A recent policy statement by the Federal Trade Commission (FTC) has dramatically expanded coverage and penalties under the FTC Breach Notification Rule for companies that develop and offer mobile health applications and services for consumers.
History of the FTC Breach Notification Rule
As issued by the FTC in 2009, the Breach Notification Rule required personal health record (PHR) vendors to notify the Federal Trade Commission and any affected individuals upon:
“…the discovery of a breach of security of unsecured PHR (Personal Health Records) identifiable health information that is in a personal health record maintained or offered by such vendor, and each PHR related entity, following the discovery of a breach of security of such information that is obtained through a product or service provided by such entity….”
The Rule applies to PHR Vendors, PHR-related entities, and their third-party service providers that collect data about an individual from multiple sources but specifically exempts entities subject to HIPAA.
Changes to the FTC Breach Notification Rule
The policy statement issued on September 15, 2021, acknowledged that the FTC “has never enforced the Rule, and many appear to misunderstand its requirements.”
The focus of these substantial changes is mobile health applications and services that are currently not subject to HIPAA compliance. HIPAA regulations provide healthcare providers and business associates with defined guidelines that dictate how protected health information (PHI) must be used and secured for patient privacy.
The FTC Breach Rule did not define these guidelines as clearly for consumer-oriented health applications and services such as glucose meters and fertility trackers.
The recent policy statement clarifies and changes several interpretations of the FTC Breach Notification Rule.
The policy statement expands the Rule’s term “multiple sources” beyond its historical meaning of collecting information from multiple applications or services. The FTC now interprets the term to include multiple input mechanisms from a single consumer:
“Similarly, an app that draws information from multiple sources is covered, even if the health information comes from only one source. For example, if a blood sugar monitoring app draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from your phone’s calendar), it is covered under the Rule.”
Applications that meet these criteria are now considered PHR vendors and must follow the FTC Breach Notification Rule.
The policy statement also indicates that sharing information with third parties without the user’s consent is now likely to be considered a breach as well:
“In addition, the Commission reminds entities offering services covered by the Rule that a “breach” is not limited to cybersecurity intrusions or nefarious behavior. Incidents of unauthorized access, including sharing of covered information without an individual’s authorization, triggers notification obligations under the Rule.”
Requirements of the FTC Breach Notification Rule
In the event of a breach of PHR, the FTC Breach Notification Rule requires the following:
- Breach notices must be sent to affected individuals when a qualifying vendor of PHR or PHR-related entity suffers a breach of unsecured PHR.
- Qualifying vendors of PHR or PHR-related entities must also notify the FTC within ten (10) days of discovery if the breach affects over 500 people (otherwise, notification is required to the FTC and individuals “without unreasonable delay” but in no event later than 60 days).
- Under the Rule, a breach is “discovered” on the first day it is known by anyone other than the individual committing the violation, who is an employee, officer, or agent of the affected business.
- Third-party service providers must provide breach notification to affected vendors of PHR and PHR-related entities.
The maximum fine for violations of the breach notification rule is $46,517 per violation per day.
Future of the FTC Breach Notification Rule
It is reasonable to assume that this rule will continue to expand as technology enables more health tracking information to be collected from users unobtrusively.
The FTC could decide to make its regulations mirror the requirements of HIPAA, including requirements to sign business associate agreements, additional provisions regarding the use and storage of user data, and a requirement to perform a Security Risk Analysis at regular intervals.
Users of these products should become aware of their rights and responsibilities regarding health applications and devices. Developers can continue to innovate, but they should keep an eye on the regulatory environment and be prepared to meet the compliance requirements as they evolve in the future.
The FTC press release and an official statement regarding these changes are available on the Federal Trade Commission website.