The Federal Trade Commission is proposing to amend its Health Breach Notification Rule requiring vendors of personal health records to report data breaches to include developers of health applications.
On Friday a notice will be published in the Federal Register that outlines how the FTC is proposing to amend the breach notification rule for vendors, according to a posting by the National Archives and Records Administration (PDF). The FTC will propose to amend rules for entities not covered by the Health Insurance Portability and Accountability Act (HIPAA) and to require them to notify the agency, individuals and the media in some cases of breaches of personally identifiable health data.
In addition to including health app developers, the proposed amendments would also clarify that a security breach includes data security breaches and unauthorized disclosures; revise the definition of a personal health record (PHR) related entity; clarify what it means for a PHR vendor to draw identifiable health information from multiple sources; modernize the method of notice; expand the content of the notice; and consolidating notice and timing requirements, as well as laying out the penalties for not following the rules.
The FTC has been warning health app developers of impending scrutiny of their behavior via the Health Breach Notification Rule, which requires entities to report any breaches of consumer health information to the agency.
The Department of Justice finalized a $1.5 million FTC settlement with GoodRx in February that required the company to prevent unauthorized disclosures of consumer data in the future and to ensure compliance of FTC rules. The Good Rx settlement was the first enforcement under the rule.
The June 9 notice states: “In its complaint, the Commission alleged that between 2017 and 2020, GoodRx as a vendor of personal health records, disclosed more than 500 consumers’ unsecured PHR identifiable health information to third party advertising platforms like Facebook and Google, without the authorization of those consumers. As charged in the complaint, these disclosures violated explicit privacy promises the company made to its users about its data sharing practices (including about its sharing of PHR identifiable health information).”
In March, the FTC again warned the health-app market that it intended to use its enforcement powers after Amazon acquired the membership-based One Medical primary care practice for $3.9 billion.
SC Media reported that commissioners communicated its concern to Amazon that failure to “obtain consumers’ express affirmative consent for marketing based on sensitive data such as health data may be in violation of the law.”
Under the American Recovery and Reinvestment Act of 2009, entities not covered under HIPAA are required to notify consumers, the media and the FTC of breaches of personally identifiable health information within 60 days of discovery of a breach, or “as soon as possible” or within 10 business days if the breach affects more than 500 people.
“Since the Rule’s issuance, apps and other direct-to-consumer health technologies, such as fitness trackers and wearable blood pressure monitors, have become commonplace. Further, as an outgrowth of the COVID-19 pandemic, consumer use of such health-related technologies has increased significantly,” the notice states.
The FTC’s second enforcement of the breach notification rule came in May against the maker of the Premom ovulation and period-tracking application for sharing personal and health information with third parties. The FTC fined Easy Healthcare, the maker of the app, $100,000.
The commission is asking for public comment on the proposed rule changes within 60 days of the notification’s publication in the Federal Register.