The Federal Trade Commission (FTC) has announced a policy statement confirming that health apps and connected devices that collect or use health information must abide by the Health Breach Notification Rule. This rule requires that consumers, and others, must be notified if their health information has been breached.
At an open meeting, the Commission declared that health apps, which are capable of tracking glucose levels, heart health, fertility, and sleep of consumers, have been collecting sensitive and personal data. Therefore, the Commision has urged the apps developers to guarantee the security of the data that they acquire, which involves prohibiting any unauthorized access to the information. In 2009, Congress passed the American Recovery and Reinvestment Act, which included provisions to strengthen privacy and security for web-based businesses. The FTC was mandated to ensure companies contacted customers in the event of a security breach, resulting in the Health Breach Notification Rule. Under this Rule, vendors of personal health records, as well as related entities, must alert consumers, the Federal Trade Commission, and in certain instances, the media, in the event of data being accessed or revealed without the consumer’s permission. In the decade since, health apps and other connected devices have become commonplace, with an increase in use due to the pandemic. Unfortunately, these apps have become a target for cyber hacks, and there are still not enough privacy protections in place.
The Commission has issued a policy statement that states entities not regulated by the Health Insurance Portability and Accountability Act (HIPAA) must be accountable if consumers’ sensitive health data is breached. Health apps and connected devices such as fitness trackers are covered by the FTC’s Health Breach Notification Rule if they can draw data from multiple sources, and are not subject to a similar HHS rule. For example, a health app that collects health information from a user and has the ability to sync with a fitness tracker via an API would be subject to the FTC’s rule. Companies that fail to comply may be subject to a penalty of up to $43,792 per violation per day. The Commission voted 3-2 to approve the policy statement, with Chair Khan and Commissioners Rohit Chopra and Rebecca Kelly Slaughter issuing separate statements. Commissioners Noah Joshua Phillips and Christine S. Wilson voted against it and issued dissenting statements.