Share this article on:
Developers of health apps and wearable devices such as fitness trackers that collect health data have been warned by the Federal Trade Commission (FTC) that they are required to comply with the FTC Health Breach Notification Rule and must notify consumers about data breaches.
The FTC Health Breach Notification Rule was introduced in 2009 as part of the American Recovery and Reinvestment Act of 2009, and requires individuals to be notified if there is a breach of their health data. The Health Breach Notification Rule applies to vendors of personal health records and associated companies, but in a policy statement issued on September 16, 2021, the FTC said health apps and other connected devices that collect or use the health information of U.S. consumers are also covered by Rule. The policy statement was approved during an open meeting on Wednesday by a vote of 3-2.
The FTC Health Breach Notification Rule applies to health apps and wearable devices that collect health information from a consumer and can draw information from multiple sources, such as through an API that allows synching with a device such as a fitness tracker. Compliance will be enforced by the FTC, which has the authority to impose financial penalties. Those penalties can be as high as $43,792 for each day that notifications have not been issued.
Health apps can collect a wide range of sensitive personal and health data, either by directly recording the information through paired sensors, or by individuals entering the data into the apps manually. Health apps have been growing in popularity and usage has increased during the pandemic. Given the wide range of sensitive data stored by the apps, they are an attractive target for cybercriminals.
“As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this Rule is more important than ever,” said the FTC in the policy statement.
A lot of the data collected by health apps would be considered protected health information if collected by a healthcare provider, which would mean the information would be subject to the restrictions on uses and disclosures stipulated by the HIPAA Privacy Rule. Safeguards would need to be implemented to secure the data, in accordance with the HIPAA Security Rule, and a breach of health data would require notifications per the HIPAA Breach Notification Rule. However, unless a health app is developed for use by a HIPAA-covered entity, it falls outside of HIPAA protections.
Health apps often have security features to protect the privacy of users, but they are often limited. There have been calls for HIPAA to be extended to cover health app developers to improve privacy protections for users, or to implement new legislation covering these apps that requires certain standards of privacy and security to be adopted.
The FTC policy statement will at least help to ensure that users of health apps and wearable devices will be notified should a data breach occur, which will allow them to take steps to protect their identities and prevent fraud.
“While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” said FTC Chair Lina M. Khan. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”