Last week, the Federal Trade Commission (FTC) announced in a Statement of the Commission On Breaches by Health Apps and Other Connected Devices (Policy Statement) that the FTC will begin enforcement of its Health Breach Notification Rule (Rule) issued in 2009. The Rule was issued by the FTC to regulate certain businesses that handle health information when they are not regulated by the Health Insurance Portability and Accountability Act (HIPAA). Many of those businesses are likely not aware of the Rule, because there has been no public enforcement activity. While questions about the Rule’s scope remain, recent actions by the FTC (including the Policy Statement) suggest that it may be time for businesses to consider whether and how their operations may be drawing interest (investigative and enforcement) from regulators.
Persistent uncertainty about the scope of the FTC’s Health Breach Notification Rule
Our colleagues wrote about the Rule when it was first issued, to explain how certain businesses that handle health information may be required by the Rule to provide notice of data breaches affecting health information. We will not restate that analysis here, but it remains as accurate now as it was then. Until last week, the FTC had never publicly enforced the Rule or published new guidance on it. Significant questions, therefore, persist about how the FTC will interpret and apply the Rule.
The Rule does not apply to businesses regulated by HIPAA, but the Rule ambiguously describes the types of businesses to which it does apply. For example, as drafted, employers that hold employee health records electronically could theoretically be regulated by the Rule, even though it was likely not the FTC’s intent for the Rule to apply in the employment context. Given the Rule’s ambiguous scope, businesses may need to conduct a case-by-case assessment of whether the Rule applies to each of their data security incidents in order to avoid missing this little-known and broad regulatory requirement.
In contrast with the FTC’s Health Breach Notification Rule, HIPAA, which is enforced by the Office for Civil Rights in the Department of Health and Human Services, generally provides clear guidelines as to the scope of its applicability. HIPAA applies only to health care providers that transmit health information electronically in connection with certain transactions (such as claims), health plans, and health care clearinghouses, together with the business associates that handle protected health information on their behalf. Similar to the Rule, a breach of unsecured protected health information regulated by HIPAA triggers potential breach notification requirements. A “breach” under HIPAA involves “an acquisition, access, use, or disclosure of protected health information in a manner not permitted” by HIPAA, which includes many restrictions on disclosures without patient authorization. Failure to comply with the notification requirements under HIPAA could result in civil monetary and other penalties.
Looking for clarification in the FTC’s recent policy statement
Below, we highlight three main points the FTC made in its recently released Policy Statement.
A focus on health apps and connected devices
The FTC signaled where its enforcement focus will likely be: health apps and connected devices. The FTC stated that it had previously provided guidance to health apps, but observed that, in the FTC’s view, they frequently are not meeting the Rule’s requirements. The FTC listed particular types of health app services on which it may focus: those that “track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas . . . .”
The sources of data are relevant to the analysis of the rule
The FTC attempted to clarify that health apps and connected devices are subject to the Rule if they are “capable of drawing information from multiple sources, such as through a combination of consumer inputs and application programming interfaces (APIs),” even if the health information only comes from one source. The FTC explained that “an app is covered if it collects information directly from consumers and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker.” For example, “if a blood sugar monitoring app draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from your phone’s calendar), it is covered under the Rule.” Therefore, the FTC seems to be broadly interpreting the types of technical functionality that could bring health apps and connected devices within the Rule’s scope.
Unique definition of a “Breach” incident
The FTC focused on a significant difference between the definition of a “breach” under the Rule and the definitions of “breach” under state data breach notification laws. Many state data breach notification statutes define a “breach” to include unauthorized acquisition of “personal information.” Moreover, those state laws incorporate the concept that a business, the individual to whom the data relates, or another party may be permitted to authorize the disclosure of personal information. By contrast, under the Rule, a “breach” occurs when there is “acquisition of [regulated] information without the authorization of the individual” (emphasis added). Therefore, importantly, under the Rule, only the individual data subjects appear to have the authority to permit a disclosure of their health information. Many businesses that may be unaware of the Rule or its applicability to their activities could be accused of “breaches” of health information by the FTC and subject to these additional regulatory requirements, including for disclosures that a business believed it was entitled to authorize itself.
This difference between the Rule and state data breach notification laws is not surprising when one considers that the Rule was issued by the FTC pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH). HIPAA significantly regulates and restricts the use and disclosure of health information without the authorization of the patient, and a failure to comply with those restrictions may be a “breach.” The Rule similarly focuses on the role of patient authorization for disclosures of health information. The Rule may cause businesses unregulated by HIPAA to take a more patient-centric position on control over the flow of health information, similar to businesses regulated by HIPAA.
Implications and Potential Chilling Effect on Innovation
The FTC’s Policy Statement is an important reminder for businesses (particularly those that offer health apps and connected devices) that, in addition to state data breach notification laws, data breach notification obligations under HIPAA or the Rule may be implicated when data incidents (or even intended disclosures) involving health information occur. The Rule, and the latest Policy Statement from the FTC, will be of particular interest, and potential concern, to businesses in light of the large but ill-defined number of unsuspecting entities to which the Rule may apply. Additionally, the broad and unusual definition of “breach” may confuse businesses, cause operational difficulties, and exacerbate compliance challenges among information-dependent businesses.
This uncertainty about how the Rule applies to businesses, combined with the risk of related enforcement (failure to provide notices in accordance with the Rule may result in civil penalties of up to $43,792 per violation per day, according to the Policy Statement), may discourage innovation outside of the traditional health data ecosystem in much the same way that the Children’s Online Privacy Protection Act (COPPA) has had a chilling effect on innovative educational products for children under 13 years of age.