FTC Warns Health Apps to Comply with its Health Breach Notification Rule | Practical Law

The FTC has issued a policy statement warning makers of health apps and connected devices that they must comply with the Health Breach Notification Rule's requirements or face enforcement actions for violations. The policy statement clarifies how the Rule applies to these apps and what events trigger the Rule's breach notification requirements.

Practical Law Legal Update w-032-6273 (Approx. 4 pages)

by Practical Law Data Privacy Advisor
Published on 16 Sep 2021
USA (National/Federal)
On September 15, 2021, the FTC published a policy statement and accompanying press release clarifying the scope of the FTC's Health Breach Notification Rule for makers of apps and connected devices collecting sensitive health data and warning of upcoming enforcement actions (16 C.F.R. §§ 318.1 to 318.9). The Rule:
  • Applies to vendors of personal health records (PHR) that contain individually identifiable health information drawn from multiple sources, their service providers, and PHR-related entities that are not covered entities under HIPAA (16 C.F.R. § 318.2).
  • Requires these entities to report breaches of unsecured, individually identifiable health information to affected individuals, the FTC, and in certain circumstances, the media (16 C.F.R. §§ 318.2 to 318.6).
The FTC's policy statement clarifies that:
  • The Rule covers health apps capable of drawing information from multiple sources, including apps that collect information:
    • directly from consumers, but also have the technical capability to collect information through application programming interfaces (APIs), for example, an API that enables the app to sync with a consumer's fitness tracker; and
    • from one source related to the consumer's health and another source not related to the consumer's health, for example, an app that collects blood sugar levels entered by the consumer along with dates from their calendar.
  • A breach triggering the Rule's notification requirements is not limited to cybersecurity incidents and intrusions by bad actors, but can also mean unauthorized access to PHR or sharing an individual's identifiable health information without their consent.
  • Health app makers and other collectors and users of health information must secure and protect user data.
The FTC intends to bring enforcement actions for Rule violations, which carry civil penalties of $43,792 per violation per day.
The FTC provides guidance for mobile health app developers on its website.