Then-FTC Chair nominee Lina M. Khan testifies during a Senate hearing on April 21, 2021, in Washington. (Photo by Graeme Jennings/Pool via Getty Images)

The College of Healthcare Information Management Executives (CHIME) is urging the Federal Trade Commission to utilize its enforcement authority to hold third-party vendors responsible for the illegal disclosure of consumer health data, even if the act was unintentional.

The FTC already has the authority to govern health information not covered by the the Health Insurance Portability and Accountability Act with its health breach notification rule. CHIME notes that it’s “one of only a handful of federal privacy laws protecting consumers’ health information.” 

Thus, the commission “plays a vital role in holding companies accountable for how they disclose consumers’ sensitive health information.” However, in September 2021, in warning app developers of its intention to leverage the rule, the FTC acknowledged it “has never enforced the Rule, and many appear to misunderstand its requirements.”

CHIME responded then, “and still believes that actions from the FTC will make a consumer’s data more secure and help ensure that those entities who have a breach of this crucial private data are held accountable.”

“Not only does it hold bad and unsecure actors accountable, but it also creates a disincentive that urges all businesses” with personal health data to strengthen their data security practices, CHIME wrote.

The comments were sent to the agency in response to the FTC’s proposed trade regulation rule on commercial surveillance and data security issued in August. Agency leaders voted to explore possible regulations for commercial data surveillance, a practice that directly raises the risk of data breaches.

The proposal aims to address a growing concern of apps and data brokers essentially forcing consumers to relinquish their personal data — and with it, their privacy — in order to use these programs. The platforms routinely gather their data, routines and highly sensitive data, some of which without transparency into the process.

The FTC is examining how to address this problem, which could result in highly stringent privacy and security protections for consumer data.

For healthcare stakeholders, the possible shift can’t come soon enough as reports consistently show that health apps are notorious for engaging in these dubious data-sharing practices. Estimates place the number of health-related apps at 350,000. These apps are not regulated by HIPAA, leaving consumers vulnerable to privacy risks.

CHIME warned it’s “entirely possible that the amount of health data held by entities who are not required to comply with the HIPAA exceeds the data held by those who are HIPAA-covered entities, a certainly concerning development.”

On the whole, CHIME broadly supports the proposal and the FTC’s planned approach for implementing new trade regulation rules for ways companies collect, retain, and use consumer data, as well as how and whether it's shared or monetized to ensure fairness.

However, the stakeholder group believes there’s some room to “constructively improve” the proposed plan. 

FTC holds authority to protect health data not covered by HIPAA

Following the Supreme Court’s upheaval of Roe v. Wade, the FTC warned it would crack down on companies misusing consumer data, including health and location data.

CHIME is urging the agency to “push further into this space” by using its authority to hold third parties not covered by HIPAA responsible for clear violations of consumer data privacy, particularly as healthcare data has become “an even more valuable commodity.”

In one notable enforcement example in early 2021, the women’s health app Flo Health was fined by the FTC for sharing consumer data with third parties without transparency. These regulatory actions are imperative, and FTC should keep pace with these changing technologies to ensure consumers are protected from similar data privacy violations.

The FTC’s latest proposal is encouraging, but CHIME believes that the agency should clarify how the intersection of the proposed rule and its existing authority under its health breach notification rule would play out when it comes to data held by HIPAA covered entities.

The group is also concerned as to how the FTC will better inform entities of its authority and their requirements, as the health breach notification rule was under-utilized despite the agency having the authority to hold accountable vendors with access to personal health data.

As such, CHIME believes greater clarity is needed, particularly for entities that fall under the potential new regulation, HIPAA, and the FTC’s health breach notification rule, particularly around definitions for vendors of personal health records.

The FTC should also use its authority to protect “consumers and patients who are often unaware of how their data is being used, and in some cases, may be under the false impression that it is still safeguarded under HIPAA. Clear, transparent communication to consumers about how their data is being used, monetized, and secured will be critical in future rulemaking.”

“It’s time for vendors of personal health records and PHR-related entities with lax data security — and sometimes blatant disregard of the law — to receive these notices and penalties under the existing authority provided to the Commission under the rule,” CHIME wrote.

The FTC has noted it’s aware of the current expansion of health apps amid the pandemic, but there are still not enough privacy protections for the apps. Similar comments were issued by other industry leaders following the proposal for a national data privacy law.

CHIME provided the FTC with questions that should be asked of all of these third-party health apps, which should better inform where inconsistencies and vulnerabilities lie in terms of the monetization of data and app security. This information should also be provided on the FTC site for consumers to review before leveraging apps that utilize their personal health data.