FTC tightens restrictions on health apps

The Federal Trade Commission (FTC) has proposed significant amendments to the Health Breach Notification Rule that would clarify and possibly expand the rule’s jurisdiction in relation to health apps and similar technologies.  

“We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information. When this information is breached, it is more vital than ever that mobile health app developers and others covered by the Health Breach Notification Rule provide consumers and the FTC with timely notice about what happened,” said Director of the FTC’s Bureau of Consumer Protection, Samuel Levine in a press release. 

 “The proposed amendments to the rule will allow it to keep up with marketplace trends, and respond to developments and changes in technology.” 

Currently, the rule mandates that vendors of personal health records (PHR), not subject to the Health Insurance Portability and Accountability Act (HIPAA), notify affected individuals, the FTC, and potentially the media in the event of a breach involving unsecured personally identifiable health data.  

According to the FTC, personally identifiable health data encompasses not only conventional health information like diagnoses and medications but also includes data obtained from fitness trackers and what they refer to as “emergent health data,” which is health information inferred from location data and health-related purchases. 

The proposed amendments aim to strengthen and modernize the rule, ensuring that it remains robust and effective in the face of emerging challenges in the digital health sphere.   

The FTC proposes the following changes: 

• Updating definitions to specify how the rule will apply to health apps and related technologies that aren’t currently covered by HIPAA. The FTC proposes to update the definition of “PHR identifiable health information” and introduce two new definitions for “health care provider” and “health care services or supplies.” These changes aim to enhance the rule’s effectiveness in addressing the unique characteristics and challenges posed by these emerging technologies. 
• Provide clarity by explicitly stating that a “breach of security” under the rule encompasses both unauthorized acquisition of identifiable health information resulting from a data security breach and unauthorized disclosure. This clarification ensures that any unauthorized access or disclosure of personal health information, whether through a breach in data security or other means, falls within the purview of the rule. 
• Modify the definition of “PHR related entity” to clarify the scope of the rule. The new definition of “PHR related entity” would include entities that “access or send unsecured PHR identifiable health information to a personal health record” as well as “entities that access or send any information to a personal health record.” 
• Define what it means for a personal health record to collect PHR identifiable health information from multiple sources. 
• Codify the use of email and electronic messaging to notify consumers of a breach. 
• Require that consumers be notified that a breach occurred, the potential risks and harm associated, and the identities of any third parties who may have obtained unsecured personally identifiable health information. 
• Improve the rule’s readability. 

 Beefing up consumer protection

 The FTC’s proposed amendments to the Health Breach Notification Rule represent a significant step towards strengthening consumer protection in the digital health era – especially when it comes to third party data trackers and the legal gray area they have operated in.  

In February, the FTC took action against GoodRx, a telehealth and prescription drug discount provider, for allegedly sharing  personal health information with advertising entities without notifying users.  

The first-of-its-kind legal case resulted in a $1.5 million settlement in which GoodRx admitted to no wrongdoing.  

Last week, the FTC accused fertility app Prenom for sharing users’ health data to Google, AppsFlyer, and two unnamed firms in China. The developer for Prenom, Easy Healthcare, was slapped with a $100,000 fine.  

The proposed rule would not prevent health apps and similar technologies from sharing any information with third party data trackers, but it would empower the FTC to penalize entities that share health data with third-party data trackers without first notifying consumers.  

Further, it would better define privacy laws for healthcare-adjacent entities by clarifying that a “breach” is not limited to cybersecurity intrusions or nefarious behavior,” but includes third-party data tracking tools.  

The Centers for Medicare and Medicaid Services recently released a bulletin expressing growing concern over breaches occurring through third-party data tracking tools. The bulletin follows a similar announcement from the Office of Civil Rights (OCR) of the Health and Human Services (HHS), who clarify that, “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.” 

Currently, a record 98.6% of hospital websites use third-party data trackers. Cedars-Sinai, Advocate Aurora, WakeMed, and Novant Health have all been involved with lawsuits related to third-party data tracker data breaches. 

The proposed amendments will take an important step toward better healthcare privacy regulation in the quickly –evolving digital healthcare landscape.