The FTC’s recent policy statement on the Health Breach Notification Rule (the “Rule”) substantially impacts the consumer-facing digital health industry by significantly expanding (a) the scope of entities subject to the Rule and (b) data practices that constitute a breach. Under the new guidance, any entity that collects health data from both a connected device and the consumer (excluding entities already subject to HIPAA) will be treated as a “vendor of Personal Health Records” (“PHR Vendor”) subject to the Rule. Moreover, PHR Vendors that share such information without the individual’s authorization will trigger the Rule’s breach notification requirements.

PHR Vendors Include Health Apps, Too

The Rule applies to PHR Vendors, PHR related entities, and their third party service providers that collect data about an individual from multiple sources – excluding entities that are subject to HIPAA. The “multiple sources” requirement was historically interpreted to require collecting information from more than one entity (such as from multiple distinct health apps). In its policy statement, however, the FTC explained that “multiple sources” also includes data collected from a single consumer through more than one mechanism – e.g., a health app may be a PHR Vendor if it collects information from a consumer directly and from a connected device the consumer uses in connection with the app. As another example, an app that collects health data directly from the consumer (e.g., blood sugar levels) that it combines with other non-health data from other sources (e.g., dates from the consumer’s phone calendar) is also a PHR Vendor subject to the Rule.

Sharing Consumer Data Without Authorization is a “Breach” Under the Rule

The FTC also emphasized that sharing users’ information with third parties without the user’s authorization could be a “breach” under the Rule. Earlier in 2021, the FTC alleged that a fertility tracking app failed to safeguard users’ health data by, among other things, sharing users’ sensitive health data with third party marketing and analytics service providers. Although the FTC did not allege violations of the Rule in its complaint against the fertility tracking app, some of the commissioners at the time expressed that the fertility tracking app’s actions should have constituted a breach under the Rule. The FTC’s subsequent policy statement regarding the Rule now confirms that the FTC interprets “breach” to encompass both “cybersecurity intrusions or nefarious behavior” as well as situations involving “sharing of covered information without an individual’s authorization.”

Summary of the Rule

  1. Applicability: The Rule exempts entities subject to the HIPAA Breach Notification Rule. The Rule applies to non-U.S. based businesses that maintain data about U.S. citizens and residents.
  2. Requirements: When a qualifying vendor of PHR or PHR related entity suffers a breach of unsecured PHR, the entity must send breach notices. Businesses must also notify the FTC within 10 days if the breach impacts over 500 people (otherwise, notification is required to the FTC and individuals “without unreasonable delay” but in no event later than 60 days). Under the Rule, a breach is “discovered” on the first day it is known by any person, other than the individual committing the breach, who is an employee, officer or agent of the affected business. Third party service providers must provide breach notice to affected vendors of PHR and PHR related entities.
  3. Penalties: The FTC announced at the beginning of 2022 that it adjusted the maximum civil penalty amount to $46,517 per violation per day to account for annual inflation. The maximum civil penalty amount was previously $43,792 per violation per day.

Companies interested in learning more about the Rule’s applicability (or in obtaining copies of a detailed chart comparing the Rule to HIPAA’s Breach Notification Requirements) can contact the authors.