On September 15, 2021, the Federal Trade Commission (FTC or Commission) held an understatedly crucial open meeting, the third under the tenure of its new chairwoman, Lina Khan. During the meeting, FTC Commissioners voted 3-2 to adopt a policy statement affirming that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule. As a bit of background, the FTC originally implemented its Health Breach Notification Rule in September 2009, as required by the American Recovery and Reinvestment Act of 2009. To this day, the FTC has never enforced this rule, which requires that vendors of personal health records (PHRs) and their service providers notify consumers and the FTC when a breach of identifiable health information occurs. Failure to report such breaches carries civil penalties of up to $43,792 per violation per day.
While you may shrug at such an innocuous-sounding development, the Commission’s policy statement actually represents a major turning point in the federal oversight of processing activities involving health data not already protected by the Health Insurance Portability and Accountability Act (HIPAA). As a result, app developers, especially those in the health or connected device space, should pay close attention to the FTC’s new posture toward privacy under Chairwoman Khan.
Unfortunately, with its new policy statement, the Commission goes to great lengths to elide the difference between a breach of security and a privacy violation in hopes of expanding the rule’s reach. Whereas the Health Breach Notification Rule plainly states that it exists simply to ensure that PHR providers and their service providers notify consumers “when the security [emphasis added] of their individually identifiable health information has been breached,” the policy statement asserts that whenever a health app discloses sensitive health information without users’ authorization, this is a “breach of security” under the rule. Of course, the FTC originally recognized the commonly understood distinction between security breaches and privacy abuses in 2009 when it included several examples of a covered breach in its Final Rule, all of which referenced instances where information was taken or stolen without the provider’s knowledge and despite security measures in place to stop such unauthorized access.
While the App Association is certainly sympathetic to the goal of preventing the unauthorized sharing of users’ sensitive information and agrees that there should be punishment when a company violates consumer trust, the fact remains that a data breach notification law is an imperfect vessel to accomplish privacy-specific goals.
The policy statement also stretches the definition of PHR, defined in the rule to mean “identifiable health information on an individual that can be drawn from multiple sources [emphasis added] and that is managed, shared, and controlled by or primarily for the individual.” The policy statement instead asserts that the rule covers health apps even when the health information they collect comes from a single source (such as an application programming interface) and the user themself inputs non-health data, such as through a separate calendar app. This directly contradicts existing FTC business guidance on the very topic, which states that “[i]f consumers can simply input their own information on your site in a way that doesn’t interact with personal health records offered by a vendor – for example, if your site just allows consumers to input their weight each week to track their fitness goals – you’re not a PHR-related entity.”
The Health Breach Notification Rule is simply a poor fit for policing first-party privacy violations, and the FTC’s new interpretation will create numerous headaches for app developers along the way. For example, since the notification standard in the rule triggers when the entity first discovers the breach, the FTC’s new interpretation seemingly blesses the underlying unauthorized sharing of data so long as the provider proffers a notification after the fact. Alternatively, the FTC’s interpretation could require providers to notify consumers when they first “discover” their own plan to share the information with third parties without consumer authorization, but the rule still does not provide any way for consumers to opt out of that transaction ahead of time. That either option generates a nonsensical, counterproductive outcome that fails to actually prevent unauthorized data sharing before it occurs speaks to the frailty of the Commission’s interpretation.
To be fair, the FTC’s policy statement comes amidst a sea change in which millions of Americans are increasingly turning to digital health applications and connected devices to better track and manage their personal health conditions. This has especially been the case during the global pandemic, with many quarantined inside their homes or otherwise dissuaded from scheduling in-person healthcare visits. Yet many people still do not realize that when apps and connected devices collect and process health information, those activities do not generally carry the same legal restrictions as those that apply to the collection and processing activities of traditional health providers that accept health insurance, or their business associates, under HIPAA.
Meanwhile, Congress continues to struggle to make progress on a comprehensive privacy bill that could potentially level the playing field between the treatment of HIPAA-covered and non-HIPAA-covered health information. On September 29, the Senate Commerce Committee held its first hearing on privacy in more than a year, specifically focusing on steps that Congress and the FTC can take to strengthen privacy protections for consumers. The App Association testified at the hearing and used the opportunity to directly call on Congress to pass a strong federal privacy bill.
All of this is to say that the Commission’s policy statement genuinely seeks to address a worrisome gap in our nation’s current privacy framework in the face of Congress’ apparent inability to act. Though the FTC has been active in enforcing its authority to punish entities that engage in unfair or deceptive acts or practices, it does not possess first-time enforcement authority to punish particularly egregious privacy violators in the health space. For example, the FTC was only able to enjoin Flo, a popular fertility and period tracking app, from further harmful conduct when it allegedly shared the “health information of users with outside data analytics providers after promising that such information would be kept private.”
From our perspective, however, the answer to the health data protection gap is not for the FTC to create novel interpretations of its existing rules, nor is it to extend HIPAA to cover healthcare tools and services not currently subject to HIPAA. As evidenced above, the Commission will inevitably encounter roadblocks as it seeks to retrofit old rules to address new use cases and business models. Meanwhile, HIPAA’s overarching purpose is to ensure the portability of insurance-related health data (hence the title of the statute) between covered entities and business associates; it was not primarily designed to give consumers better control over their own healthcare data or to manage the risks healthcare data processing poses.
In our opinion, the best way to improve FTC enforcement capabilities within the privacy sphere is to specifically grant those authorities as part of a federal privacy framework. In our recent testimony, we urged the Committee to establish a set of federal requirements that puts in place baseline consumer rights and curbs data processing activities that expose consumers to undue privacy risks, including in the health privacy space. Our ideal privacy framework would effectuate transparency, strong consumer rights, accountability, a single national standard, and scalable requirements that take small businesses into account even as lawmakers are likely to take aim at some of the biggest players in the digital space.
In the meantime, developers should remain on high alert with the FTC now taking a far more aggressive stance on health data and privacy writ large. Privacy intrusions, such as the unauthorized sharing of health data with third parties without notice, are now covered under the Health Breach Notification Rule and punishable at the first offense. Developers should expect the FTC to undertake an enforcement action in the near future to explore the contours of its new authorities. The App Association will remain attentive to the Commission’s activities and will notify developers with any new regulatory developments in the privacy space.