FTC reinforces breach notification duties for health apps and connected health and wellness devices

5 October 2021

A new Policy Statement from the US Federal Trade Commission places companies that offer consumer-facing health apps and connected health and wellness devices on notice that they may be covered by a Health Breach Notification Rule that has been around for more than a decade. 

Index
  1. Health Breach Notification Rule Applies More Broadly than Previously Understood
    1. Compliance Obligations for Entities Subject to the Rule
    2. Action Items for Compliance with the Clarified Rule

Health Breach Notification Rule Applies More Broadly than Previously Understood

The Policy Statement has focused attention on a Health Breach Notification Rule (Rule) that was issued under the American Recovery and Reinvestment Act of 2009 (ARRA), which sought to strengthen the privacy and security protections for health information handled by web-based businesses. The Rule – which requires that consumers, the FTC, and sometimes the media be notified in the event of a health data breach – applies only to entities that are not subject to HIPAA. The number of non-HIPAA-covered mobile applications and digital platforms handling health information is growing exponentially, and the Policy Statement signals a changing tide in how the FTC will approach policing such tools. Per the Policy Statement, the increased utilization of applications and connected devices that receive sensitive health data, such as those that track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, and diet, is driving a shift in the FTC’s enforcement priorities.

The Rule applies to personal health record (PHR) vendors and related entities and their service providers. PHRs are essentially electronic records that (1) contain individually identifiable health information; (2) are managed, shared, and controlled by or primarily for the individual; and (3) can be drawn from multiple sources. The Rule applies only to health information that is created or received by a health care provider, health plan, employer, or health care clearinghouse. 

Critically, in the Policy Statement, the FTC explained its interpretation of the meaning of health care provider that will likely capture a number of health apps that previously were unaware that they could be subject to the Rule. In the FTC’s view, developers of health applications or connected devices are “health care provider[s]” because they “furnish health care services or supplies.” Thus, many companies that offer consumer-facing health apps and connected devices managed by the consumer are, in the FTC’s eyes, health care providers.

In the Policy Statement, the FTC further clarified that applications meeting the definition of a PHR vendor are covered by the Rule if they are capable of drawing information from multiple sources. These sources can include a combination of consumer inputs and application programming interfaces (APIs), and can also include sources of both health and non-health information. For example, a mobile application that draws information from a consumer’s health data while also capturing information from the consumer’s calendar application would be covered. By pulling information from multiple sources, including health and non-health sources, this particular application would fall under the Rule’s purview, which would trigger notification requirements in the event of a breach.

As mentioned, the Rule also applies to PHR vendors and related entities and service providers, including those that offer products or services through the website of a PHR vendor or the websites of HIPAA-covered entities that offer PHRs, or that access information in, or send information to, a PHR. Thus, the Rule may apply to some companies that advertise on health applications or covered entity platforms.

Compliance Obligations for Entities Subject to the Rule

PHR vendors and related entities are required to notify consumers, the FTC, and in some cases the media when a consumer’s health information has been breached. A breach occurs when there has been unauthorized acquisition of an individual’s unsecured PHR.

In the Policy Statement, the FTC commented that a breach was not limited to cybersecurity intrusions. Incidents of unauthorized access, which include the sharing of covered information without a consumer’s authorization, would trigger notification obligations under the Rule, unless the PHR vendor or PHR related entity can show that the unauthorized acquisition has not or reasonably could not have taken place.

When a breach occurs, PHR vendors and related entities are required to notify (1) the FTC as soon as possible, and in any event no later than ten business days following the discovery of a breach affecting 500 or more consumers, and (2) affected consumers and prominent media outlets in states or jurisdictions where 500 or more residents are affected, within 60 days of discovery. For breaches involving the health information of fewer than 500 individuals, companies can meet their FTC notice obligation by providing an annual submission that includes breaches within the respective calendar year. Third-party service providers must notify affected PHR vendors and related entities within 60 days of discovery.

Action Items for Compliance with the Clarified Rule

The cost of non-compliance can be substantial. Companies could face civil monetary penalties of $43,792 per violation, per day if they fail to properly adhere to the Rule’s notification requirements. The FTC requirements are modeled on the HIPAA breach notification rule enforced by the U.S. Department of Health and Human Services (HHS), and it remains to be seen whether the FTC will take a similar approach to enforcement. Breaches reported to HHS can lead to broader compliance reviews that result in settlement agreements that involve both financial penalties and multi-year corrective action plans. The FTC has long considered health data to be sensitive and deserving of enhanced protections, and statements from some Commissioners suggest that the FTC may take further actions in this area.

To manage compliance risk associated with the Rule and FTC enforcement generally, companies offering or advertising on mobile health applications and connected health and wellness devices should:

  • Assess whether and how they are subject to the Rule and update their incident response plans, policies, and procedures accordingly;
  • Evaluate the scope and clarity of notices and consents provided to consumers to confirm that data practices are consistent with FTC expectations and that there is a process for identifying and addressing access to consumer health data that could be considered a breach under the new Policy Statement; and 
  • Consider audits or simulated exercises to test preparedness.

As a final point, the Rule includes a sunset provision: if new legislation is enacted establishing breach notification requirements that apply to entities subject to the Rule, the Rule will not apply to breaches discovered on or after the date of the regulations implementing such legislation. Thus, companies that may be subject to the Rule should closely monitor federal privacy legislation developments, as the implementation of a new federal breach law could preempt the Rule.


Authored by Marcy Wilder, Melissa Bianchi, and Donald DePass.

Amanda Pervine, a Law Clerk in our Washington, D.C. office, contributed to this entry.

Contacts
Marcy Wilder
Partner
Washington, D.C.
Melissa Bianchi
Partner
Washington, D.C.
Donald DePass
Senior Associate
Washington, D.C.
Additional Resources
  • FTC Policy Statement
  • Health Breach Notification Rule
Keywords: Breach, Breach Notification, FTC, Federal Trade Commission, HIPAA, connected devices, wearable, health tech, health devices, wellness devices
Languages: English
Topics: Privacy, Cybersecurity, Health Privacy
Countries: United States