Written by: Dr. Aishwarya Sarthe
April 30, 2024
This revision seeks to enhance transparency regarding the collection of individuals' health information by companies operating in the digital health realm.
In a bid to fortify the protection of consumers' sensitive medical information shared through digital health apps, the Federal Trade Commission (FTC) has made significant amendments to its Health Breach Notification Rule (HBNR).
The revised rule underscores the obligation of health apps to notify individuals and relevant authorities in case of breaches involving unsecured personally identifiable health data.
Under the updated Health Breach Notification Rule (HBNR), vendors managing digital health records, including health apps not governed by the Health Insurance Portability and Accountability Act (HIPAA), must disclose breaches of unsecured personally identifiable health data.
This encompasses traditional health information, such as diagnoses and medications, alongside data inferred from fitness trackers and other sources. The rule also compels third-party service providers to notify vendors of personal health records after discovering a breach.
According to Samuel Levine, director of the FTC's Bureau of Consumer Protection, "Protecting consumers’ sensitive health data is a high priority for the FTC."
He further emphasized that with the increasing use of health apps and connected devices, the updated HBNR will ensure it keeps pace with changes in the health marketplace.
Recent enforcement actions by the FTC underscore the necessity for enhanced scrutiny of digital health apps.
In February 2023, the FTC settled with GoodRx, a telehealth and prescription drug discount provider, over allegations of unauthorized disclosures of consumers’ personal health information. GoodRx agreed to a $1.5 million civil penalty, marking the first enforcement action under the HBNR.
Similarly, in a settlement with the developer of the fertility app Premom, the FTC addressed concerns regarding the unauthorized sharing of users’ sensitive personal information with third parties.
As part of the settlement, Premom’s owner agreed to cease data-sharing practices and pay a settlement fee of $200,000.
The finalized changes to the HBNR rule signify stricter enforcement measures against health-related apps and trackers that fail to uphold consumer privacy standards.
The rule also expands the definition of healthcare services to encompass a broader range of online health-related tools and services.
However, not all commissioners agreed with the amendments. Commissioners Melissa Holyoak and Andrew N. Ferguson expressed dissent, highlighting concerns over the FTC's statutory authority and the potential for perpetual non-compliance among companies.
According to them, the final rule adopted by the FTC could subject companies to legal challenges that undermine the commission's institutional integrity.
Despite dissenting voices, the FTC's revised Health Breach Notification Rule is set to take effect 60 days after its publication in the Federal Register. This move reflects a concerted effort to bolster data privacy measures in the rapidly evolving landscape of digital health applications.
The amendments underscore the FTC's focus on safeguarding consumer health data privacy amidst the proliferation of health apps and connected devices.
With the enforcement of stringent regulations, consumers can expect greater transparency and accountability from companies handling their sensitive medical information.