A recent policy statement by the Federal Trade Commission (FTC) has dramatically expanded coverage and penalties under the FTC Breach Notification Rule for companies that develop and offer mobile health applications and services for consumers.

History of the FTC Breach Notification Rule

As issued by the FTC in 2009, the Breach Notification Rule required PHR vendors to notify the Federal Trade Commission and any affected individuals upon: 


“…the discovery of a breach of security of unsecured PHR (Personal Health Records) identifiable health information that is in a personal health record maintained or offered by such vendor, and each PHR related entity, following the discovery of a breach of security of such information that is obtained through a product or service provided by such entity….”

The Rule applies to PHR Vendors, PHR-related entities, and their third-party service providers that collect data about an individual from multiple sources but specifically exempts entities subject to HIPAA.

Changes to the FTC Breach Notification Rule

The policy statement issued on September 15, 2021, acknowledged that the FTC “has never enforced the Rule, and many appear to misunderstand its requirements.” 

The focus of these substantial changes is mobile health applications and services that are currently not subject to HIPAA compliance. HIPAA regulations provide healthcare providers and business associates with defined guidelines that dictate how protected health information (PHI) must be used and secured for patient privacy.


The FTC Breach Rule did not define these guidelines as clearly for consumer-oriented health applications and services such as glucose meters and fertility trackers.

The recent policy statement clarifies and changes several interpretations of the FTC Breach Notification Rule.

With the policy statement, the rule’s term “multiple sources” has expanded beyond its historical meaning of collecting information from multiple applications or services. The FTC now interprets the term to also cover information collected through multiple mechanisms from a single consumer:

“Similarly, an app that draws information from multiple s