On May 18, 2023, the Federal Trade Commission (FTC) announced a number of proposed amendments to the Health Breach Notification Rule (the Rule), the latest in a series of actions taken by the agency to make health apps and other similar technologies (such as fitness trackers) subject to the Rule. If adopted, the proposed amendments would significantly expand the FTC’s enforcement power in the area of digital health.
The Rule generally requires vendors of personal health records (PHRs) and PHR-related entities that are not covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. The FTC’s proposed amendments would, among other things, clarify that i) the Rule applies to developers of many health applications, and ii) a breach includes the unauthorized disclosure of personally identifiable health data and not just a breach of security (e.g., data compromised by a nefarious third party).
Although the Rule became fully effective in February 2010, it was not enforced for over a decade. In February 2023, the FTC announced a complaint against and proposed settlement agreement with GoodRx, a digital health company offering prescription discounts, over data sharing practices that allegedly resulted in the disclosure of sensitive health data to third parties. In May 2023, the FTC announced a complaint against and proposed settlement agreement with Easy Healthcare Corporation (Premom), the operator of a fertility app, for allegedly misrepresenting its data sharing practices to consumers and for failing to notify consumers when it shared user health information without consent. The GoodRx and Premom enforcement actions followed a controversial September 2021 FTC policy statement (Policy Statement), in which the FTC effectively attempted to broaden the applicability of the Rule to cover digital health apps and connected devices. In its novel interpretation, the FTC claimed that i) developers of healthcare apps were healthcare providers furnishing healthcare services, ii) health information on apps could constitute a PHR when the information was drawn from multiple sources, and iii) breaches of security were not limited to cybersecurity events but could also include the sharing of information without an individual’s authorization. The FTC’s proposed amendments would retroactively codify the premises set forth in the Policy Statement.
All interested companies can submit comments on the proposed changes to the Rule before the comment period closes, 60 days after the notice is published in the Federal Register. Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning the proposal, or assistance in providing comments, please contact Maneesha Mithal, Tracy Shapiro, Haley Bavasi, Hale Melnick, or any member of the firm’s privacy and cybersecurity practice.