Health Breach Notification Rule Applies More Broadly than Previously Understood
The Policy Statement has focused attention on a Health Breach Notification Rule (Rule) that was issued under the American Recovery and Reinvestment Act of 2009 (ARRA), which sought to strengthen the privacy and security protections for health information handled by web-based businesses. The Rule – which requires that consumers, the FTC, and sometimes the media be notified in the event of a health data breach – applies only to entities that are not subject to HIPAA. The number of non-HIPAA-covered mobile applications and digital platforms handling health information is growing exponentially, and the Policy Statement signals a changing tide in how the FTC will approach policing such tools. Per the Policy Statement, the increased utilization of applications and connected devices that receive sensitive health data, such as those that track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, and diet, is driving a shift in the FTC’s enforcement priorities.
The Rule applies to personal health record (PHR) vendors and related entities and their service providers. PHRs are essentially electronic records that (1) contain individually identifiable health information; (2) are managed, shared, and controlled by or primarily for the individual; and (3) can be drawn from multiple sources. The Rule applies only to health information that is created or received by a health care provider, health plan, employer, or health care clearinghouse.
Critically, in the Policy Statement, the FTC explained its interpretation of the meaning of health care provider that will likely capture a number of health apps that previously were unaware that they could be subject to the Rule. In the FTC’s view, developers of health applications or connected devices are “health care provider[s]” because they “furnish health care services or supplies.” Thus, many companies that offer consumer-facing health apps and connected devices managed by the consumer are, in the FTC’s eyes, health care providers.
In the Policy Statement, the FTC further clarified that applications meeting the definition of a PHR vendor are covered by the Rule if they are capable of drawing information from multiple sources. These sources can include a combination of consumer inputs and application programming interfaces (APIs) and can also include sources of both health and non-health information. For example, a mobile application that draws information from a consumer’s health data while also capturing information from the consumer’s calendar application would be covered. By pulling information from multiple sources, including health and non-health sources, this particular application would fall under the Rule’s purview, which would trigger notification requirements in the event of a breach.
As mentioned, the Rule also applies to PHR vendors and related entities and service providers, including those that: offer products or services through the web site of a PHR vendor or web sites of HIPAA-covered entities that offer PHRs; or those that access information in, or send information to, a PHR. Thus, the Rule may apply to some companies that advertise on health applications or covered entity platforms.
Compliance Obligations for Entities Subject to the Rule
PHR vendors and related entities are required to notify consumers, the FTC, and in some cases the media when a consumer’s health information has been breached. A breach occurs when there has been unauthorized acquisition of an individual’s unsecured PHR.
In the Policy Statement, the FTC commented that a breach is not limited to cybersecurity intrusions. Incidents of unauthorized access, which include the sharing of covered information without a consumer’s authorization, would trigger notification obligations under the Rule, unless the PHR vendor or PHR related entity can show that unauthorized acquisition has not taken place or reasonably could not have taken place.
When a breach occurs, PHR vendors and related entities are required to notify (1) the FTC as soon as possible, and in any event no later than ten business days following the discovery of a breach affecting 500 or more consumers, and (2) affected consumers and prominent media outlets in states or jurisdictions where 500 or more residents are affected within 60 days of discovery. For breaches involving the health information of fewer than 500 individuals, companies can meet their FTC notice obligation by providing an annual submission that includes breaches within the respective calendar year. Third-party service providers must notify affected PHR vendors and related entities within 60 days of discovery.
Action Items for Compliance with the Clarified Rule
The cost of non-compliance can be substantial. Companies could face civil monetary penalties of $43,792 per violation, per day if they fail to properly adhere to the Rule’s notification requirements. The FTC requirements are modeled on the HIPAA breach notification rule enforced by the U.S. Department of Health and Human Services (HHS), and it remains to be seen whether the FTC will take a similar approach to enforcement. Breaches reported to HHS can lead to broader compliance reviews that result in settlement agreements that involve both financial penalties and multi-year corrective action plans. The FTC has long considered health data to be sensitive and deserving of enhanced protections, and statements from some Commissioners suggest that the FTC may take further actions in this area.
To manage compliance risk associated with the Rule and FTC enforcement generally, companies offering or advertising on mobile health applications and connected health and wellness devices should:
- Assess whether and how they are subject to the Rule and update their incident response plans, policies, and procedures accordingly;
- Evaluate the scope and clarity of notices and consents provided to consumers to confirm that data practices are consistent with FTC expectations and that there is a process for identifying and addressing access to consumer health data that could be considered a breach under the new Policy Statement; and
- Consider audits or simulated exercises to test preparedness.
As a final point, the Rule includes a sunset provision providing that, if new legislation is enacted establishing breach notification requirements that apply to entities subject to the Rule, the Rule will not apply to breaches discovered on or after the date of regulations implementing such legislation. Thus, companies that may be subject to the Rule should closely monitor federal privacy legislation developments, as the implementation of a new federal breach law could preempt the Rule.
Authored by Marcy Wilder, Melissa Bianchi, and Donald DePass.
Amanda Pervine, a Law Clerk in our Washington, D.C. office, contributed to this entry.