On September 15, 2021, recognizing the ever-increasing growth and use of mobile health apps as well as connected devices that capture individuals' health data, the Federal Trade Commission (FTC) issued a Policy Statement reminding organizations of the reach of its Health Breach Notification Rule (Rule).
In general, the Rule holds accountable those entities who are not otherwise covered by the Health Insurance Portability and Accountability Act (HIPAA) when their customers' unsecured health information is compromised.
Up to this point, the FTC has not typically enforced the Rule relative to mobile health apps. However, given the recent proliferation of digital health resources, such as those that track diseases, treatment, fitness, fertility, sleep, mental health, and diet, and their somewhat unrestrained collection and use of consumer data, the FTC took this most recent step to make clear that mobile health apps are generally considered to provide health care services or supplies as it relates to personal health records and, as such, are subject to the Rule. Pursuant to the Policy Statement, a personal heath record is an electronic record that can be drawn from multiple sources.
So, according to the FTC, if a mobile health app draws such consumer-sensitive health information from multiple sources – such as a through a combination of consumer inputs and application programming interfaces (APIs) – or even through a combination of both health and non-health sources (such as consumer input coupled with the data supplied by the consumer's phone), they are subject to the Rule. Consequently, any time that mobile health app discloses or shares health information without user authorization, the Rule's breach notification requirements are triggered.
In order to comply with this most recent guidance and to ensure alignment with the FTC's commitment to the protection of consumer data, developers offering mobile health apps and related digital health resources should integrate the FTC's recommended best practices for the protection of consumer data and the related laws governing those resources.
As breach notification and related health information privacy and security laws and regulations affecting the digital health industry evolve, Baker Donelson stands ready to support you. If you have any questions about this or any other aspect of your health information, privacy, and security practices, please contact any member of Baker Donelson's Health Law or Data Protection, Privacy, and Cybersecurity Practice Teams.