The Federal Trade Commission (FTC) recently issued revised guidance to companies about compliance with the Health Breach Notification Rule (the “Rule”). The Rule, first adopted in 2009 as part of the American Recovery and Reinvestment Act, requires certain entities not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to notify customers, the FTC, and, in some cases, the media if there is a breach of security of “unsecured” individually identifiable health information. Last year, the FTC issued a policy statement warning health apps and connected device companies that collect or use health information that they must comply with the Rule or risk civil penalties in the event of a breach. The FTC’s revised guidance broadly construes a “breach” to go well beyond typical cybersecurity incidents and to include, for example, the unauthorized disclosure of health information to a social media platform without obtaining a user’s consent. These developments signal the FTC’s renewed commitment to aggressively enforcing the Rule against app developers and other firms that may not have been covered under the FTC’s prior guidance.
Who Is Covered? Virtually All Health Apps and Wearable Devices
The Rule applies to “vendors of personal health records (PHR),” “PHR related entities,” and “third-party service providers” for vendors of PHR or PHR related entities. A PHR means an electronic health record of identifiable health information that can be “drawn from multiple sources” and is “managed, shared, and controlled by or primarily for the individual.” It does not apply to entities covered by HIPAA or “business associates” of those entities (they are covered by HHS’s breach notification rule instead).
The FTC’s September 2021 policy statement “clarified” who is covered by the Rule in a way that many argue significantly expands the Rule’s scope and coverage to include most apps and connected devices that collect health information. The FTC’s statement specifically called out apps and wearables that track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, and diet, among others. Notably, the FTC now asserts that the Rule applies to any app that collects information directly from a consumer and is technically capable of accessing an application programming interface, or API, because such apps are “capable of drawing information from multiple sources.” As Commissioner Wilson noted in a dissent from the FTC’s policy statement, this is a significant change from previous FTC guidance that expressly excluded software that simply allowed consumers to input their own information without interacting with PHRs.
The key takeaway: If you offer a health or fitness app or wearable technology that can sync to other devices or access smartphone data like calendar entries or contacts, the FTC will treat you as within the scope of the Rule.
What Triggers Notification Requirements Under the Rule?
The Rule requires notification to the FTC where there has been an unauthorized acquisition of unsecured PHR identifiable health information. The FTC’s guidance treats any health information that is acquired by someone else without the affected person’s approval as an “unauthorized acquisition” under the Rule. For example, this could include a thief stealing a laptop with unsecured PHR or an employee impermissibly accessing electronic health records. However, the Rule also extends to less obvious scenarios. According to the FTC’s new guidance, the agency will treat any unauthorized disclosure of unsecured health information as a breach, including sending health information to social media platforms or ad tech partners without obtaining consent.
It is also important to understand the Rule’s definitions, as notification is only triggered if PHR health information is “identifiable” and “unsecured,” which can exclude some data from coverage.
- Identifiable health information includes any data that could reasonably be used to identify someone – like mobile device identifiers shared with an advertising network – but may not extend to some aggregated data that can’t reasonably be used to identify a specific person.
- Unsecured data means information that is unencrypted or has been destroyed. Thus, encrypted PHRs don’t trigger notification.
- PHRs are limited to “electronic” records, not paper. Also, if your app only lets users enter their own information without connecting to APIs, it wouldn’t be covered.
Where there is an unauthorized breach of PHR from a covered entity, the Rule requires businesses to notify affected customers, the FTC, and, if a breach involves more than 500 residents of a particular state, the media. Covered entities that fail to comply with the Rule could be subject to civil penalties of up to $46,517 per violation.
Next Steps for Your Business
The recent FTC policy statement and revised guidance likely signal increased enforcement of the Rule. The FTC has brought many cases alleging health privacy and security violations and the agency will continue to be active in this area. And, because rule violations are one of the few tools by which the FTC can get monetary relief after the Supreme Court’s AMG decision, we expect the FTC will increasingly allege rule violations wherever it can.
If you are unsure whether your business fits under the expanded scope of the Rule, or you are concerned about complying with the Rule’s notification requirements, Baker Botts can help. We will continue to monitor developments concerning the Rule and are here to answer any of your questions.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.