[BreachExchange] Health App Alert: FTC Expands Scope Health Breach Notification Rule

Tue Oct 5 17:54:48 EDT 2021

https://www.natlawreview.com/article/health-app-alert-ftc-expands-scope-health-breach-notification-rule

The Federal Trade Commission (“FTC”) recently issued an important policy
statement
<https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf>
to
health apps and other connected devices that collect or use consumers’
health information.  The FTC’s policy statement effectively clarified the
position that health apps and related connected devices are subject to
the Health
Breach Notification Rule
<https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-318/section-318.3>
(“the
Rule”), which requires vendors of personal health records (“PHR”) and
PHR-related entities to notify U.S. consumers, the FTC, and in cases of
certain breaches involving over 500 consumers, the media, if there has been
a breach of unsecured identifiable health information.  The FTC’s
commissioners voted 3-2 to approve the policy statement.

The FTC’s Rule helps account for entities that are not subject to the
requirements of the Health Insurance Portability and Accountability Act
<https://www.workplaceprivacyreport.com/2021/03/articles/hipaa/small-nj-medical-practice-becomes-18th-target-of-ocrs-hipaa-right-of-access-enforcement-initiative/>
(HIPAA),
but nonetheless collect and use sensitive health information.  The FTC
notes in its policy statement that while the Rule was established more than
a decade ago, “the explosion in health apps and connected devices”
particularly with the onset of the COVID-19 pandemic, and a spike in
cyberattacks in this space, has made the Rule’s obligations “more important
than ever.”  Health apps include everything from fitness, sleep and diet
trackers, to apps that help individuals track their disease, diagnosis,
medications, mental health, other vital areas and more.

Specifically, the Rule states that:

*each vendor of personal health records, following the discovery of a
breach of security of unsecured PHR identifiable health information that is
in a personal health record maintained or offered by such vendor, and each
PHR related entity, following the discovery of a breach of security of such
information that is obtained through a product or service provided by such
entity, shall:*

   - *Notify each individual who is a citizen or resident of the United
   States whose unsecured PHR identifiable health information was acquired by
   an unauthorized person as a result of such breach of security; and*
   - *Notify the Federal Trade Commission.*

In addition, the Rule requires third-party service providers of such
vendors, following the discovery of a breach of security, to provide notice
of the breach to an official of the vendor designated in writing, and if no
such designation is made, to a senior official of the vendor.

PHR is defined as an electronic record or individually identifiable health
information that can be drawn from multiple sources and that is managed,
shared and controlled by or primarily for an individual.

Notably, the policy statement emphasizes that a health app is subject to
the Rule if it is capable of drawing information from multiple sources, *even
if the health information comes from only one source*. The FTC provides the
example of a blood sugar monitoring app that draws health information only
from one source (e.g., a consumer’s inputted blood sugar levels), but also
takes non-health information from another source (e.g., dates from your
phone’s calendar) – such an app is covered under the Rule.

The FTC’s policy statement further clarifies that when a health app
discloses sensitive health information without user consent, a “breach of
security” is triggered under the Rule, and such a breach is not limited to
“nefarious behavior”.  “While this Rule imposes some measure of
accountability on tech firms that abuse our personal information, a more
fundamental problem is the commodification of sensitive health information,
where companies can use this data to feed behavioral ads or power user
analytics,” said FTC Chair Lina M. Khan. “Given the growing prevalence of
surveillance-based advertising, the Commission should be scrutinizing what
data is being collected in the first place and whether particular types of
business models create incentives that necessarily place users at risk.”
Entities that fail to comply with the Rule are subject to monetary
penalties of up to $43,792 per violation, per day.

The Rule has generated significant confusion for entities offering PHRs,
particularly since the onset of the COVID-19 pandemic. It is important to
emphasize that the FTC’s rule does not apply to HIPAA-covered entities. The
preamble of the Rule, for example, addresses whether the Rule would cover
PHRs that a HIPAA-covered entity offers its employees. The preamble
explicitly notes that “*be**cause the FTCs rule does not apply to
HIPAA-covered entities, it does not apply to PHRs that such entities offer
their employees**”.*   The overarching goal is to “harmonize” HHS and FTC
data breach notification reporting requirements, and compliance with
certain HHS rule requirements in turn satisfies compliance under the FTC
rule.  There are, however, situations where an entity may have “dual or
overlapping” coverage under the HHS and FTC rules.  Here are a couple
examples: 1) A vendor with a dual role as both a business associate under
HIPAA and a provider of PHRs to the public through its own website
(reporting requirements under HHS for its functions related to qualifying
as a business associate, and requirements under the FTC rule for its role
as a provider of PHRs to the public), 2) PHRs offered to families (a HIPAA
covered group health plan would have data breach reporting requirements
under HHS Rule for the employee covered by the plan, but not for a spouse
who has a PHR under the plan, but is insured by the a different provider,
for which the FTC Rule would be applicable). As a result, it is crucial for
an entity that provides services and functions to varying categories of
individuals, to carefully parse out applicability under each of the rules.

The health app industry is booming. It brings innumerable potential
benefits as well as significant data privacy and security risks.
Organizations that collect, use, and store medical data face increasing
compliance obligations as the law attempts to keep pace with technology,
cybersecurity crimes, and public awareness of data privacy and security.
Creating a robust data protection program or regularly reviewing an
existing one is a critical risk management and legal compliance step.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20211005/c37956fc/attachment.html>