FTC Warns Health Apps to Comply with Notification Rule

Sept. 20, 2021

The Federal Trade Commission issued a press release warning health app developers and connected device companies to comply with the Health Breach Notification Rule if sensitive health data is breached

Janette Wider

On Sept. 15 the Federal Trade Commission (FTC) issued a press release warning health app developers and connected device companies to comply with the Health Breach Notification Rule, that requires the notification of consumers and others when their health data is breached.

The release states that “In a policy statement adopted during an open meeting, the Commission noted that health apps, which can track everything from glucose levels for those with diabetes to heart health to fertility to sleep, increasingly collect sensitive and personal data from consumers These apps have a responsibility to ensure they secure the data they collect, which includes preventing unauthorized access to such information.”

Further, “As part of the American Recovery and Reinvestment Act of 2009, Congress included specific provisions to strengthen privacy and security protections for web-based businesses. The law directed the FTC to ensure that companies contact customers in the event of a security breach. Shortly after, the FTC issued the Health Breach Notification Rule, which requires vendors of personal health records and related entities to notify consumers, the FTC, and, in some cases, the media when that data is disclosed or acquired without the consumers’ authorization. Over a decade later, health apps and other connected devices that collect personal health data are not only mainstream—and have increased in use during the pandemic—but are targets ripe for scammers and other cyber hacks. Yet, there are still too few privacy protections for these apps.”

FTC chair Lina M. Khan was quoted in the release saying that “While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics. Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”

The Rule makes sure that entities not covered by the Health Insurance Portability and Accountability Act (HIPAA) are held accountable when consumers’ health information is breached.

The release concludes that “The Commission policy statement notes that apps and connected devices such as wearable fitness tracking devices that collect consumers’ health information are covered by the Health Breach Notification Rule if they can draw data from multiple sources, and are not covered by a similar rule issued by the Department of Health and Human Services. For example, a health app would be covered under the FTC’s rule if it collects health information from a consumer and has the technical capacity to draw information through an API that enables synching with a consumer’s fitness tracker. Companies that fail to comply with the rule could be subject to monetary penalties of up to $43,792 per violation per day.”