FTC Requires That Health Apps Must Notify Customers About Data Breaches

In a policy statement, the Federal Trade Commission affirmed that health apps and connected devices that collect or use consumers' health information must comply with the Health Breach Notification Rule, which requires them to alert individuals whose personal health information was involved in a breach. Under the rule's requirements, vendors of personal health records and PHR-related entities must notify consumers and the FTC, and in some cases the media, if there has been a breach of unsecured identifiable health information, or face civil penalties.
It is worth repeating that a breach is not limited to an intrusive attack: it also includes unauthorized access to, or sharing of, health information without the data owner's authorization.
In its statement, the FTC noted that these apps, which can track everything from glucose levels, physical activity, and sleep to fertility, are collecting increasingly sensitive data from consumers, and so have a duty to ensure that the data they collect remains secure. FTC chair Lina Khan said in a statement:
“Digital apps are routinely caught playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches.” Khan pointed to a study published by the British Medical Journal that found many health apps were transmitting personal data insecurely and sharing data with advertisers without authorization.
To Date
These apps have been operating in a wild west with few laws and regulations governing them, at least in the United States, owing to the lack of a federal privacy law. The relative lack of emphasis on the privacy and security of health records has fed into low consumer confidence in their privacy.
To all those health apps, we can’t say that we didn’t warn you. In our article describing what is and isn’t PHI, we noted that:
So if you are a startup developing an app, and you are trying to decide whether your software needs to be HIPAA compliant, the general rule of thumb is this: if the product you are developing transmits health information that can be used to personally identify an individual, and that information will be used by a covered entity (medical staff, a hospital, or an insurance company), then that information is considered PHI and your organization is subject to HIPAA. If you have no plans to share this data with a covered entity, then you do not need to worry about HIPAA compliance - yet.
While those organizations do not find themselves in the crosshairs of HIPAA or a broader data privacy rule, it is safe to assume that, if they haven’t already, they should begin to treat the personal health records they collect as carefully as Covered Entities and Business Associates do.