FTC strengthens breach notification requirements for health apps and connected health and wellness devices | Hogan Lovells
The Health Breach Notification Rule applies more broadly than previously understood
The Policy Statement drew attention to the Health Breach Notification Rule (Rule), issued under the American Recovery and Reinvestment Act of 2009 (ARRA), which was intended to strengthen the privacy and security of health information handled by web-based companies. The Rule, which requires notice to consumers, the FTC, and in some cases the media in the event of a breach of health data, applies only to companies that are not subject to HIPAA. The number of non-HIPAA mobile applications and digital platforms that process health information is growing rapidly, and the Policy Statement signals a change in how the FTC intends to police such tools. According to the Policy Statement, the FTC's enforcement priorities are being driven by the increased use of applications and connected devices that collect sensitive health information.
The Rule applies to vendors of personal health records (PHRs), PHR related entities, and their third-party service providers. A PHR is, in essence, an electronic record of individually identifiable health information that (1) is managed, shared, and controlled by, or primarily for, the individual and (2) can be drawn from multiple sources. The Rule covers only health information that is created or received by a health care provider, health plan, employer, or health care clearinghouse.
Crucially, the Policy Statement sets out the FTC's interpretation of the term "health care provider," which is likely to capture a number of health apps that were previously unaware they might be subject to the Rule. According to the FTC, developers of health apps or connected devices are "health care provider[s]" because they "furnish health care services or supplies." As a result, many companies that offer consumer-facing health apps and connected devices managed by the consumer are health care providers in the eyes of the FTC.
The Policy Statement also makes clear that an app meeting the definition of a PHR vendor is covered by the Rule if it is capable of drawing information from multiple sources. Those sources may include a combination of consumer inputs and application programming interfaces (APIs), and may include sources of both health and non-health information. For example, a mobile app that draws information from a consumer's health record while also collecting information from the consumer's calendar app would be covered. Because it pulls information from multiple sources, including health and non-health sources, such an app falls within the scope of the Rule and would have notification obligations in the event of a breach.
As noted above, the Rule also applies to PHR related entities and third-party service providers, including entities that offer products or services through the website of a PHR vendor, or through the website of a HIPAA-covered entity that offers PHRs, and entities that access information in a PHR or send information to a PHR. The Rule may therefore apply to some companies that advertise on covered health apps or platforms.
Compliance obligations for companies that are subject to the rule
PHR vendors and PHR related entities must notify consumers, the FTC, and in some cases the media when a consumer's health information has been breached. A breach occurs when an individual's unsecured PHR identifiable health information is acquired without authorization.
In the Policy Statement, the FTC observed that a breach is not limited to cybersecurity attacks. Incidents of unauthorized access, including disclosure of covered information without the consumer's authorization, trigger notification obligations under the Rule unless the PHR vendor or PHR related entity can show that unauthorized acquisition did not occur or could not reasonably have occurred.
If a breach occurs, PHR vendors and PHR related entities must (1) notify the FTC as soon as possible, and in any event no later than ten business days after discovering a breach affecting 500 or more consumers, and (2) notify affected consumers, and prominent media outlets in any state or jurisdiction in which 500 or more residents are affected, within 60 days of discovery. For breaches involving the health information of fewer than 500 individuals, companies may satisfy the FTC notification requirement by filing an annual log covering the breaches discovered in that calendar year. Third-party service providers must notify the affected PHR vendors and PHR related entities within 60 days of discovering a breach.
Action points to comply with the clarified rule
The cost of non-compliance can be significant. Companies could face civil penalties of $43,792 per violation per day for failing to comply with the Rule's notification requirements. The FTC's requirements are modeled on the HIPAA Breach Notification Rule enforced by the U.S. Department of Health and Human Services (HHS), and it remains to be seen whether the FTC will take a similar approach to enforcement. Breaches reported to HHS can lead to broader compliance reviews that result in settlement agreements combining monetary penalties with multi-year corrective action plans. The FTC has long taken the position that health data are sensitive and deserve heightened protection, and statements by some commissioners suggest that the FTC may take further action in this area.
To manage compliance risk under the Rule and with respect to FTC enforcement generally, organizations that offer or advertise mobile health apps and related health and wellness devices should:
- Assess whether and how they are subject to the Rule, and update their incident response plans, policies, and procedures accordingly;
- Assess the scope and clarity of their consumer-facing communications and consents to confirm that data practices match what the FTC expects, and that a process is in place to identify and handle any access to consumer health data that could be treated as a breach under the new Policy Statement; and
- Consider audits or tabletop exercises to test readiness.
Finally, the Rule includes a sunset provision: if new federal legislation establishes breach notification requirements for the companies the Rule covers, the Rule will not apply to breaches discovered on or after the effective date of the regulations implementing that legislation. Companies that may be subject to the Rule should therefore closely monitor developments in federal privacy legislation, since the implementation of a new federal law covering the same ground could supersede the Rule.