In an aggressive expansion of its security and privacy enforcement programs, on September 15, 2021, the FTC issued what it characterized as a “Policy Statement” reinterpreting an old rule about personal health records.
First, some background. In 2009, Congress directed the FTC to create a rule requiring companies to provide notice when there is an unauthorized acquisition of certain health information not covered by HIPAA. At the time, the FTC explained that its Health Breach Notification Rule was narrow, consistent with the text of the statute, applying only to security breaches by vendors of certain health data repositories (called “personal health records” or “PHRs”) and certain companies that work with PHR vendors.
Flash forward to September 2021. The FTC’s Policy Statement declares a broad range of health, fitness, wellness, and related technologies to be covered by the Rule if they can draw information from “consumer inputs” and APIs that include “personal health records.” This scope is markedly broader than the agency’s previously issued guidance, which reiterated the narrow application of the Rule. To further illustrate, the FTC now says that health apps, such as glucose monitors or fitness trackers, are subject to the Rule if they draw information from a device or wearable and a phone calendar. In an unprecedented, expansive application of a narrow breach-notice rule to consumer privacy, presumably to address what Chair Khan characterizes as “surveillance-based advertising,” the Statement also asserts that the “sharing of covered information without an individual’s authorization” triggers breach notification obligations. The FTC issued this Policy Statement even as the Commission was in the midst of seeking public comment on the Rule as part of its periodic rule review process.
Companies violating the Rule face civil penalties of $43,792 per violation.
Commissioners Wilson and Phillips issued strong dissents, calling the Commission majority to task for abandoning prior business guidance and ignoring the Administrative Procedure Act’s notice-and-comment requirements. FTC Chair Khan, in turn, lamented the fact that the Commission had not brought an enforcement action under the Rule, cautioning that “the Commission should not hesitate to seek significant penalties against developers of health apps and other technologies that ignore [the Rule’s] requirements.”
App developers and other companies providing health, wellness, fitness, and related apps should consider the implications of the FTC’s Statement and assess its potential applicability to their business, even if they do not typically view themselves as covered by HIPAA or as operating in an adjacent space. Indeed, the FTC’s Policy Statement underscored that its guidance was intended to sweep broadly, noting its relevance for apps and other technologies that “track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas.” Unfortunately, the Policy Statement raises more questions than it answers. For example:
- Is all personal information collected by such technologies subject to the FTC’s new interpretation of the Health Breach Notification Rule?
- Do existing data governance policies and practices provide appropriate safeguards?
- Are current consumer disclosures and consents sufficient to mitigate risk? For example, what level of “authorization” would be required for sharing personal information for interest-based advertising and analytics purposes?
* * *
We’ll closely monitor developments and post updates as they occur.