On September 15, 2021, in response to the “proliferation of apps and connected devices that capture sensitive health data” the Federal Trade Commission (FTC) issued a Policy Statement (the Statement) offering guidance on the scope of the FTC’s Health Breach Notification Rule (Breach Rule). According to the Statement, the Breach Rule applies outside of the traditional health care context (e.g. health care involving diagnosis and treatment by a licensed health care provider) and the FTC intends to bring enforcement actions for noncompliance involving up to $43,792 in civil penalties per violation, per day.
The Breach Rule implements requirements for personal health records (PHR) under the American Recovery and Reinvestment Act of 2009 (ARRA) and requires notification to consumers, the FTC, and in some cases the media in the event of unauthorized acquisition or disclosure of unsecured “individually identifiable health information” as defined by HIPAA (which means among other things that the information involved would need to be created or received by a health care provider, health plan, employer or health care clearinghouse).
In the Statement, the FTC “clarifies” that under the Breach Rule health apps and connected devices that capture health data are “health care providers” because they “furnish health care services or supplies.” As a result, the Breach Rule broadly applies to a wide range of health apps and connected devices where identifiable health information is involved.
The FTC also takes an expansive view of what electronic records are subject to the Breach Rule. “Personal health record” is defined by the ARRA as an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. In the Statement, the FTC explains that health apps are covered by the Breach Rule if they are capable of drawing information from multiple sources, such as through a combination of consumer inputs and application programming interfaces (APIs) even if some sources do not contain health information, and provides the following examples:
- An app that collects information directly from consumers and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker; and
- A blood sugar monitoring app draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from your phone’s calendar).
Finally, the FTC took the opportunity to remind PHR vendors that a “breach” is not limited to cybersecurity intrusions or nefarious behavior. Incidents of unauthorized access, including sharing of covered information without an individual’s authorization, triggers notification obligations under the Breach Rule.