FTC: Health App, Device Makers Must Report BreachesBut Does the 'Policy Statement' Warning Overstep the Intention of the Rule?
The Federal Trade Commission is warning makers of personal health records, mobile health apps, fitness devices and a variety of similar products and services that they will face monetary penalties for failure to comply with the commission's 12-year-old - but never-yet enforced - Health Breach Notification Rule.
The FTC's policy statement released Wednesday says companies will face civil monetary penalties of up to nearly $44,000 per violation per day for noncompliance.
"The Commission will enforce this Rule with vigor," said FTC Chair Lina Khan in written remarks. The rule applies to a variety of vendors - as well as their third-party service providers - who are not covered by the HIPAA breach notification rule yet face accountability when consumers’ sensitive health information is compromised, the FTC says.
Under the rule’s requirements, vendors of personal health records and PHR-related entities must notify U.S. consumers and the FTC when there has been a breach of unsecured identifiable health information, or face civil penalties for violations, the FTC says.
"In practical terms, this means that entities covered by the Rule who have experienced breaches cannot conceal this fact from those who have entrusted them with sensitive health information," the FTC says.
Pace of Change
The move by the FTC to issue the warning comes as the use of wearable health technologies and health apps has proliferated in recent years, along with controversies over incidents involving the alleged mishandling, misuse or unauthorized sharing of consumers' sensitive health data collected by or contained in these products.
When the FTC first issued the rule more than a decade ago, there were few apps, wearables and other technologies for health advice, information and tracking. The policy statement explains how the rule will be enforced to keep pace with changing technology.
Apps and connected devices, such as wearable fitness tracking devices that collect consumers’ health information, are covered by the Health Breach Notification Rule if they can draw data from multiple sources, and are not covered by HIPAA, the FTC notes.
"For example, a health app would be covered under the FTC’s rule if it collects health information from a consumer and has the technical capacity to draw information through an application programming interface that enables synching with a consumer’s fitness tracker," the FTC says.
Also covered are apps that draw information from multiple sources but collect health information from only one source. That could include a diabetes monitoring app that collects the sugar levels a user enters, along with dates and times from the user's phone, the FTC says.
In addition, the FTC in its statement said a “breach” is not limited to cybersecurity intrusions or nefarious behavior.
"Incidents of unauthorized access, including sharing of covered information without an individual’s authorization, triggers notification obligations under the Rule," the FTC says.
Jumping the Gun?
But within FTC's leadership, not everyone agrees with the decision to issue the policy statement, especially at this time.
The FTC notes that its commissioners voted 3-2 to issue the breach notification policy statement.
Joshua Phillips, one of two FTC commissioners who voted against issuing the statement, noted in a dissent statement that the FTC is in the midst of two related rulemaking processes.
One includes rulemaking pertaining to the Health Breach Notification Rule itself, the types of products it covers, and a review of public comments.
The other rulemaking process involves the Department of Health and Human Services and pertains to possible changes to the HIPAA privacy rule, including how to define and treat mobile health apps under those regulations.
"The Statement end runs not one but two ongoing rulemaking processes and relies on a convoluted statutory interpretation to apply civil penalties to a broad swath of conduct never contemplated by Congress," Phillips wrote in his dissent.
The FTC warning comes on the heels of a settlement finalized in June between the commission and fertility mobile app vendor Flo Health over data-sharing privacy issues (see: FTC Orders Health App Vendor to Revamp Privacy Practices).
The commission alleged the startup company violated the FTC Act by misrepresenting to millions of women how it shared their sensitive health data with third-party analytics firms, including Facebook and Google.
The Wilmington, Delaware-based app vendor agreed to a major revamp of its privacy practices and a number of other actions under the settlement with the FTC - but did not face a civil monetary fine.
In addition to the FTC settlement, Flo Health also faces a proposed civil class action lawsuit alleging violations of several state and federal privacy laws pertaining to the company sharing users' health data with third-parties.
The FTC's moves this week pertaining to the Health Breach Notification Rule "are an interesting effort to expand how that rule has been viewed since it was implemented," says privacy attorney Kirk Nahra of the law firm WilmerHale.
"It is focusing attention on a much larger group of health-related companies, and changing how the FTC has looked at that rule and how the industry has perceived it," he notes.
"I expect meaningful challenges to this 'clarification' if it is put into play," Nahra says.
"This is, in general, part of an ongoing effort to expand enforcement opportunities, and is consistent with some previous statements … on how this rule should be applied."
Regulatory attorney Nancy Perkins of the law firm Arnold Perkins says the most significant part of the FTC's policy statement is about clarifying which types of entities must comply with the Health Breach Notification Rule.
"Because the FTC has taken so little action under the rule since its promulgation in 2009, this is something of a wake-up call to entities that may be subject to the rule but might not realize that," she says.
"The FTC is flexing its muscle to say it would enforce this rule against a health app developer that collects personal health information if the developer failed to notify individuals of a security breach."