The Federal Trade Commission (FTC) just released a Policy Statement emphasizing that telemedicine and digital health apps can be held accountable under the Health Breach Notification Rule even when the company is not subject to HIPAA. Digital health breaches are not limited to hacks and cybersecurity intrusions; they also occur when companies share user health information without the user's consent. The Policy Statement was issued on the heels of a recent FTC enforcement action and settlement in which the FTC alleged that the company misrepresented that it would not share users' sensitive personal health information with third parties. Members of Congress have also pressured the FTC to use the Health Breach Notification Rule as a tool to protect users from having their sensitive information exploited.
When a health app, for example, discloses sensitive health information without users' authorization, this is a 'breach of security' under the Rule.
– Federal Trade Commission (Sep 15, 2021)
Frequently Asked Questions for Telemedicine & Digital Health Companies under the FTC Health Breach Notification Rule
- What information is covered by the Rule? The Rule covers personal health records (PHRs), defined as an electronic record of "identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual."
- To whom does the Rule apply? The Rule applies to vendors of PHR, PHR-related entities, and their service providers. A vendor of PHR is a business that offers or maintains a PHR, such as a company that collects and stores medical records on behalf of individuals. A PHR-related entity is a business that interacts with vendors of PHR, such as a company that offers an app that helps consumers manage their diabetes by collecting data from a smart glucose meter. A company that is a HIPAA-covered entity or business associate is not considered a vendor of PHR or a PHR-related entity. The Rule also applies to service providers, such as data hosting providers.
- What does the Rule require? Service providers must notify the vendor of PHR or PHR-related entity of any breach. Entities covered by the Rule must report breaches of unsecured identifiable health information to the impacted individuals, to the FTC, and, if the breach involves the information of 500+ people of a particular state, to the media. Notice must be made within 60 calendar days of discovery of the
- Does "breach" mean a cybersecurity incident? The definition is not limited to cybersecurity incidents. The Rule defines "breach of security" as the acquisition of individually identifiable health information without the authorization of the individual. Cybersecurity incidents fall within that definition, but the Policy Statement makes clear that sharing individually identifiable health information without an individual's authorization is also a breach that triggers the notification requirements of the Rule. For example, a health app that collects identifiable health information from an individual, such as their unique device identifier along with body mass index, and shares that identifiable information with third parties without adequate authorization from the individual has most likely triggered the
Want to Learn More?
- Sharing and Mining Patient Data in Digital Health and Telemedicine: Laws You Need to Know
- Is My Telehealth App Subject to HIPAA?
- Five To-Do's for Telemed Companies Before the Public Health Emergency Ends