On September 15, 2021, the Federal Trade Commission (“FTC”) issued a policy statement clarifying that the 2009 Health Breach Notification Rule, 16 C.F.R. Part 318 (“the Rule”) covers health information collected by digital applications and wearable devices.
Under the Rule, healthcare vendors must notify consumers if a data breach compromises “unsecured identifiable health information.'' The Rule was originally intended to strengthen privacy protection requirements for entities not covered by the Health Insurance Portability and Accountability Act (“HIPAA”).
The Rule assigns significant civil penalties for violations amounting up to $43,792 “per violation,” “per day.” However, before 2021, the FTC had not enforced it for over a decade. The exact contours of its application remained unclear. This left vendors of healthcare-adjacent products and services – from fertility tracking applications and meditation apps to wearable fitness trackers – in a regulatory grey area.
The FTC’s pattern of non-enforcement ended in June, 2021, when the Commission reached a settlement with Flo Health Inc., a company which provides smartphone-based fertility tracking applications. The FTC required Flo Health Inc. to notify consumers before sharing health data with digital marketing conglomerates, signaling a broader shift towards tightened data privacy restrictions for digitized healthcare vendors.
September’s policy statement comes on the heels of that decision, announcing a new interpretation of the Rule such that health-adjacent apps and device providers must comply with the Rule’s notice requirements.
Under the new interpretation, “personal health information” refers to any health-related electronic record “drawn from multiple sources,” even if only one source is health-related. For example, an application that gathers both heart rate data and geotagging information is covered. The definition of “breach of security” is also no longer “limited to cybersecurity intrusions.” Even if a company intentionally shares health information with advertisers without user authorization, this could also be considered a breach under this interpretation.
The policy was introduced as a “clarification.” However, dissenting commissioners Noah Phillips and Christine Wilson argued that the interpretation was both impermissibly broad and an unnecessary end-run around parallel rulemaking processes at both HHS and the FTC. They also noted the oddity inherent to using a mechanism designed to prevent nefarious access to data to “police misrepresentations related to privacy.”
In practice, the Rule’s notice requirement may not result in significant changes to user experience. However, the broad definition of breach and significant civil penalty invoked by the new definitions will still have significant ramifications, especially in digitized sectors with business models that make care more affordable by selling aggregated data to third parties. As FTC Chair Lina M. Khan concluded, perhaps “a more fundamental problem is the commodification of sensitive health information” itself.
The eventual result of ongoing rulemaking remains unclear. However, the FTC’s move here marks a clear trend towards increased attention to privacy and efforts to expand the definition of healthcare data in the context of digital health. Given the proliferation of online health services and the increased need for digitized care and resources during a pandemic, further clarification of this rule and its implications will be essential.