health fitness app

Health and Fitness Tracker Apps are on Notice

Health and fitness tracking apps from companies that do not provide healthcare are not covered entities under HIPAA, so HIPAA rules don’t apply. Yet theses apps receive, store and transmit enormous amounts of private health information belonging to the individuals who use the app.

The FTC has a Health Breach Notification Rule

Since 2010, the Federal Trade Commission (FTC) has had a Health Breach Notification Rule (the Rule). The Rule requires vendors of personal health records (PHR), PHR-related entities and third-party service providers of PHR vendors to notify US consumers, the FTC and, in some cases, the media if a breach of unsecured identifiable health information occurs.

The Rule does not apply to HIPAA covered entities or business associates (acting in their capacity as business associates). The HIPAA Breach Notification Rule applies to them.

Since the FTC Rule took effect eleven years ago, the FTC has received only four notifications under the Rule and has not initiated any enforcement actions. Noting the explosion in health and fitness trackers over the last ten years, the FTC is putting vendors on notice – enforcement is amping up.

On September 15, 2021 the FTC issued a policy statement which clarifies that:

  • Developers of mobile health apps or connected devices are healthcare providers for purposes of the Rule because the developer furnishes healthcare services or supplies by offering the app or connected device; and
  • Any mobile health app is covered by the Rule if it is capable of drawing information from multiple sources, even if health information is collected from only one source.

The policy statement cross references HIPAA, noting that the FTC Rule is intended to protect personal health information in the hands of organizations that are neither covered entities nor business associates.

The policy statement reminds developers of mobile health apps or connected devices that a breach under the Rule is not limited to cybersecurity incidents or nefarious behavior, but can also include incidents of unauthorized access, such as sharing of covered information without an individual’s authorization.

The policy statement concludes:

As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this Rule is more important than ever. Firms offering these services should take appropriate care to secure and protect consumer data. The Commission intends to bring actions to enforce the Rule consistent with this Policy Statement. Violations of the Rule face civil penalties of $43,792 per violation per day. (italics added for emphasis)

Private health information is governed by more than HIPAA. The FTC wants mobile health app developers to know that they are stepping up enforcement of the FTC Health Breach Notification Rule, after ten years of non-enforcement. We can help you sort the rules.

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start Kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Share This Post

Share on facebook
Share on twitter
Share on linkedin

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2021 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Service | Privacy Policy

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

8820 Ladue Road Suite 200
St. Louis, MO 63124

Free hipaa kit!

hipaa compliance Quick start kit
Delivered free