At an open commission meeting on Wednesday, September 15th, the Federal Trade Commission (FTC) voted 3-2 to approve a policy statement affirming that health apps and connected devices that draw information from multiple sources need to comply with the FTC’s August 2009 Health Breach Notification Rule. The policy statement serves as a notice to health apps and connected devices – companies that are traditionally not covered entities under HIPAA – “of their ongoing obligation to come clean about breaches”. The statement also affirms that the entities may be subject to civil penalties of up to $43,792 per violation per day.
The American Recovery and Reinvestment Act of 2009 (Recovery Act of 2009) required the FTC to enforce breach notification requirements with respect to vendors and third parties and to adopt a rule implementing such requirements. Under the Health Breach Notification Rule, vendors of personal health records and related entities must notify U.S. consumers and the FTC, and, in some cases the media, if there has been a breach of unsecured identifiable health information.
Acknowledging that it has now been more than a decade since the promulgation of the Health Breach Notification Rule and that there has been a proliferation of apps and technologies that consumers can now use “to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas,” the FTC affirmed on Wednesday that apps capable of drawing information from multiple sources (such as through a combination of consumer inputs and APIs) are covered, even if the health information comes from only one source.
You can read the full policy statement of the FTC here.
FTC Chair Lina M. Khan and Commissioners Rohit Chopra and Rebecca Kelly Slaughter voted in favor of the policy statement, while Commissioners Joshua Phillips and Christine S. Wilson each issued dissenting statements. The dissenting opinions asserted that this statutory and regulatory opinion should be determined in the context of the rulemaking process that is currently under way, rather than a policy statement.
It is important that companies developing health apps and connected devices be aware of this announcement. Beckage closely monitors developments in laws and regulations governing health data and breach response. Beckage’s team of highly skilled attorneys and technologists are uniquely situated to assist clients as they navigate these changes.
Email Beckage Health Law Team Lead Sarah L. Rugnetta, Esq., (CIPP/E) at firstname.lastname@example.org or call 716.898.2102 for assistance in analyzing this and other regulatory and legislative matters in the Health Law space.
*Attorney advertising; prior results do not guarantee similar outcomes.