The Federal Trade Commission (“FTC”) recently issued guidance clarifying protections applicable to consumers’ sensitive personal data increasingly collected by so-called “health apps.” The FTC press release indicated it has approved a policy statement by a vote of 3-2 offering guidance that organizations using “health applications and connected devices” to “collect or use” consumers’ personal health information must comply with the cybersecurity, privacy and notification mandates of the Health Breach Notification Rule (the “Rule”).
The FTC’s policy statement, entitled “On Breaches by Health Apps and Other Connected Devices,” attempts to clarify the Rule by stating that mobile health applications and interactive tools used by organizations that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) are regulated by the Rule. Significantly, the FTC’s guidance broadly deems developers of health care apps or connected devices to be “health care providers” subject to the Rule because they “furnish health care services or supplies.” It also clarifies that health apps that collect non-health data (such as calendar dates) are within the scope of the Rule. In the wake of the FTC’s statement, any organization that is not covered by HIPAA, but provides or uses mobile or web-based health apps to collect personal health information, should evaluate their coverage under the Rule.
The FTC’s recent expansive view of this Rule—which was initially passed pursuant to the 2009 American Recovery and Reinvestment Act—covers many popular mobile health and fitness related applications and wearables on the market. For example, the FTC explained that any application that “collects information directly from consumers” and has the “technical capacity to draw information through an API [application programming interface] that enables syncing with a consumer’s fitness tracker” is covered under its interpretation of the Rule. The FTC further stated that “an app that draws information from multiple sources is covered, even if the health app comes from only one source.” For example, an application that monitors blood sugar and also takes non-health information from a consumer’s phone’s calendar (i.e., dates) would also be covered. The FTC specifically called attention to “apps and other technologies [that] track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas.” The FTC press release noted that the increased use of COVID-19 related health applications impacted its policy statement. Entities subject to the Rule may be required to provide notice, including in certain circumstances to the media, in the event of a cybersecurity breach or even in the case of “sharing of covered information without an individual’s authorization.”
The Rule contains statutory definitions that should now be read in light of the policy guidance, applying its provisions to (i) vendors of personal health records (“PHR”); (ii) “PHR related entities”; and (iii) “third party service providers.” The Rule generally requires “vendors of personal health records”, and PHR-related entities to provide notice to affected individuals and the FTC within 60 calendar days after the discovery of a “breach of security.” A provider must notify the vendor or PHR related entity of a breach.
A violation is treated as an unfair and deceptive act or practice under the FTC Act which may carry steep civil penalties of up to $43,792 per violation per day. As of the date of the FTC’s policy statement, however, the FTC has not yet enforced the Rule, and, according to the remarks of FTC Commissioner Rohit Chopra, the FTC and the public have been notified only four times about a breach under the Rule since February 2010.
It is also important to note that there remains a dispute about the scope of the Rule even among the FTC’s commissioners, especially because it has not been interpreted in the context of an FTC enforcement action. For example, Commissioner Christine Wilson wrote, in her dissenting statement, that the Rule was narrowly crafted to apply in limited, highly specific circumstances, and that its scope may depend on whether the personal health records at issue interact with personal health records held by a different vendor. In response to the FTC’s use of the moniker “health care provider” when referring to mobile health applications, Ms. Wilson asked: “How broadly does the Commission intend to read this language?” Similarly, Commissioner Noah Joshua Phillips argued in his dissenting statement that the FTC’s majority goes beyond the text of the Rule in interpreting the definition of “breach of security” to include the unauthorized sharing.
The FTC’s policy statement also comes during the ongoing rulemaking process by the FTC concerning the Rule and the Department of Health and Human Services’ ongoing rulemaking concerning the application of the HIPAA Privacy Rule to mobile health applications. As such, vendors of PHRs should monitor these ongoing rulemaking efforts, which could impact the FTC’s current interpretation of the Rule. Nevertheless, companies subject to the Rule under the current interpretation, can still take proactive measures to avoid a violation by, among other things, assessing the categories of its stored data, undertaking a cybersecurity risk assessment and comprehensive review of privacy policies, and ensuring the existence of a robust security incident response protocol. Notably, the breach notification requirement under the Rule generally only applies to a breach of unsecured PHR identifiable health information. In addition, such entities may have notification obligations under applicable state laws. You can reach out to Epstein Becker Green for further guidance as we will be monitoring the FTC’s enforcement activity closely moving forward.
 16 C.F.R. §318.1 provides, the rule “applies to foreign and domestic vendors of personal health records, PHI related entities, and third party service providers, irrespective of any jurisdictional tests in the Federal Trade Commission Act (FTC) Act, that maintain information of U.S. citizens or residents. It does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.” HIPAA covered entities and business associates must instead comply with HHS’s breach notification rule. See Dissenting Statement of Commissioner Christine S. Wilson.
Nija Chappel, a Law Clerk – Admission Pending (not admitted to the practice of law) in the firm’s Washington, D.C. office, contributed to the preparation of this post.