FTC Health Breach Notification Rule Applies to Health Apps and Wearable Devices

by Eoin Campbell | Sep 22, 2021

The Federal Trade Commission (FTC) has a Health Breach Notification Rule, similar to the Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA). The FTC has recently released a Policy Statement confirming digital health app and wearable device companies are required to comply with the Health Breach Notification Rule.

The HIPAA Breach Notification Rule only applies to HIPAA-regulated entities, which are healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities. When there is a breach of Protected Health Information (PHI), HIPAA-regulated entities are required to issue notifications to consumers within 60 days of the discovery of the breach. HHS must also be notified in the same time frame.

The FTC Rule covers personal health records (PHRs). The FTC defines PHRs as “identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” PHR vendors are businesses that provide or maintain a PHR, such as a company that stores medical records on behalf of individuals. The FTC Health Breach Notification Rule requires vendors of PHRs, PHR-related entities, and their service providers to notify consumers in the event of a breach of their identifiable health information.

The Policy Statement confirms that developers of digital health apps and wearable device manufacturers must comply with the Health Breach Notification Rule. Health apps and wearable devices covered by the FTC Rule are those that collect health information from a consumer and can draw information from multiple sources, including via APIs that allow syncing with a device such as a fitness tracker. If a company falls into that category but is also a HIPAA-regulated entity, then the HIPAA Breach Notification Rule applies instead.

In the event of a data breach, the FTC Health Breach Notification Rule requires service providers to notify the PHR vendor or PHR-related entity about the breach, and notifications must be sent to every individual whose unsecured identifiable health information was compromised. A breach is defined as the acquisition of individually identifiable health information without the authorization of the individual, which means the Rule applies not only to cybersecurity incidents but to any unauthorized disclosure of individually identifiable health data.

As with the HIPAA Breach Notification Rule, there are additional requirements for breaches affecting 500 or more individuals. If 500 or more individuals in a particular state are affected, then a prominent media outlet serving that state must be notified about the breach. As under HIPAA, notifications must be issued within 60 days of the discovery of a breach, and financial penalties can be imposed if the FTC Health Breach Notification Rule is violated.

The FTC made it quite clear in its Policy Statement that financial penalties will be imposed when violations are discovered. Penalties can be up to $43,792 per day for each day that notifications remain unissued after the 60-day deadline.

Digital health app developers should therefore develop and implement policies and procedures that ensure breach notifications can be issued within the 60-day deadline. They should also review their data sharing practices to confirm that clear authorization to share data has been obtained from consumers, since any disclosure without that authorization is itself a breach under the Rule.

“As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this Rule is more important than ever,” said the FTC in the Policy Statement.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Eoin Campbell

Eoin P. Campbell is an honours law graduate (LL.B) from Queen's University Belfast and a qualified solicitor. Eoin has moved from practicing law to teaching and is currently lecturing in law at two universities in Lyon, France, including on a master's degree course in cyberlaw. Eoin provides commentary with a legal perspective on cybersecurity and data protection, and is an expert on data privacy and GDPR. You can contact Eoin via LinkedIn.