FTC Strengthens Breach Reporting Obligations for Health Apps and Connected Health and Wellness Devices | Hogan Lovells
The Health Breach Notification Rule applies more widely than previously understood
The policy statement drew attention to the Health Breach Notification Rule (Rule), which was issued under the American Recovery and Reinvestment Act of 2009 (ARRA) and was intended to strengthen the privacy and security protections for health information handled by web-based companies. The Rule, which requires consumers, the FTC, and in some cases the media to be notified in the event of a breach of health data, applies only to entities that are not subject to HIPAA. The number of non-HIPAA-covered mobile apps and digital platforms handling health information is growing rapidly, and the policy statement signals a change in how the FTC will approach policing these tools. According to the policy statement, the increased use of apps and connected devices that collect sensitive health data, such as those that track diseases, diagnoses, treatments, medications, fitness, fertility, sleep, mental health, and diet, has led to a shift in the FTC’s enforcement priorities.
The Rule applies to personal health record (PHR) providers, PHR related entities, and their third-party service providers. PHRs are essentially electronic records that (1) contain individually identifiable health information; (2) are managed, shared, and controlled by or primarily for the individual; and (3) can be drawn from multiple sources. The Rule applies only to health information that is created or received by a health care provider, health plan, employer, or health care clearinghouse.
Importantly, in the policy statement the FTC explained its interpretation of the term “health care provider,” which will likely encompass a number of health apps that were previously unaware they might be subject to the Rule. In the FTC’s view, developers of health apps or connected devices are “health care providers” because they “provide health care services or supplies.” As a result, many companies that offer consumer health apps and connected consumer-managed devices are, in the eyes of the FTC, health care providers.
In the policy statement, the FTC further clarified that an app meeting the definition of a PHR provider is covered by the Rule if it is able to draw information from multiple sources. These sources can include a combination of consumer input and application programming interfaces (APIs), and can include both health and non-health sources. For example, a mobile app that pulls information from a consumer’s health data while also capturing information from the consumer’s calendar app would be covered. Because it draws information from multiple sources, including both health and non-health sources, such an app would fall within the scope of the Rule, triggering notification requirements in the event of a breach.
As noted above, the Rule also applies to PHR related entities and third-party service providers, including those that offer products or services through the website of a PHR provider or of a HIPAA-covered entity that offers PHRs, and those that access information in, or send information to, a PHR. The Rule may therefore apply to certain businesses that advertise on health apps or on covered entity platforms.
Compliance obligations for entities subject to the rule
PHR providers and PHR related entities are required to notify consumers, the FTC, and in some cases the media when a consumer’s health information has been breached. A breach occurs when there has been an unauthorized acquisition of an individual’s unsecured PHR information.
In the policy statement, the FTC stated that a breach is not limited to cybersecurity intrusions. Unauthorized access incidents, including sharing covered information without a consumer’s authorization, would trigger notification obligations under the Rule unless the PHR provider or PHR related entity can demonstrate that the unauthorized acquisition did not, or reasonably could not have, taken place.
When a breach occurs, PHR providers and PHR related entities are required to notify (1) the FTC as soon as possible, and in any event no later than ten business days after discovery, of a breach affecting 500 or more consumers, and (2) affected consumers, and prominent media outlets in any state or jurisdiction where 500 or more residents are affected, within 60 days of discovery. For breaches involving the health information of fewer than 500 people, companies can fulfill their obligation to notify the FTC by submitting an annual report covering the breaches discovered in that calendar year. Third-party service providers must notify the affected PHR providers and PHR related entities within 60 days of discovery.
Steps to be taken to comply with the clarified rule
The cost of non-compliance can be substantial. Businesses that fail to comply with the Rule’s notification requirements could face civil monetary penalties of $43,792 per violation per day. The FTC’s requirements are modeled on the HIPAA Breach Notification Rule enforced by the US Department of Health and Human Services (HHS), and it remains to be seen whether the FTC will take a similar approach to enforcement. Breaches reported to HHS can lead to broader compliance reviews that result in settlement agreements involving both financial penalties and multi-year corrective action plans. The FTC has long viewed health data as sensitive and deserving of enhanced protection, and statements from some commissioners suggest that the FTC could take further action in this area.
To manage the compliance risk associated with the Rule and with FTC enforcement in general, companies offering, or advertising on, mobile health apps and connected health and wellness devices should:
- Assess whether and how they are subject to the Rule and update their incident response plans, policies and procedures accordingly;
- Assess the scope and clarity of the notices and consents provided to consumers, to confirm that data practices are in line with FTC expectations and that a process exists to identify and address access to consumer health data that could be considered a breach under the new policy statement; and
- Consider audits or mock exercises to test readiness.
Finally, the Rule includes a sunset provision: if new legislation is enacted that establishes breach notification requirements applicable to entities subject to the Rule, the Rule will no longer apply to breaches discovered on or after the effective date of the regulations implementing that legislation. Businesses that may be subject to the Rule should therefore closely monitor developments in federal privacy legislation, as the enactment of a new federal breach notification law may supersede the Rule.