Important Update: FTC Clarifies Health Breach Notification Rule

Healthcare Apps and Vendors Are Included

By Susan Walberg, JD MPA CHC, Principal Consultant, Compliance Ala Carte
Twitter: @AlaCompliance

As I have written in previous articles about HIPAA and health-tech, many apps in the marketplace have been largely unregulated with respect to the privacy and security of healthcare data. In order for healthcare-related apps to be regulated, for the most part, they needed to be covered under HIPAA. As a result, only the apps that were directly related to providing or billing for healthcare services, or those companies’ ‘Business Associates,’ were required to put specific controls and notifications in place. All the rest were not. The Federal Trade Commission (FTC), the agency responsible for consumer protection, hasn’t really been on the radar in terms of regulatory oversight in this arena.

The many thousands of apps that are selected and used by consumers to manage illnesses, track fitness, and other health-related services do not fall under HIPAA’s requirements and were, for the most part, unregulated. All of this has changed with a September 15, 2021, Policy Statement by the FTC.

According to the Statement, the Health Breach Notification Rule ‘Helps to ensure that entities who are not covered by the Health Insurance Portability and Accountability Act (HIPAA) nevertheless face accountability when consumers’ sensitive health information is compromised.’ The Breach Notification Rule is not new, but this clarification is, and signals likely enforcement of a rule that has largely gone unenforced to date. The push to regulate apps came from Congress, and further legislation is likely.

Who is Affected?

The FTC clarifies that vendors of ‘personal health records (PHRs) and PHR-related entities’ have to follow the breach notification procedures outlined in the Rule, which includes notification of consumers, the FTC, and even the media in some cases. These are not HIPAA ‘Covered Entities.’

The Rule covers vendors of PHRs that contain individually identifiable health information ‘created or received by health care providers.’ More specifically, PHRs are defined as an electronic record of “identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”

The part that may be misunderstood is who the FTC considers a ‘health care provider.’ The FTC considers the developer of a health app or connected device as a ‘health care provider’ because it “furnishes healthcare services or supplies.”

According to the recent Statement, and the definition itself, the rule applies to any app that is capable of drawing information from multiple sources, such as from a consumer and an application programming interface (API). What are some examples? The FTC cites a blood sugar monitoring app that gets information entered by the consumer but also accesses data from the phone, such as the calendar. So all those apps that are previously considered exempt, such as fitness trackers, now need to take note.

What is a Breach?

The second critical aspect of the Statement pertains to what constitutes a breach. While most people consider a breach to be an intrusion, ransomware, or an attack by a hacker, the FTC takes a broader view. Now, it has been clarified, a breach includes unauthorized access, including sharing of information without an individual’s authorization. This is potentially a very big deal for all those apps that fell outside of HIPAA and were not hesitant about sharing consumer data with advertisers, investor-companies, or ‘big tech,’ where such data is often used to build user profiles. If you read my previous article on this topic, it hasn’t been illegal to sell or share consumer information that consumers voluntarily enter into many healthcare apps (unless they fit within HIPAA). Those activities, if not authorized by the consumer, are considered a breach and the FTC has put everyone on notice that more active enforcement of this rule can be expected. And the penalties? Penalties can be up to $43,792 per violation.

What to Do?

If you are an app developer or own a company involved in developing healthcare apps, you need to review the policies, consumer consent and authorizations, and the technical controls in place. Evaluate where you share consumer data. Look at any data sharing agreements and contracts where sharing data might be part of the deal.

Make sure you review the various rules and regulations that apply to you as well as the various guidance put out by the FTC. You can find their guidance, enforcement activities, and press releases on their website, If you’re not sure, get help in figuring out which laws and regulations apply to your organization.

Take note that this area of compliance and enforcement is changing rapidly. Technology got ahead of regulations, especially with changing needs due to COVID. I will continue monitoring these developments and posting articles on my website and on LinkedIn. I’m also working on my third compliance book, ‘Compliance and Healthcare Technology’, as this is a new and complex arena for many developers who now find themselves regulated as healthcare providers.

This article was originally published on the Compliance Ala Carte blog and is republished here with permission.