FTC’s Policy Statement on breach notifications in mobile health apps: a new, broad approach that may face legal challenge
On September 15, 2021, the Federal Trade Commission (FTC) issued a broad Policy Statement offering guidance on the scope of the FTC’s Health Breach Notification Rule. In the statement, the FTC said it was clarifying: (1) the types of apps that are covered under the Rule and (2) that a disclosure of a consumer’s covered information without the consumer’s authorization may be considered a “breach” that triggers an entity’s notification obligations under the Rule.
The FTC has not taken any enforcement actions under the Rule since its issuance in 2009; however, the agency’s Policy Statement highlights its intention to step up enforcement consistent with these new interpretations.
Interestingly, the agency states: “[t]his Policy Statement serves to clarify the scope of the Rule, and place entities on notice of their ongoing obligation to come clean about breaches.” [Emphasis ours.] Characterizing such a significant expansion of a rule as a “clarification,” rather than a change in policy, opens the door to enforcement by the FTC for disclosures that occurred prior to the release of the Policy Statement as well as legal challenges to the Policy.
As background, Congress directed the FTC to promulgate the Rule in the Health Information Technology for Economic and Clinical Health Act (HITECH), which was passed as part of the American Recovery and Reinvestment Act of 2009. HITECH also amended requirements under the Health Insurance Portability and Accountability Act (HIPAA) to impose breach notification requirements on HIPAA Covered Entities and Business Associates.
Analogous requirements covering those not subject to HIPAA
In recognition of the growing number of mobile health applications that also process health information, Congress created analogous requirements for vendors of personal health records and related entities that are not subject to HIPAA. The HITECH provisions require such entities to provide notice to affected consumers, the FTC, and, in some cases, the media, in the event of a breach of security of unsecured individually identifiable health information.
The Rule contains specific requirements governing the timing, method, and content of consumer breach notices. Entities that violate the Rule may be subject to civil penalties of $43,792 per violation per day. Until the release of the Policy Statement, the Rule and the HIPAA Breach Notification Rule were harmonized by the FTC and the Office for Civil Rights (OCR), which enforces HIPAA.
In the new Policy Statement, the FTC stated that health apps are covered by the Rule if they are “capable of drawing information from multiple sources, such as through a combination of customer inputs and application program interfaces.” Under the FTC’s newly articulated interpretation, an app that can draw information from multiple sources is subject to the Rule, even if it pulls health information from only a single source (e.g., through consumer input) and pulls non-health information from other sources (e.g., through an API).
Policy Statement is in contrast to earlier, more narrow interpretations
Additionally, in contrast to earlier, more narrow interpretations, the FTC noted that a “breach” under the Rule includes “incidents of unauthorized access,” meaning disclosures of an individual’s covered information without the individual’s authorization. Notably, in the 2009 text of the Final Rule, the FTC included the following examples of a “breach,” all of which more closely align with the healthcare industry’s understanding of the term: (1) the theft of a laptop containing unsecured health records; (2) the unauthorized downloading or transfer of such records by an employee; and (3) the electronic break-in and remote copying of covered health records by a hacker.
The Policy Statement includes a much broader reading, which contemplates that a covered app operator’s disclosure of covered information to, for example, a data analytics provider, could be considered a “breach” that could trigger notification obligations and result in potential liability under the Rule if the operator did not obtain the consumer’s authorization before the disclosure. In Chair Lina Khan’s public statement, she emphasized concerns with sensitive health information being used in analytics, particularly with respect to consumer advertising. The Policy Statement does not offer examples of what would constitute adequate consumer “authorization” to allow such disclosures, nor does it specify the types of disclosures for which authorization is required.
The FTC voted 3-2 to approve the Policy Statement, with Commissioners Noah Joshua Phillips and Christine S. Wilson voting no and issuing dissenting statements. Among other points, the dissents question the FTC’s authority to expand the scope of the Rule in the absence of a formal rulemaking under the Administrative Procedure Act. They also argue that changes to the Rule should be made through the rulemaking process that is already under way at the FTC.
Mobile health app developers should closely examine the personal and health data they collect to determine whether, under the FTC’s new interpretation, the Rule applies, and then assess whether they need to revisit privacy policies, global privacy control settings, privacy notices and consents in light of the Policy Statement.
These companies should also evaluate their information security programs and incident response policies and protocols to consider whether they are able to detect breaches and comply with notification requirements under the FTC’s expanded definition of a breach.
Learn more about the implications of this broad new approach by contacting any of the authors.