August 17, 2022



FTC Issues Reminder on the Breach Notification Requirements by Health Apps and Other Connected Devices and Their Service Providers | McGuireWoods LLP

  • The FTC issued a policy statement on Sept. 15, 2021, emphasizing that developers of health apps and other connected devices and their service providers have breach notification requirements under the Health Breach Notification Rule.
  • The breach notification requirements include a quick 10-day notice period to the FTC, and a 60-day notice period to individuals and the media, with violations potentially resulting in significant civil penalties of $43,792 “per violation,” “per day.”
  • The policy statement warned that the FTC intends to bring enforcement actions.
  • Accordingly, developers of health apps and other connected devices should take steps promptly to evaluate their obligations under the Health Breach Notification Rule.

In response to the proliferation of health apps during the COVID-19 pandemic, the Federal Trade Commission (FTC) issued a policy statement on Sept. 15, 2021, to clarify the breach notification requirements on vendors of health apps and other connected devices and their service providers under the FTC’s Health Breach Notification Rule, 16 CFR Part 318.

Research from the Organisation for the Review of Care and Health Apps found that the COVID-19 pandemic led to a 25 percent increase in health app downloads, and that, of the 350,000 health apps available on the market, 90,000 were introduced in 2020 alone, an average of 250 per day. Generally, health apps are not covered by the Health Insurance Portability and Accountability Act (HIPAA), which has led some vendors of health apps and their service providers to mistakenly believe they do not have breach notification obligations.

In the Sept. 15 policy statement, the FTC emphasized that the Health Breach Notification Rule, which has been in place since 2009, covers many vendors of health apps and connected devices and their service providers, requires such entities to comply with breach notification requirements and subjects the entities to significant penalties for failure to do so. Accordingly, vendors of health apps and connected devices and their service providers should take steps now to ensure they comply with the Health Breach Notification Rule’s requirements for notification of data breaches, as the FTC’s policy statement signals that increased enforcement is on the horizon.

What information is covered by the Health Breach Notification Rule?

The Health Breach Notification Rule covers personal health records (PHRs). A PHR is an electronic record containing “identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”

In its statement, the FTC clarified that an electronic record is “drawn from multiple sources” even if the health information does not come from “more than one source.” The FTC explained that “a combination of consumer inputs and application programming interfaces (‘APIs’)” could be considered “drawn from multiple sources.” For example, the policy statement clarified that a health app would be covered by the Health Breach Notification Rule and is an electronic record “drawn from multiple sources” under the definition of a PHR if it collects information directly from consumers and has the technical capacity to draw information through an API that enables syncing with a consumer’s health and fitness tracker. Further, if a blood sugar monitoring app draws health information only from one source (e.g., a consumer’s inputted blood sugar levels) but also takes non-health information from another source (e.g., dates from a phone calendar), it is covered under the Health Breach Notification Rule as an electronic record “drawn from multiple sources.”

Thus, the rule is broad and covers apps and devices that collect consumer information directly and sync to other apps or devices, such as those that sync to wearable health trackers or to users’ digital calendars.

Who is covered by the Health Breach Notification Rule?

The Health Breach Notification Rule applies to (1) “foreign and domestic vendors” of PHR, (2) “PHR-related entities” and (3) “third-party service providers” that maintain information of U.S. citizens or residents.

A “foreign and domestic vendor” of PHR is any entity that “offers or maintains a PHR.” For example, an online platform that allows consumers to upload medical data from other sources for organization in a central location is a vendor of PHR.

A “PHR-related entity” is one that (1) offers products or services through the website of a vendor of PHR, (2) offers products or services through the websites of HIPAA-covered entities that offer individuals PHR or (3) accesses information in a PHR or sends information to a PHR. For example, an app that allows consumers to upload blood glucose readings into a personal health record is a PHR-related entity.

A “third-party service provider” is an entity that provides services to a PHR vendor or a PHR-related entity and accesses PHR identifiable information because of such services. For example, an entity that is hired by a vendor of PHR to handle billing, data management or data storage related to health information is a third-party service provider. Vendors of PHR and PHR-related entities must inform third-party service providers, preferably in the parties’ written agreement, that the Health Breach Notification Rule covers them.

Any organization that HIPAA covers is not considered a vendor of PHR or a PHR-related entity and, accordingly, is not subject to the Health Breach Notification Rule. HIPAA-covered entities and their business associates are instead subject to the HIPAA breach notification rules. Nevertheless, it is important for health apps and consumer connected devices to carefully consider their relationship with HIPAA-covered entities. They should first consider whether the health app and device entities are a “business associate” or “subcontractor” of a business associate under HIPAA, which would not be subject to the Health Breach Notification Rule but would be subject to HIPAA, or a “PHR vendor,” which is covered by the Health Breach Notification Rule if it “offers products or services through the websites of HIPAA-covered entities that offer individuals PHR.”

What is considered a breach of security?

The Health Breach Notification Rule defines a breach of security as an “acquisition of [unsecured PHR identifiable health information of an individual in a PHR] without the authorization of the individual.” The FTC noted in its policy statement that a breach is “not limited to cybersecurity intrusions or nefarious behavior.” Any incident of unauthorized access to covered consumer information may be considered a breach, including data sharing without prior consumer approval. While a cybersecurity intrusion or unsecured data theft would be considered a security breach, unauthorized sharing of unsecured identifiable information for behavioral advertising or other data analytics could also be considered a breach. Therefore, the FTC policy statement suggests that PHR vendors and PHR-related entities that are sharing information “without client authorization” or outside of their privacy policies must consider whether this activity requires notification under the Health Breach Notification Rule.

What is required in the event of a breach of security?

In the event of a breach of unsecured identifiable health information, PHR vendors and PHR-related entities must notify affected U.S. consumers, the FTC and possibly the media within 60 days after discovering a breach of unsecured personally identifiable health information, or the FTC within 10 days if 500 or more individuals are affected by the breach. Third-party service providers must notify the PHR vendor or PHR-related entity of any breach in accordance with the written agreement between the entities. Therefore, it is important for PHR vendors and PHR-related entities to ensure their contracts with third-party service providers specify how and when to notify the entity of a breach, so its notification obligations can be met.

PHR vendors and PHR-related entities should take special note of the very short 10-day notification window to the FTC if 500 or more individuals are affected by the breach.

What are the penalties resulting from a violation of the Health Breach Notification Rule?

A covered entity that fails to disclose a breach of security properly is in violation of the Health Breach Notification Rule. Violations can result in civil penalties of $43,792 per violation, per day.

Looming FTC Enforcement

The FTC’s policy statement follows a recently finalized settlement between the FTC and the creators of a fertility-tracking app, Flo Health Inc. In its complaint against Flo Health, the FTC alleged that despite promising to keep millions of its users’ menstruation, ovulation and pregnancy health information private, Flo Health shared this sensitive health data with marketing and analytics firms, including Facebook and Google. As part of the settlement, Flo Health must notify affected users about the disclosure of their private health information and instruct any third party in receipt of health data to destroy the data.

While the FTC declined to apply the Health Breach Notification Rule in the Flo Health case and has never taken enforcement action under the Health Breach Notification Rule in over a decade, its policy statement warns that “the Commission intends to bring [enforcement] actions” in the future. Accordingly, it is more important than ever for vendors of health apps and connected devices and their service providers to ensure compliance with the Health Breach Notification Rule to avoid reputational harm and substantial financial penalties. When the Health Breach Notification Rule was enacted in 2009, it was estimated that the rule would only cover about 900 entities and involve 11 breach notifications a year. Today, given the proliferation of health apps and consumer devices, the number is easily in the hundreds of thousands, with thousands of potential violations requiring notification every year.

Next Steps for Affected Entities:

  • Evaluate the entity’s status as a vendor of PHR or a PHR-related entity under 16 CFR § 318.2. If the entity qualifies as a vendor of PHR or a PHR-related entity under 16 CFR § 318.2, notify all entities that may qualify as third-party service providers about the entity’s status and audit contracts for compliance with the Health Breach Notification Rule.
  • Ensure that all consumer PHR identifiable health information is encrypted and secured.
  • Audit internal data security and privacy practices to ensure compliance with the Health Breach Notification Rule requirements, including an evaluation of breach notification procedures to ensure compliance with 16 CFR § 318.3-6.
  • Continue monitoring announcements from the FTC related to the rule and its enforcement.