Apps Fall Under Health Breach Notification Rule, Cautions FTC

By Lee Fifield | Posted in COVID-19 | October 22, 2021

As more health apps flood the market, app developers need to be aware of their responsibilities to consumers.

The U.S. Federal Trade Commission (FTC) issued a policy brief on Sept. 15 clarifying when healthcare apps would be subject to Health Breach Notification Rule 16 C.F.R. Part 318 (the Rule). The Rule was created to help ensure that entities not covered by HIPAA notify consumers if their private health information is compromised. Under the Rule’s requirements, vendors of personal health records (PHR) and related entities must notify U.S. consumers and the FTC, and, in some cases, the media, if there has been a breach of unsecured identifiable health information or face civil penalties for violations.

Old Rule, New Technologies

The breach notification rule has been in place for more than a decade, though it has never been strictly enforced. The recent surge of new health apps and connected devices, however, has brought this Rule to prominence again, and it has become clear that many developers of mobile health apps do not understand their product requirements and obligations to customers under the Rule.

According to the FTC, “Under the definitions cross-referenced by the Rule, the developer of a health app or connected device is a ‘health care provider’ because it ‘furnish[es] health care services or supplies.’” Therefore, a health app that discloses sensitive health information without the user’s authorization is, in fact, in breach of security under the Rule, even without malicious intent or action.

Who Does This Cover?

The Rule defines a PHR to be an electronic record that can be drawn from multiple sources. An app falls under the Rule if it can draw information from more than one source, such as information collected by consumer input and information that comes from an application programming interface (API). So, something seemingly innocuous like syncing with your fitness tracker is covered under the Rule.

Even non-health information sources come into play. A blood sugar monitoring app that also draws on dates from a patient’s cell phone calendar (a non-health information source) would count under the Rule.

What is the Impact?

Healthcare data breaches have been on the rise for years — their numbers doubling since 2014. The HIPAA Journal reports a 25 percent increase in breaches in 2020, with more than 29 million healthcare records breached. The COVID-19 pandemic added to the already troubling trend, thanks to an increase in telehealth services in 2020. Telehealth providers were targeted by cyberattacks in increasingly greater numbers as they scrambled to provide new or additional virtual services in the wake of the national shutdown. Healthcare breaches did not slow down in 2021, either.

Sept. 27 saw the appointment of Lisa J. Pino, new Director of the Office for Civil Rights (OCR), which enforces HIPAA privacy and breach notification rules. It is too soon to tell what impact she may have on HIPAA enforcement actions.

The Future is Now

As more and more people turn to health apps to track everything from their diet and fitness to their diagnoses and medications, it is important that companies offering health apps and connected devices secure the patient data they collect or manage. The FTC intends to enforce the Health Breach Notification Rule in light of the current trends in technology and the increase in cyberattacks. Those who create and manage health apps can expect to pay civil penalties of $43,792 per violation per day.


Lee Fifield


Lee Fifield has a Bachelor of Science in communications from Ithaca College, Ithaca, New York, and has worked as a writer and editor for 17 years.
