule (the “Rule”), including guidance as to the Rule’s scope, and makes clear that the FTC intends to bring actions to enforce the Rule consistent with the Policy Statement.

Key Takeaways

Mobile health app developers and connected device companies should take note of the Policy Statement and analyze whether the Rule applies to the services they provide. If it applies, to avoid the penalties associated with noncompliance with the Rule, these companies should (i) assess their current security measures, and (ii) if they have not done so already, implement appropriate policies and procedures to comply with the Rule and other applicable laws in the event they experience a breach of security.

Overview of the Rule

The Rule, which was issued pursuant to the American Recovery and Reinvestment Act of 2009 and became effective on September 24, 2009, applies to (i) vendors of personal health records (“PHRs”),[1] (ii) PHR related entities who interact with vendors of PHRs or HIPAA-covered entities by offering products or services through their sites or who access information in or send information to a PHR, and (iii) third-party service providers for vendors of PHRs or PHR related entities who process unsecured PHR identifiable health information[2] as part of providing their services. The Rule does not apply to HIPAA-covered entities or any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.

Under the Rule, vendors of PHRs and PHR related entities are required to report a “breach of security” involving PHRs to the FTC, the media (in some cases), and directly to consumers. Service providers to such entities that process information contained in PHRs (e.g., for billing or data storage purposes) also have notice obligations to report such breaches to their business customers. The Rule defines a “breach of security” as the acquisition of unsecured, PHR identifiable health information that is in a PHR, without the authorization of the individual. Notice is required no later than 60 days of discovering the breach, unless more than 500 people are impacted (in which case, the FTC must be notified within 10 business days). If covered entities fail to comply, violations of the Rule are subject to civil penalties of $43,792 per violation per day.

Change in Enforcement

To date, the FTC has not enforced the Rule despite enacting it more than a decade ago. During the recent review and comment period for the Rule, the FTC acknowledged that the Rule had fallen into disuse, but the recent Policy Statement emphasizes that the explosion in health apps and connected devices makes the Rule’s breach notification requirements more important than ever. The Policy Statement explicitly states that it is intended to place entities on notice of their ongoing obligation to “come clean” about breaches and signals that the FTC will ramp up enforcement actions moving forward.

Clarifications of the Rule

In addition to putting entities on notice of the FTC’s change in enforcement approach, the Policy Statement also seeks to clarify the scope of entities that are covered by the Rule, as well as what constitutes a PHR and a “breach of security” triggering notification obligations under the Rule.

With respect to the Rule’s applicability, the Policy Statement highlights that the Rule covers vendors of PHRs that contain individually identifiable health information created or received by health care providers. Because health app and connected device developers “furnish health care services or supplies,” the Policy Statement notes that they are considered “health care providers” under the definitions cross-referenced in the Rule, such that any personally identifiable information such developers create or receive that relates to (i) the past, present, or future physical or mental condition of an individual; (ii) the provision of healthcare to an individual; or (iii) the past, present, or future payment for health care to an individual would be subject to the Rule’s protections when contained in a PHR.

The Policy Statement further notes that, in order for an electronic health record to be considered a PHR under the Rule, it must draw information from multiple sources and be managed, shared, or controlled by or primarily for the individual. Regarding whether an electronic health record draws information from multiple sources, the Policy Statement clarifies that in the context of a health app, this may occur through a combination of consumer inputs and application programming interfaces (“APIs”). For example, an app would be subject to the Rule if it collects information directly from consumers and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker. This would be true even if the health information came from only one source. For example, if a blood sugar monitoring app draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from your phone’s calendar), it would still be covered under the Rule.

Finally, the Policy Statement also seeks to clarify what constitutes a “breach of security” under the Rule by reminding entities that a breach of security is not limited to cybersecurity intrusions or nefarious behavior. Rather, any incident of unauthorized access will trigger notification obligations under the Rule, similar to HIPAA. Hence, if a health app discloses sensitive health information without its users’ authorization to a third party, such an incident would qualify as a “breach of security.”

Please let us know if you have any questions regarding the applicability of or compliance with the Rule.

[1] A PHR is an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. See 16 C.F.R. § 318.2(d).

[2] “PHR identifiable health information” includes “individually identifiable health information,” as defined in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)), and, with respect to an individual, information:

(1) that is provided by or on behalf of the individual; and

(2) that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

See 16 C.F.R. § 318.2(e).