“The Federal Trade Commission (FTC) adopted a policy statement on Sept. 15, 2021, emphasizing that developers of digital health apps, connected devices and other health products have obligations under the Health Breach Notification Rule. The Health Breach Notification Rule requires certain businesses not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify their customers and others if there is a breach of unsecured, individually identifiable electronic health information.”
“The Health Breach Notification Rule was adopted in 2009 to ensure that entities not covered under HIPAA would still be held accountable in the event of a breach of customers’ sensitive health information. Since the Health Breach Notification Rule’s inception, the FTC has never enforced it. The FTC’s policy statement signals the FTC’s commitment to utilize its enforcement tools where sensitive health information may be compromised.”
“Breach Notification Provisions
The FTC’s rules implement breach notification provisions found in the Health Information Technology for Economic and Clinical Health Act (HITECH Act). As part of the American Recovery and Reinvestment Act (ARRA), Congress passed the HITECH Act, which focused on the implementation and use of health information technology, with a particular emphasis on privacy and security. The FTC regulations affect situations where there is a breach of a “personal health record” (PHR). The regulations require vendors of PHRs and PHR-related entities to notify U.S. consumers, the FTC and, in some cases, the media if a breach of unsecured identifiable health information occurs. The rules define “personal health record” as “an electronic record of PHR identifiable information of an individual that can be drawn from multiple sources and that is managed, shared, and controlled primarily by or primarily for the individual.”1 Until the FTC’s September 2021 statement, there was no clear guidance regarding a definition of “multiple sources.” In the FTC’s policy statement, it clarified that multiple sources can be drawn through a combination of consumer inputs and application programming interfaces (APIs) even if the health information comes from only one source…”
“An important and often complex question for PHR vendors is whether they are “business associates” under the HIPAA privacy and security rules. If so, the FTC rules would not apply if the PHR vendor experiences a data breach. The HIPAA privacy and security rules only apply to “covered entities,” their “business associates” and “subcontractors” of business associates. Covered entities include health plans, healthcare clearinghouses and most healthcare providers. Business associates and subcontractors are third parties that need access to protected health information to perform certain functions or services on behalf of covered entities or other business associates. For example, a person who offers a PHR to individuals on behalf of a covered entity is a business associate…”
Source: Important FTC Rules for Health Apps Outside of HIPAA – By Marissa C. Serafino, Ashley Thomas, and Shannon Britton Hartsfield, September 27, 2021. Holland & Knight.