According to recent guidance from the US Federal Trade Commission (FTC), providers of health apps and connected devices that collect consumers’ health information must comply with the FTC’s Health Breach Notification Rule, 16 CFR Part 318, and therefore are required to notify consumers and others when their health data is breached.
The FTC policy statement, issued on September 15, 2021, is intended to clarify the scope of the Health Breach Notification Rule as it relates to health apps and connected devices such as wearable fitness tracking devices, and notes that those apps and devices that collect consumers’ health information are generally covered by the Health Breach Notification Rule if they have the capability to draw data from multiple sources. As the FTC explains, an example of this would be an app that collects health information directly from a consumer while having the technical capacity to draw information through an application programming interface (API) that enables synching with the consumer’s fitness tracker. The Health Breach Notification Rule requires that providers that are subject to the rule notify US consumers as well as the FTC, and, in some cases, the media, if there has been a breach of unsecured identifiable health information, or face civil penalties for violations.
The Health Breach Notification Rule applies to vendors of personal health records (PHRs), PHR-related entities, and third-party service providers of PHRs or PHR-related entities. The FTC policy statement clarifies how broadly the agency will interpret those terms to apply to health apps and connected devices.
The FTC noted that while the Health Breach Notification Rule is now more than 10 years old, the “explosion in health apps and connected devices makes its requirements with respect to them more important than ever.” The Health Breach Notification Rule has not previously been enforced, but the FTC’s policy statement suggests that is likely to change. The FTC added, “As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this Rule is more important than ever. Firms offering these services should take appropriate care to secure and protect consumer data.”
View the full policy statement for additional guidance from the FTC.