Dive Brief:
- The Federal Trade Commission finalized its data breach reporting requirements for health care apps in a final rule issued Friday, aiming to prevent companies from mishandling potentially sensitive medical information.
- The Health Breach Notification Rule requires companies with personal health information to notify regulators, consumers, and, in some cases, the media when that data is breached, and allows regulators to fine bad actors. The new final rule clarifies that it applies to health apps and expands the information that covered entities must disclose in the event of a breach.
- The FTC first warned health apps that the HBNR applied to them in a 2021 policy statement, before proposing a rule last spring that directly stated its case.
Dive Insight:
The FTC aims to track changes in health data use by updating the HBNR, which was first published in 2009 and has rarely been used to penalize companies for violations.
However, apps and other direct-to-consumer wearables, such as fitness trackers, have grown more popular, thanks in part to the COVID-19 pandemic accelerating the adoption of new health technologies. Apps frequently use consumer data for marketing and other purposes beyond what users are aware of, while falling outside the scope of the porous HIPAA privacy law.
On its face, the final rule essentially revises existing definitions in the HBNR. But emphasizing the rule's applicability to healthcare apps could have big ramifications for the industry, as the FTC pursues more enforcement actions relying on the HBNR.
Early last year, the FTC reached its first settlement under the HBNR, requiring drug discount provider GoodRx to pay a $1.5 million civil penalty after it was found to have disclosed consumer information to third-party advertisers like Facebook and Google. Then, in May, the FTC settled with Easy Healthcare, the parent company of ovulation and period tracking app Premom, over similar concerns for $100,000.
The relatively low fine amounts, as well as regulations that do not require companies to admit wrongdoing, suggest the FTC isn't sure on its ability to enforce its new interpretation of the HBNR in court, according to experts. Friday's final rule will likely strengthen its enforcement position and could lead to heavier civil penalties in the future.
The rule also clarifies what constitutes personally identifiable health data – data that, if breached, triggers the HBNR reporting requirements. This includes traditional health information such as diagnostics and medications, data generated through interaction with apps, and a category called “emerging health data.”
Emerging health data includes records of healthcare-related purchases and location data that can be used to draw conclusions about a person's medical history.
Location data has drawn particular attention from regulators since the Supreme Court decision overturning the constitutional right to abortion in 2022.
The Biden administration has tried to find new ways to use existing tools like the HBNR and HIPAA to crack down on data sharing, fearing that the data could be used against people who receive, perform or help facilitate an abortion.
Recently, the FTC has taken a number of actions against data brokers, preventing them from selling location information that could be used to track consumers' visits to medical clinics.
The final rule also expands what companies must tell consumers in the event of a breach, such as which third parties acquired their personal information and what potential harm could result. It also allows businesses to notify consumers of a breach by email or other electronic means, and establishes a deadline for reporting breaches.
FTC commissioners voted 3-2 in favor of publishing the rule in the Federal Register, with the three Democratic commissioners in favor and the two Republican commissioners opposing it.
In a statement dissenting from the majority, Commissioners Melissa Holyoak and Andrew Ferguson argued that the rule overstepped the FTC's authority and “puts companies at risk of perpetual noncompliance.”