The Federal Trade Commission (FTC) has updated its guidance for health apps, requiring them to notify users of data breaches impacting them.
Smartphones and smartwatches are increasingly being used to help monitor users’ health and activity, while a plethora of apps access and use that data. The FTC is offering new guidance for these apps, in an effort to hold them to the same standards as companies specializing in health records.
The FTC’s Health Breach Notification Rule helps to ensure that entities who are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) nevertheless face accountability when consumers’ sensitive health information is compromised. Under the Rule’s requirements, vendors of personal health records (“PHR”) and PHR-related entities must notify U.S. consumers and the FTC, and, in some cases, the media, if there has been a breach of unsecured identifiable health information, or face civil penalties for violations. The Rule also covers service providers to these entities. In practical terms, this means that entities covered by the Rule who have experienced breaches cannot conceal this fact from those who have entrusted them with sensitive health information.
The Rule was issued more than a decade ago, but the explosion in health apps and connected devices makes its requirements with respect to them more important than ever. The FTC has advised mobile health apps to examine their obligations under the Rule, including through the use of an interactive tool. Yet the FTC has never enforced the Rule, and many appear to misunderstand its requirements. This Policy Statement serves to clarify the scope of the Rule, and place entities on notice of their ongoing obligation to come clean about breaches.
The new guidance will likely have a major impact on the booming health app market and better protect users and their privacy.