The Federal Trade Commission (FTC) has a Health Breach Notification Rule, similar to the Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA). The FTC has recently released a Policy Statement confirming digital health app and wearable device companies are required to comply with the Health Breach Notification Rule.
The HIPAA Breach Notification Rule only applies to HIPAA regulated entities, which are healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities. When there is a breach of Protected Health Information (PHI), HIPAA regulated entities are required to issue notifications to consumers within 60 days of the discovery of the breach. The HHS must also be notified in the same time frame.
The FTC Rule covers personal health records (PHRs). The FTC defines PHRs as “identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” PHR vendors are businesses that provide or maintain a PHR, such as a company that stores medical records on behalf of individuals. The FTC Health Breach Notification Rule requires vendors of PHRs, PHR-related entities, and their service providers to notify consumers in the event of a breach of their identifiable health information.
The policy statement confirms that developers of digital health apps and wearable device manufacturers must comply with the Health Breach Notification Rule. Health apps and wearable devices that are covered by the FTC Rule are those that collect health information from a consumer and can draw information from multiple sources, which includes via APIs that allow synching with a device such as a fitness tracker. If a company falls into that category but is also a HIPAA regulated entity, then the HIPAA Breach Notification Rule applies.
In the event of a data breach, the FTC Health Breach Notification Rule requires service providers to notify the PHR vendor or the PHR-related entity about any breach, and notifications must be sent to any individual whose unsecured identifiable health information is compromised in a breach. A breach is defined as the acquisition of individually identifiable health information without the authorization of the individual, which means the Rule not only applies to cybersecurity incidents but any unauthorized disclosure of individually identifiable health data.
As with the HIPAA Breach Notification Rule, there are additional requirements for breaches of 500 or more individuals. If 500 or more individuals in a particular state are affected, then a prominent media outlet serving that state must be notified about the breach. As with the HIPAA Breach Notification Rule, notifications must be issued within 60 days of the discovery of a breach and financial penalties can be imposed if the FTC Health Breach Notification Rule is violated.
The FTC made it quite clear in its Policy Statement that financial penalties will be imposed when violations are discovered. The financial penalties applicable can be up to $43,792 per day that notifications are not issued after the 60-day deadline.
Digital health app developers should therefore ensure policies and procedures are developed and implemented to ensure that notifications about breaches can be issued within the 60-day deadline, and also for data sharing policies to be reviewed to ensure that clear authorization to share data has been obtained from consumers.
“As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this Rule is more important than ever,” said the FTC in the Policy Statement.