<div dir="ltr"><div class="gmail_default" style="font-size:small"><a href="https://www.natlawreview.com/article/health-app-alert-ftc-expands-scope-health-breach-notification-rule">https://www.natlawreview.com/article/health-app-alert-ftc-expands-scope-health-breach-notification-rule</a></div><div class="gmail_default" style="font-size:small"><div id="gmail-content" class="gmail-left_section"><div class="gmail-region gmail-region-content"><div id="gmail-block-system-main" class="gmail-block gmail-block-system"><div class="gmail-content"><div id="gmail-node-157091" class="gmail-article gmail-node gmail-node-article"><div class="gmail-left_content_article gmail-left_content"><div id="gmail-normal-wrapper"><p class="gmail-rtejustify">The Federal Trade Commission (“FTC”) recently issued an important <a href="https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf" rel="noopener" target="_blank">policy statement</a> to
health apps and other connected devices that collect or use consumers’
health information. The FTC’s policy statement effectively clarified
the position that health apps and related connected devices are subject
to the <a href="https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-318/section-318.3" rel="noopener" target="_blank">Health Breach Notification Rule</a> (“the
Rule”), which requires vendors of personal health records (“PHR”) and
PHR-related entities to notify U.S. consumers, the FTC, and in cases of
certain breaches involving over 500 consumers, the media, if there has
been a breach of unsecured identifiable health information. The FTC’s
commissioners voted 3-2 to approve the policy statement.</p>
<p class="gmail-rtejustify">The FTC’s Rule helps account for entities that are not subject to the requirements of the <a href="https://www.workplaceprivacyreport.com/2021/03/articles/hipaa/small-nj-medical-practice-becomes-18th-target-of-ocrs-hipaa-right-of-access-enforcement-initiative/" rel="noopener" target="_blank">Health Insurance Portability and Accountability Act</a> (HIPAA),
but nonetheless collect and use sensitive health information. The FTC
notes in its policy statement that while the Rule was established more
than a decade ago, “the explosion in health apps and connected devices,”
particularly with the onset of the COVID-19 pandemic, and a spike in
cyberattacks in this space, have made the Rule’s obligations “more
important than ever.” Health apps include everything from fitness,
sleep and diet trackers to apps that help individuals track their
disease, diagnosis, medications, mental health and other vital areas.</p>
<p class="gmail-rtejustify">Specifically, the Rule states that:</p>
<p class="gmail-rtejustify"><em>each vendor of personal health records,
following the discovery of a breach of security of unsecured PHR
identifiable health information that is in a personal health record
maintained or offered by such vendor, and each PHR related entity,
following the discovery of a breach of security of such information that
is obtained through a product or service provided by such entity,
shall:</em></p>
<ul><li class="gmail-rtejustify"><em>Notify each individual who is a citizen
or resident of the United States whose unsecured PHR identifiable health
information was acquired by an unauthorized person as a result of such
breach of security; and</em></li>
<li class="gmail-rtejustify"><em>Notify the Federal Trade Commission.</em></li>
</ul><p class="gmail-rtejustify">In addition, the Rule requires third-party
service providers of such vendors, following the discovery of a breach
of security, to provide notice of the breach to an official of the
vendor designated in writing, and if no such designation is made, to a
senior official of the vendor.</p>
<p class="gmail-rtejustify">PHR is defined as an electronic record of
individually identifiable health information that can be drawn from
multiple sources and that is managed, shared and controlled by or
primarily for an individual.</p>
<p class="gmail-rtejustify">Notably, the policy statement emphasizes that a
health app is subject to the Rule if it is capable of drawing
information from multiple sources, <em>even if the health information comes from only one source</em>.
The FTC provides the example of a blood sugar monitoring app that draws
health information only from one source (e.g., a consumer’s inputted
blood sugar levels), but also takes non-health information from another
source (e.g., dates from your phone’s calendar) – such an app is covered
under the Rule.</p>
<p class="gmail-rtejustify">The FTC’s policy statement further clarifies that
when a health app discloses sensitive health information without user
consent, a “breach of security” is triggered under the Rule, and such a
breach is not limited to “nefarious behavior”. “While this Rule imposes
some measure of accountability on tech firms that abuse our personal
information, a more fundamental problem is the commodification of
sensitive health information, where companies can use this data to feed
behavioral ads or power user analytics,” said FTC Chair Lina M. Khan.
“Given the growing prevalence of surveillance-based advertising, the
Commission should be scrutinizing what data is being collected in the
first place and whether particular types of business models create
incentives that necessarily place users at risk.” Entities that fail to
comply with the Rule are subject to monetary penalties of up to $43,792
per violation, per day.</p>
<p class="gmail-rtejustify">The Rule has generated significant confusion for
entities offering PHRs, particularly since the onset of the COVID-19
pandemic. It is important to emphasize that the FTC’s rule does not
apply to HIPAA-covered entities. The preamble of the Rule, for example,
addresses whether the Rule would cover PHRs that a HIPAA-covered entity
offers its employees. The preamble explicitly notes that “<em>because the FTC’s rule does not apply to HIPAA-covered entities, it does not apply to PHRs that such entities offer their employees</em>”.
The overarching goal is to “harmonize” HHS and FTC data breach
notification reporting requirements, and compliance with certain HHS
rule requirements in turn satisfies compliance under the FTC rule.
There are, however, situations where an entity may have “dual or
overlapping” coverage under the HHS and FTC rules. Here are a couple of
examples:</p>
<ul><li class="gmail-rtejustify">A vendor with a dual role as both a business associate
under HIPAA and a provider of PHRs to the public through its own website
(reporting requirements under HHS for its functions related to
qualifying as a business associate, and requirements under the FTC rule
for its role as a provider of PHRs to the public).</li>
<li class="gmail-rtejustify">PHRs offered to families (a HIPAA-covered group health plan
would have data breach reporting requirements under the HHS Rule for the
employee covered by the plan, but not for a spouse who has a PHR under
the plan but is insured by a different provider, for which the FTC Rule
would be applicable).</li>
</ul><p class="gmail-rtejustify">As a result, it is crucial for an entity that provides
services and functions to varying categories of individuals to
carefully parse out applicability under each of the rules.</p>
<p class="gmail-rtejustify">The health app industry is booming. It brings
innumerable potential benefits as well as significant data privacy and
security risks. Organizations that collect, use, and store medical data
face increasing compliance obligations as the law attempts to keep pace
with technology, cybersecurity crimes, and public awareness of data
privacy and security. Creating a robust data protection program or
regularly reviewing an existing one is a critical risk management and
legal compliance step.</p>
</div>
</div></div></div></div></div></div></div></div>