Health and fitness tracking apps from companies that do not provide healthcare are not covered entities under HIPAA, so HIPAA rules don’t apply. Yet these apps receive, store and transmit enormous amounts of private health information belonging to the individuals who use the app.
The FTC has a Health Breach Notification Rule
Since 2010, the Federal Trade Commission (FTC) has had a Health Breach Notification Rule (the Rule). The Rule requires vendors of personal health records (PHR), PHR-related entities and third-party service providers of PHR vendors to notify US consumers, the FTC and, in some cases, the media if a breach of unsecured identifiable health information occurs.
The Rule does not apply to HIPAA covered entities or business associates (acting in their capacity as business associates). The HIPAA Breach Notification Rule applies to them.
Since the FTC Rule took effect eleven years ago, the FTC has received only four notifications under the Rule and has not initiated any enforcement actions. Noting the explosion in health and fitness trackers over the last ten years, the FTC is putting vendors on notice – enforcement is amping up.
On September 15, 2021 the FTC issued a policy statement which clarifies that:
- Developers of mobile health apps or connected devices are healthcare providers for purposes of the Rule because the developer furnishes healthcare services or supplies by offering the app or connected device; and
- Any mobile health app is covered by the Rule if it is capable of drawing information from multiple sources, even if health information is collected from only one source.
The policy statement cross references HIPAA, noting that the FTC Rule is intended to protect personal health information in the hands of organizations that are neither covered entities nor business associates.
The policy statement reminds developers of mobile health apps or connected devices that a breach under the Rule is not limited to cybersecurity incidents or nefarious behavior, but can also include incidents of unauthorized access, such as sharing of covered information without an individual’s authorization.
The policy statement concludes:
As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this Rule is more important than ever. Firms offering these services should take appropriate care to secure and protect consumer data. The Commission intends to bring actions to enforce the Rule consistent with this Policy Statement. Violations of the Rule face civil penalties of $43,792 per violation per day. (italics added for emphasis)
Private health information is governed by more than HIPAA. The FTC wants mobile health app developers to know that it is stepping up enforcement of the FTC Health Breach Notification Rule after ten years of non-enforcement. We can help you sort the rules.