On September 15, 2021, the Federal Trade Commission (FTC) voted 3–2 along party lines (with the Republican commissioners dissenting) to issue a policy statement asserting an expansive interpretation of the FTC's Health Breach Notification Rule, 16 CFR Part 318 (the Rule). According to the policy statement, the Rule applies to health apps and connected devices that are not subject to the Health Insurance Portability and Accountability Act (HIPAA) but are capable of drawing information from multiple sources, for example through a combination of consumer inputs and application programming interfaces (APIs).
IN DEPTH
The Rule was first promulgated by the FTC in 2010 and does not apply to HIPAA covered entities or business associates (acting in their capacity as a business associate). The Rule requires vendors of personal health records (PHR), PHR-related entities and third-party service providers of PHR vendors to notify US consumers, the FTC and, in some cases, the media if a breach of unsecured identifiable health information occurs. The Rule imposes civil penalties of $43,792 per day, per violation. Since the Rule took effect more than a decade ago, the FTC has received only four notifications under the Rule and has not initiated any enforcement actions.
The Rule defines a PHR as an electronic record of individually identifiable health information that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for an individual. The Rule cross-references the HIPAA definition of individually identifiable health information, which, in relevant part, is defined as information that is created or received by a healthcare provider, health plan or healthcare clearinghouse, and relates to the past, present or future physical or mental health or condition of an individual, the provision of healthcare to an individual, or payment for the provision of healthcare to an individual.
During the FTC's virtual meeting on September 15, 2021, the commissioners voted 3–2 along party lines to approve the policy statement, which clarifies the FTC's position that:
- Developers of mobile health apps or connected devices are healthcare providers for purposes of the Rule because the developer furnishes healthcare services or supplies by offering the app or connected device; and
- Any mobile health app is covered by the Rule if it is capable of drawing information from multiple sources, even if health information is collected from only one source.
The FTC provided specific examples of apps subject to the Rule, explaining that an app is covered if it collects information directly from consumers and has the technical capacity to draw information through an API that enables syncing with a consumer's fitness tracker. The FTC also clarified that the Rule applies to apps that pull information from multiple sources, even if only one of those sources provides health information (e.g., an app that collects health information entered by a consumer and also gathers non-health information from another source, such as dates from the consumer's phone calendar).
The policy statement also reminds developers of mobile health apps or connected devices that a breach under the Rule is not limited to cybersecurity intrusions or nefarious behavior, but can also include incidents of unauthorized access, such as sharing of covered information without an individual's authorization.
The policy statement concludes by stating that the FTC expects to begin enforcing the Rule consistent with this new guidance.
In separate statements, the dissenting Republican FTC commissioners asserted that the FTC's interpretation was too expansive and raised procedural concerns about using a policy statement to outline the scope of the Rule. The dissenting commissioners argued that the statement served as an "end run" around ongoing rulemaking processes, including a public comment period the FTC opened in May 2020 regarding potential modifications to the Rule, which specifically requested comments on whether the Rule's definitions should be modified and on the potential enforcement implications raised by the proliferation of direct-to-consumer mobile health apps and platform health tools.
Subsequent Steps
The policy statement has broad implications for mobile health, fitness and other apps that fall within the scope of this new guidance. For example, a covered app developer's disclosure of individually identifiable health information to a third-party analytics provider without the consumer's authorization likely triggers the breach notification provisions of the Rule, unless the entity "has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information."
Developers of mobile health apps and connected devices should evaluate their products and services in light of this policy statement, including whether to obtain individual authorization for disclosures of individually identifiable health information made by the developer.
The policy statement will likely attract considerable attention in the digital health community. We will continue to monitor FTC enforcement activity and any related litigation.