In an aggressive expansion of its security and privacy enforcement programs, on September 15, 2021, the FTC issued what it characterized as a “Policy Statement” reinterpreting an old rule about personal health records.
First, some background. In 2009, Congress directed the FTC to create a rule requiring companies to provide notice when there is an unauthorized acquisition of certain health information not covered by HIPAA. At the time, the FTC explained that its Health Breach Notification Rule was narrow, consistent with the text of the law, applying only to security breaches by vendors of certain health data repositories (called “personal health records” or “PHRs”) and certain companies that work with PHR vendors.
Flash forward to September 2021. The FTC’s Policy Statement declares a broad range of health, fitness, wellness, and related technologies to be covered by the Rule if they can draw information from “consumer inputs” and APIs that include “personal health records.” This scope is markedly broader than the agency’s previously-issued guidance, which reiterated the narrow application of the Rule. To further illustrate, the FTC now says that health apps, such as glucose monitors or fitness trackers, are subject to the Rule if they draw information from a device or wearable and a phone calendar. In an unprecedented, expansive application of a narrow breach notice rule to consumer privacy, presumably to address what Chair Khan characterizes as “surveillance-based advertising,” the Statement also asserts that the “sharing of covered information without an individual’s authorization” triggers breach notification obligations. The FTC issued this policy statement even as the Commission was in the midst of seeking public comment on the rule as part of its periodic rule review process.
Companies violating the Rule face civil penalties of $43,792 per violation.
Commissioners Wilson and Phillips issued strong dissents, calling the Commission majority to task for abandoning prior business guidance and ignoring the Administrative Procedure Act’s notice and comment requirements. FTC Chair Khan, in turn, lamented the fact that the Commission had not brought an enforcement action under the Rule, cautioning that “the Commission should not hesitate to seek significant penalties against developers of health apps and other technologies that ignore [the Rule’s] requirements.”
App developers and other companies providing health, wellness, fitness, and related apps should consider the implications of the FTC’s Statement, and assess the potential applicability to their business, even if they do not normally view themselves as covered by HIPAA or operating in an adjacent space. Indeed, the FTC’s Policy Statement underscored that its guidance was intended to sweep broadly, noting its relevance for apps and other technologies that “track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas.” Unfortunately, the Policy Statement raises more questions than it answers. For example:
- Is all personal information collected by such technologies subject to the FTC’s new interpretation of the Health Breach Notification Rule?
- Do current data governance policies and practices provide appropriate safeguards?
- Are existing consumer disclosures and consents adequate to mitigate risk? For example, what level of “authorization” would be required for sharing personal information for interest-based advertising and analytics purposes?
* * *
We will closely monitor developments and post updates as they occur.