Does your app, device, or website collect information relating to users’ health? If so, the FTC wants to make clear that you still have breach-reporting obligations even if HIPAA doesn’t apply.
On May 18, the FTC requested comments on proposed amendments to the Health Breach Notification Rule (“HBNR”) that would strengthen its applicability to health-related apps and similar technologies. The proposed amendments would affirm the FTC’s September 2021 Policy Statement that apps and connected devices that collect or use consumers’ health information must comply with the HBNR.
The notification requirements are broad. The HBNR currently requires vendors of personal health records and related entities, following discovery of a breach of security involving "[personal health record] identifiable health information," to provide (1) notice to each affected individual who is a U.S. citizen or resident, (2) notice to the FTC, and (3) notice to prominent media outlets serving a state or jurisdiction where 500 or more residents are reasonably believed to have been affected. Notice to individuals is due without unreasonable delay and in no case later than 60 calendar days after discovery; where 500 or more individuals are affected, the FTC must be notified within 10 business days of discovery. The HBNR also requires third-party service providers (e.g., companies that provide billing, data storage, attribution, or analytics services) to vendors of personal health records and related entities to notify those vendors and entities following the discovery of a breach.
The HBNR applies only to entities not covered by HIPAA. HIPAA-covered entities and their business associates have separate breach-notification obligations under the HIPAA Breach Notification Rule, which is administered by the Department of Health and Human Services.
The proposed scope of coverage is also broad. Under the proposed amendments to the HBNR, “PHR identifiable health information” would include individually identifiable information relating to a past, present, or future health condition given by users to providers of “any online service, such as a website, mobile application, or Internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.”
The proposed amendments also include changes to the definition of "breach of security" to make clear that it covers unauthorized acquisitions of identifiable health information occurring as a result of a data security breach or an unauthorized disclosure (such as sharing with advertisers), and expanded authorization of the use of email and other electronic means to notify affected persons.
Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, noted in a coinciding press release that “[t]he proposed amendments to the rule will allow it to keep up with marketplace trends, and respond to developments and changes in technology . . . We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information. When this information is breached, it is more vital than ever that mobile health app developers and others covered by the [HBNR] provide consumers and the FTC with timely notice about what happened.”
The FTC’s request for comments comes soon after its first enforcement action under the HBNR, against GoodRx, for failing to notify users about the unauthorized disclosure of their personally identifiable health information to advertisers like Google and Facebook. In February, GoodRx agreed to pay a $1.5 million civil penalty and is now permanently banned from disclosing user health data to third parties for advertising purposes. Earlier this week, the FTC also announced a proposed order settling allegations that the ovulation-tracking app Premom similarly violated the HBNR by disclosing sensitive health data to AppsFlyer, Google, and several China-based firms without notifying users.
All organizations that handle health-related data should regularly evaluate their data-security practices and breach-reporting procedures, including whether routine data sharing with analytics and advertising partners could itself be treated as an unauthorized disclosure, especially in light of the FTC’s proposed rule and recent enforcement actions. Please contact our firm if you have any questions about how the HBNR, HIPAA, or state and local laws might apply to your business.