Providers of health applications (“health apps”) and connected devices that collect or use information about the health of individuals, as well as their service providers, are now on notice that they must promptly notify consumers and the Federal Trade Commission (FTC) in the event of a security breach compromising health information. In response to the proliferation of health apps and connected devices that aggregate large volumes of individually identifiable health information, the FTC recently issued a policy statement (the “Policy Statement”) explaining the scope of its Health Breach Notification Rule (the “Rule” or “HBNR”), the types of incidents that may trigger notification obligations, and that it intends to enforce the Rule in accordance with the Policy Statement. Specifically, some health apps may be subject to the Rule, and sharing covered information without an individual’s authorization may trigger the Rule’s breach notification requirements.

The Health Breach Notification Rule

The FTC published the HBNR in 2009 to address certain entities that collect or use personal health information but are not regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Rule applies to vendors of personal health records (“PHRs”), meaning electronic records of an individual’s identifiable health information that can be drawn from multiple sources and that are managed, shared and controlled by or primarily for the individual. The HBNR requires PHR vendors and PHR related entities to notify U.S. consumers, the FTC and, in some cases, the media of breaches of unsecured identifiable health information. Violations of the Rule are treated as an unfair or deceptive act or practice, and entities subject to the Rule may face civil penalties of up to $43,792 per violation per day. The HBNR does not apply to HIPAA covered entities, or to any other entity to the extent it acts as a business associate of a HIPAA covered entity, but its requirements are similar to those of the HIPAA breach notification rule. To date, the FTC has not brought an enforcement action under the HBNR.

The policy statement

The Policy Statement states that the FTC considers health apps capable of drawing information from multiple sources to be PHRs subject to the HBNR. Examples of such apps are:

  • an app that collects information directly from consumers and can draw in information through an application programming interface (API) that allows synchronization with a person’s fitness tracker; and
  • an app that draws information from multiple sources even if the health information comes from only one source, such as a blood sugar monitoring app that pulls health information from blood sugar levels entered by the individual and pulls dates (non-health information) from the calendar on the individual’s phone.

Further, the FTC states that a breach of security triggering the Rule’s notification requirements includes not only a cybersecurity incident involving health information, but also a health app’s disclosure or sharing of sensitive health information without the individual’s authorization.

The Policy Statement’s position that health apps can be PHRs is notable because last year the Commission began the rulemaking process to update the HBNR by issuing a request for public comment soliciting feedback on the Rule, including whether the Rule applies, and should apply, to health apps. The Commission has considered the comments but has not yet published a notice of proposed rulemaking. In addition, the U.S. Department of Health and Human Services (“HHS”) is engaged in rulemaking to update the HIPAA privacy rule, including defining the term “personal health application” as part of its revisions to the right of access provisions.

Dissenting FTC commissioners said the Policy Statement impermissibly extends the reach of the HBNR beyond vendors of personal health records and conflicts with business guidance the FTC previously issued regarding compliance with the Rule, including who is a PHR related entity. The dissenting commissioners also argued that the Policy Statement interferes with the ongoing FTC and HHS rulemaking processes, especially since addressing privacy concerns related to health apps requires a coordinated approach among federal agencies.

As a result of the Policy Statement, a health app provider or its service providers may be subject to the HBNR, HIPAA and various state data breach notification laws for a cybersecurity breach involving health information. Health app providers and their service providers may therefore find that the HBNR, HIPAA and state data breach notification laws vary in their application, and even overlap, depending on who uses the app and for whose benefit.

Next steps

To minimize exposure under the FTC Policy Statement and other breach notification laws, providers of health apps and connected devices and their service providers should:

  1. Ensure that they have policies and procedures in place to comply with the notification and reporting requirements of the Rule, and that they obtain appropriate authorization from individuals to use and share health information;
  2. Implement accepted industry-standard data security practices to minimize the risk of a breach of security under any applicable breach notification law, and require their service providers to do the same;
  3. Adopt privacy- and security-by-design practices that may function as a “safe harbor” under the various rules, such as encryption, anonymization or pseudonymization;
  4. Assess whether they may also be subject to the HIPAA breach notification rule and state breach notification requirements; and
  5. Monitor developments in the HBNR rulemaking process, the pending HIPAA privacy rulemaking with respect to requirements for mobile health apps, and FTC enforcement activity under the Policy Statement.