FTC Announces Intent to Enforce Health Breach Rule

Last week, the Federal Trade Commission (“FTC”) announced its intent to enforce the 2009 Health Breach Notification Rule ("Rule") and issued a policy statement clarifying the Rule's scope. The policy statement broadens the range of entities the FTC considers covered by the Rule and makes clear that a reportable breach is not limited to unauthorized acquisition by an outside attacker: an app's or device's own unauthorized disclosure of health data to third parties is a breach as well.

The Rule requires vendors of personal health records (“PHRs”), PHR-related entities, and their third-party service providers to report breaches of security to affected individuals, to the FTC, and, for larger breaches, to the media. It was designed to fill the gap left by HIPAA for entities that handle individually identifiable health information but are not HIPAA-covered entities or business associates. A vendor of PHRs is an entity that offers or maintains an electronic record of health information drawn from multiple sources and managed, shared, and controlled by or primarily for the individual; PHR-related entities include, among others, entities that send information to, or access information in, a PHR. An example of a PHR vendor is an online service that aggregates medical records from multiple healthcare providers into a single electronic record for the consumer.

The FTC's policy statement reads the Rule as reaching healthcare providers that are not covered by HIPAA, because the Rule incorporates cross-referenced statutory definitions of "health care provider" and "health care services." Under that reading, health apps and connected devices are healthcare providers if they furnish health services or supplies, and the data they hold is a PHR if it can be drawn from multiple sources, for example a combination of data pulled through APIs and data the user enters directly, such as blood pressure readings.

The policy statement also clarifies what constitutes a reportable breach of security under the Rule. A breach is not only the unauthorized acquisition of data by a malicious actor; it also includes an app or device sharing sensitive health information with a third party without the consumer's authorization. This is a distinct trigger from state breach-notification laws: a disclosure that would not be a reportable incident under state law can still be a breach under the Rule if the consumer did not authorize it. Entities subject to the Rule should therefore review their privacy policies and obtain affirmative, opt-in consent before disclosing health data to third parties.

Health technology companies should therefore promptly assess whether they fall within the Rule's scope and update their privacy and security policies accordingly. Vendors of PHRs and PHR-related entities must notify affected individuals and the FTC without unreasonable delay, and in no case later than 60 calendar days after discovery of a breach. Third-party service providers must notify the PHR vendor or related entity they serve following discovery of a breach and obtain acknowledgment that the notice was received.

The FTC expects covered entities to maintain security measures robust enough to detect breaches promptly, since the notification clock runs from discovery. Companies offering apps that collect health data, particularly those not subject to HIPAA that gather data from multiple sources, should carefully review their data collection practices, privacy policies, third-party data sharing, and incident response plans against the Rule's requirements.

The policy statement also signals a shift toward more stringent enforcement. Violations of the Rule are treated as unfair or deceptive acts or practices, with civil penalties of up to $43,792 per violation, per day. The FTC has indicated it intends to enforce the Rule rigorously, particularly after the Supreme Court's 2021 decision in AMG Capital Management v. FTC limited its ability to seek monetary relief under Section 13(b) of the FTC Act.


© 2021 Cliclaw.com


This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.