Policy statement affirms that covered companies that hold fertility, heart health, glucose levels and other health data must notify consumers in the event of a breach
The Federal Trade Commission (@FTC) issued a policy statement affirming that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule, which requires that they notify consumers and others when their health data is breached.
In a policy statement adopted during an open meeting, the Commission noted that health apps, which can track everything from glucose levels for those with diabetes to heart health to fertility to sleep, increasingly collect sensitive and personal data from consumers These apps have a responsibility to ensure they secure the data they collect, which includes preventing unauthorized access to such information.
As part of the American Recovery and Reinvestment Act of 2009, Congress included specific provisions to strengthen privacy and security protections for web-based businesses. The law directed the FTC to ensure that companies contact customers in the event of a security breach. Shortly after, the FTC issued the Health Breach Notification Rule, which requires vendors of personal health records and related entities to notify consumers, the FTC, and, in some cases, the media when that data is disclosed or acquired without the consumers’ authorization. Over a decade later, health apps and other connected devices that collect personal health data are not only mainstream—and have increased in use during the pandemic—but are targets ripe for scammers and other cyber hacks. Yet, there are still too few privacy protections for these apps.
“While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” said FTC Chair Lina M. Khan. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”
The Rule ensures that entities not covered by the Health Insurance Portability and Accountability Act (HIPAA) face accountability when consumers’ sensitive health information is breached.
The Commission policy statement notes that apps and connected devices such as wearable fitness tracking devices that collect consumers’ health information are covered by the Health Breach Notification Rule if they can draw data from multiple sources, and are not covered by a similar rule issued by the Department of Health and Human Services. For example, a health app would be covered under the FTC’s rule if it collects health information from a consumer and has the technical capacity to draw information through an API that enables synching with a consumer’s fitness tracker. Companies that fail to comply with the rule could be subject to monetary penalties of up to $43,792 per violation per day.
The Commission voted 3-2 to approve the policy statement during the open virtual meeting. Chair Khan and Commissioners Rohit Chopra and Rebecca Kelly Slaughter issued separate statements. Commissioners Noah Joshua Phillips and Christine S. Wilson both voted no and each issued dissenting statements.