On September 15, 2021, the Federal Trade Commission (FTC) issued a Statement providing guidance on the scope of the FTC’s Health Breach Notification Rule (Rule). As more and more Americans turn to fitness trackers and apps for tracking things like sleep, glucose levels, blood pressure, and fertility this Rule is more important than ever.
For most hospitals, physician offices, insurance companies, and other health care settings, the Health Insurance Portability and Accountability Act (HIPAA) governs the privacy and security of electronic health data. But many companies that collect people’s health information aren’t covered by HIPAA. The Rule helps to ensure that entities who are not covered by HIPAA face accountability when sensitive health information is compromised. The Rule covers vendors of personal health records (PHR), a PHR related entity, or a third-party service provider for a vendor of PHRs or a PHR related entity.
A PHR is defined as an electronic record that can be drawn from multiple sources, and an app is covered by the Rule if they are capable of drawing information from multiple sources. The Rule is triggered when companies experience a “breach of security”. When a health app, for example, discloses sensitive health information without the users’ authorization, this is a “breach of security” under the Rule.
If there has been a breach of unsecured identifiable information, companies with PHR must notify U.S. consumers, the FTC, and in some instances, the media. The Rule also states that entities covered by the Rule who have experienced breaches cannot conceal this fact from consumers or individuals who have entrusted them with the sensitive health information.
Entities subject to the Rule should take proactive measures to avoid a violation. This can be done by:
- assessing the categories of its stored data
- undertaking a cybersecurity risk assessment
- reviewing privacy policies
- ensuring the development and implementation of a robust security incident response procedure
About the Author