What does your glucometer, blood pressure monitoring device, or fitness tracker have to do with the FTC’s breach notification rule? Well, up to September of this year, you wouldn’t have been nuts to think, “Not much.” No longer.
Over ten years ago the Federal Trade Commission (aka the FTC or the Commission) published the rule. You may remember that it was one of the new requirements, like the HIPAA Breach Notification Rule, that was included in the HITECH Act. The HITECH Act – along with the FTC breach notification rule – was intended to require personal health record vendors who were not HIPAA covered entities or business associates to notify consumers in the event of a breach of their health data. Until last month, the FTC rule didn’t see a lot of action.
Be aware that the rule doesn’t just apply to personal health record vendors. If you’re a vendor and you make health-related apps for or available to consumers, you need to pay attention because the FTC has officially stated that it will begin enforcing its rule.
Ignore the FTC at Your Own Peril
Now when the FTC says it will enforce something, it really means it. The Commission has a reputation for aggressive enforcement actions against companies who either have – or that the FTC perceives to have – violated Commission rules. Please, if you’re a vendor, do not take their enforcement assertion lightly.
The Commission conducted a virtual meeting on September 15, 2021 and the commissioners voted 3–2 along party lines to approve the FTC’s new policy statement. The policy statement clarifies the FTC’s position on breach rule enforcement; that is:
- Developers of mobile health apps or connected devices are healthcare providers for purposes of the Rule because the developer furnishes healthcare services or supplies by offering the app or connected device; and
- Any mobile health app is covered by the Rule if it is capable of drawing information from multiple sources, even if health information is collected from only one source.
To be clear, the “healthcare providers” in the policy statement’s definition are not HIPAA covered entities. Covered entities and business associates are already required to comply with the HIPAA Breach Notification Rule. What the FTC is saying is this:
Developers of consumer-facing mobile health apps are required to adhere to the FTC breach notification rule if they meet the FTC’s definition of mobile app developers whose apps draw data from multiple sources.
What apps are subject to FTC’s rule?
The FTC noted that an app is covered under the breach notification rule if it:
- collects information directly from consumers and
- has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker, glucometer, or blood pressure monitoring device.
The Commission also stated the rule applies to apps that pull information from multiple sources, even if only one of those sources provides health information (e.g., an app that collects health information that a consumer loads, and gathers non-health information from another source, such as dates from the consumer’s phone calendar).
The policy statement is a pointed reminder to mobile health app developers and manufacturers or sellers of connected devices (think fitness trackers) that a breach under the rule is not limited to cybersecurity intrusions or malicious behavior. It can also include incidents of unauthorized access, such as sharing covered information without authorization.
The Commission’s new, forceful stance is something to watch. Mobile health apps are released at an ever-increasing pace and are widely used by consumers to track everything from steps to heart rates to weight loss to reproductive cycles. New enforcement will likely be a good thing for consumers and privacy advocates.
I tend to think that it will take a while for vendors to catch on to breach notification requirements and associated enforcement. Let’s hope that only a few headlines will be enough of a wake-up call for healthcare mobile app vendors. It’s no fun to be in the FTC’s crosshairs.
Breach notification should be part of your security incident response plan and part of the overall compliance planning process. Give Apgar & Associates a call to be sure yours is up-to-date and covers the bases.