2021-09-22

FTC revives decade-old rule as guardrail on the health app explosion

Health apps must notify their users of any data breach or risk hefty fines, the Federal Trade Commission clarified in a policy statement last week. The rule that requires this transparency is a decade old, but it has not been enforced before. The new guidance serves as a warning to the many companies in the health app space: the FTC is taking health data privacy seriously — even if it may not be able to close every privacy gap on its own.

The FTC’s Health Breach Notification Rule covers organizations that are not subject to the Health Insurance Portability and Accountability Act (HIPAA), which applies to entities like doctors and insurance companies. HIPAA already requires those groups to disclose data breaches. The FTC rule covers any other group that handles health information.

Health apps often don’t have strong data privacy protections, FTC Chair Lina Khan said in a statement about the rule. Apps often have weak data protection, or violate their own privacy policies by sharing data with outside parties without informing users. These apps weren’t part of the digital health picture when the rule was first written. Since then, there has been an explosion in health apps – tens of thousands are released each year, and downloads have increased during the COVID-19 pandemic. More and more people are entrusting their health information to these products. The new guidance clarifies that the breach notification rule applies to these platforms as well, even if they didn’t think it covered them before.

The breaches that trigger a notification aren’t limited to hacks or attacks. These organizations must disclose any information shared without the users’ permission. This could apply to situations like the recent privacy breach by the period tracking app Flo, which was sharing data with Facebook, Google and marketing companies without users’ knowledge. The FTC didn’t cite Flo for breaking the breach notification rule — it focused on false statements the company made about its privacy policies — but two FTC commissioners argued it should have.

The FTC’s new focus on making sure companies follow the rule could trigger internal changes at health app companies, says David Simon, a research fellow at the Petrie-Flom Center for Health Law Policy, Biotechnology and Bioethics at Harvard Law School. “It’s going to force them to at least put in place systems, if they haven’t already, to detect when these breaches happen and then notify people,” Simon says. The rule states that groups must report any data breach they should have known about, not only those they actually learn about – so they must have ways to monitor the data.

“If you are an app developer or seller of a connected platform, it is in your best interest to heed this rule”

The penalties for breaking the rule are significant: $43,792 per violation per day. “It can add up very quickly,” says Jennifer Wagner, MD, assistant professor of law, policy and engineering at Pennsylvania State University. “I think what they’re trying to signal is, ‘Look, it’s in your best interest if you’re an app developer or a seller of connected platforms that you heed this rule, and that you have some type of feedback mechanism in place.’”

The FTC’s rule will let users know when a data breach occurs, but it can’t solve all of the data privacy issues surrounding health apps. It does not limit what companies are able to do with users’ data; it just says that they have to tell users what they are doing. “It’s a kind of transparency, but it has its limits,” Simon says. Some experts argue that users should have more proactive control over the ways apps can use and share data in the first place. However, the FTC doesn’t have the power to make those changes. “I don’t think it has the tools to do everything it wants to do,” Simon says.

The FTC’s rule is also limited to digital health products that handle health information. Recently, however, it has become clear that a platform not specifically designed for health can still be used for that purpose: a Facebook support group for breast cancer survivors, for example. Such a group may not be considered a health record, but it is collecting information that can be used to learn about the health of its members, Wagner says. If a data breach occurs on that platform, it will not necessarily be subject to the rule. “What the FTC can do with the terminology is somewhat limited, although they are certainly trying to do everything they can,” she says.

Despite the limitations, the guidance comes as the larger landscape around data security is shifting to give people more control over their information. There is increasing attention from Congress, states, and attorneys general on data privacy, Wagner says. Companies are watching all of this, and the FTC’s decision is a new piece of that puzzle. “They need to think about the steps they need to take, and to think ahead, because this regulatory space is not going away,” she says.