Modern smartphones, wearables and internet-enabled devices are capable of monitoring heart rate, blood oxygen levels, steps taken, prescription adherence, and other vital health-related activities. Contrary to popular belief, HIPAA does not cover many of these applications and devices. On September 15, 2021, the Federal Trade Commission issued a Policy Statement attempting to assert authority to police that gap. The Policy Statement explains the FTC’s view that the Health Breach Notification Rule applies to mobile health applications. This Policy Statement signals increasing FTC scrutiny designed to safeguard sensitive health data on a variety of modern technologies that consumers use to monitor and improve their health.
Overview of the Health Breach Notification Rule
Traditionally, when an individual sought medical care, they could find comfort in the fact that most health care providers, doctors’ offices and insurance companies were subject to HIPAA’s privacy and security requirements to protect sensitive health data. However, HIPAA’s definitions of ‘covered entity’ and ‘business associate’ are limited, and do not include many web-based businesses and mobile applications that collect and process such health data. For example, a mobile application or device that scans a person’s heart rate or other biometrics and generates health-related insights may not be subject to HIPAA. The FTC initially addressed this area by enacting the Health Breach Notification Rule (the “Rule”).
The Rule applies to the following types of entities:
- Vendor of personal health records – An entity that offers or maintains individually identifiable health information (as defined by HIPAA) on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual (a “personal health record”).
- PHR-related entity – An entity that interacts with a vendor of personal health records either by (i) offering products or services through such vendor’s website or mobile application, (ii) accessing information in a personal health record, or (iii) transmitting a person’s information to their personal health record.
- Third party service provider – An entity that requires the use, maintenance, disclosure, or disposal of health information in order to provide a service to a vendor of personal health records or a PHR-related entity.
The Rule does not apply to HIPAA covered entities or business associates. Nevertheless, the Rule cross-references HIPAA’s definition of “individually identifiable health information” which, in relevant part, is defined as information which is created or received by health care providers … and relates to the past, present or future physical or mental health or condition of an individual, the provision of healthcare to an individual, or payment for the provision of healthcare to an individual. 45 CFR § 160.103. The Policy Statement clarified that the developer of a health application or connected device is considered a “health care provider” because it “furnish[es] health care services or supplies.” See FTC Policy Statement, September 15, 2021, citing 16 C.F.R. § 318.2(a). Additionally, the Policy Statement provided guidance indicating that the Rule would apply to health applications or connected devices if they are “capable of drawing information directly from multiple sources, such as through a combination of consumer inputs and application programming interfaces.” In other words, an app that combines what the user types in with data pulled from a wearable, a fitness platform or another app’s API can satisfy the “multiple sources” element of the personal health record definition.
If an entity regulated by the Rule suffers an incident in which there is an unauthorized acquisition of unsecured, electronic, PHR-identifiable health information, such entity must notify (i) the affected individuals, (ii) the FTC, and (iii) in some cases, the media (prominent media outlets serving a state or jurisdiction, when the breach involves 500 or more residents of that state or jurisdiction). A third party service provider that discovers a breach notifies the vendor of personal health records or PHR-related entity it serves, which then makes the notifications described here. Notice to individuals is due without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. If the breach affected 500 or more individuals, the entity must notify the FTC as soon as possible and no later than 10 business days after discovering the breach. If a breach involves fewer than 500 individuals, the entity must log the breach and submit the log to the FTC annually, no later than 60 calendar days after the end of the calendar year in which the breach was discovered.
The Rule also prescribes content requirements for the information that must be included in notices, as well as details on how to notify individuals.
Although the FTC has not enforced the Rule since its enactment, the Commission pointed to its recent action against the Flo Health app as a signal that it intends to bring enforcement actions under the Rule, consistent with its Policy Statement. A violation of the Rule is considered to be an unfair or deceptive act under Section 5 of the FTC Act. An entity that violates the Rule may be subject to a civil monetary penalty of up to $43,792 per violation.
Warning to Health Applications and Connected Devices
In addition to the warning that non-HIPAA covered applications and connected devices are required to report data breaches, the FTC reminded entities that the term “breach” means more than just cybersecurity intrusions or nefarious behavior. According to the FTC, a breach includes any unauthorized acquisition of covered information, including an app’s own sharing of that information with third parties without the individual’s authorization. Thus, app developers and businesses that are not subject to HIPAA should (i) evaluate whether the information they process is adequately safeguarded, (ii) ensure their information sharing practices (including disclosures to analytics, advertising and other third-party services) are compliant, and (iii) assess their incident response policies and procedures for compliance with the Rule, including the ability to recognize an unauthorized disclosure as a reportable breach and to meet the Rule’s notification deadlines.