FTC Broadens Health Breach Notification Rule To Include Apps

Dive Brief:

• The Federal Trade Commission solidified data breach reporting requirements on healthcare applications in a Friday final rule, with the goal of stopping companies from trafficking potentially sensitive medical information.
• The Health Breach Notification Rule requires companies holding personal health information to notify regulators, consumers and in some cases the media when that data is breached, and allows regulators to fine bad actors. The new final rule clarifies that it applies to health apps, and expands the information those covered entities need to disclose in event of a breach.
• The FTC first warned health apps that the HBNR applied to them in a 2021 policy statement, before proposing a rule last spring directly stating its case.

Dive Insight:

The FTC is aiming to keep pace with evolving health data usage in updating the HBNR, which was first issued in 2009 and has rarely been used to penalize companies for breaches. 

However, apps and other direct-to-consumer wearables like fitness trackers have become more popular, thanks in part to the COVID-19 pandemic pushing the adoption of new health technologies. The apps commonly use consumers’ data for marketing and other purposes beyond what users are aware of, while being outside of the purview of the porous HIPAA privacy law.

On its face, the final rule essentially revises existing definitions in the HBNR. But underscoring the rule’s applicability to health apps could have big ramifications on the sector, as the FTC has been pursuing more enforcement actions relying on the HBNR.

Early last year, the FTC notched its first settlement under the HBNR, forcing drug discount provider GoodRx to pay a $1.5 million civil penalty after finding it disclosed consumers’ information to third-party advertisers like Facebook and Google. Then, in May, the FTC settled with Easy Healthcare, the parent company of ovulation and period tracking app Premom, over similar concerns for $100,000.

The relatively low fine amounts, plus settlements that haven’t required companies to admit wrongdoing, suggest the FTC hasn’t been certain about its ability to enforce its new interpretation of the HBNR in court, according to experts. Friday’s final rule is likely to bolster its enforcement position, and could lead to larger civil penalties in the future.

The rule also clarifies what constitutes personally identifiable health data — the data that, when breached, triggers the HBNR’s reporting requirements. That includes traditional health information like diagnoses and medications, data generated from interacting with apps and a category called “emergent health data.”

Emergent health data includes purchase records related to healthcare and location data that can be used to make inferences about a person’s medical history.

Location data has been a particular focus for regulators following the Supreme Court’s decision overturning the constitutional right to an abortion in 2022.

The Biden administration has been trying to find novel ways to use existing tools like the HBNR and HIPAA to crack down on data sharing, over concerns that data could be used to prosecute individuals who receive, perform or help facilitate an abortion.

Recently, the FTC has taken a number of actions against data brokers, stopping them from selling location information that could be used to track consumers’ visits to medical clinics.

The final rule also expands what companies have to tell consumers in event of a breach, like which third parties acquired their personal information and information about potential harm. It also allows companies to notify consumers about a breach via email or other electronic means, and sets a deadline to report large breaches.

FTC commissioners voted 3-2 to publish the rule in the Federal Register, with the three Democrat commissioners in favor and the two Republican commissioners opposed.

In a statement dissenting with the majority, Commissioners Melissa Holyoak and Andrew Ferguson argued the rule exceeds the FTC’s authority and “puts companies at risk of perpetual non-compliance.”