Health-related apps are widely available for smartphones and watches. There is no shortage of connected health-monitoring devices such as personal glucose and heart rate monitors.
These apps and devices read, track and record both health-related information and, through sign-up or registration for the app or device, information that identifies the particular person using it. Some of these apps and devices even interface with other apps or devices; for instance, syncing with a calendar app to record histories such as sleep cycles, heart rate or glucose levels, or to forecast cycles such as fertility. The question then arises:
What protection do consumers have for the health and personal data generated by these relatively new apps and connected devices?
The Federal Trade Commission (“FTC”) recently issued a policy statement addressing this issue and the protection of the information gathered by these relatively new technologies.
Privacy of health-related information gathered by providers of healthcare services or supplies — such as physician offices and pharmacies — has long been protected by the Health Insurance Portability and Accountability Act (“HIPAA”). HIPAA also contains provisions requiring healthcare providers to notify impacted individuals when HIPAA-protected data is breached or compromised and the FTC enforces those provisions.
In addition, vendors of personal health data that are not regulated under HIPAA have had to comply with the FTC’s Health Breach Notification Rule (the “Rule”) and its requirements to notify impacted individuals, the FTC and even the media of breaches involving the compromise of individually identifiable health data.
A word of caution to consumers: developers of health-related apps and devices do not necessarily fit neatly within the parameters of HIPAA and the Rule, because those developers are not strictly healthcare providers under HIPAA or vendors of information subject to the Rule.
FTC Policy Statement
Recognizing this gap, the FTC issued a policy statement that in effect extends the Rule to these entities. The policy statement considers that developers of any healthcare apps that sync with or draw information from multiple inputs — such as an app that syncs with a calendar — are vendors of personal health records subject to the breach notification provisions of the Rule.
Further, the FTC also considers that developers of health apps and connected devices are to be considered “healthcare providers” under HIPAA because the apps and devices are “healthcare services or supplies.”
Accordingly, the HIPAA standards apply to information gathered by apps and devices, affording significant protection to consumers. Finally, under the policy statement, the FTC concludes that the data breach notification requirements imposed by the Rule are applicable to app and device developers whenever there is a breach of security resulting in the disclosure of “sensitive health information without users’ authorization.”
In addition, developers who fail to comply with the notice requirements under the Rule could face civil penalties of more than $40,000 for each day a violation continues.
Benefit to Consumers
With this policy statement, the FTC has not only addressed a privacy issue raised by new technologies but also corralled a group — app and device developers — who were previously outside the scope of HIPAA and the FTC rules regarding health data privacy and breach notification and placed significant requirements on them to protect the data they collect and inform consumers of any breaches.
The policy statement takes a broad view of when health apps and connected devices are covered by the Rule. Specifically, the policy statement broadly construes when health apps and connected devices are subject to provisions that apply to “vendors of personal health records that contain individually identifiable health information created or received by health care providers.”
Those needing legal assistance with data and privacy concerns may contact me at email@example.com or by phone at 239-344-1153.