The Federal Trade Commission (FTC) recently released a new policy statement that requires health apps and connected device companies that collect health information to comply with the Health Breach Notification Rule. Yes, that means those very apps that so many of us use to collect our heart rate, weight, sleep, fertility, height, or any other sensitive medical data are going to be held accountable to notify their users if they experience a data breach. These vendors have long been overlooked in comparison with the covered entities who collect the very same data but are held to compliance.
The Health Breach Notification Rule was issued in 2009 by the FTC to strengthen the security protection of web-based businesses, but since then, there has been an explosion in devices and software that is used to collect protected health information (PHI). While these businesses were advised to examine their obligation and accountability, there was never any enforcement. The FTC defines a personal health record as “an electronic record that can be drawn from multiple sources”. For example, synching a device up with input from the user via an interface means that an app or device is capable of drawing information from a combination of consumer inputs and application programming interfaces (APIS), and therefore is accountable to the Rule.
While this change is an important measure in ensuring that patient data and privacy are protected with regard to sensitive health records, it also plays a critical role in ensuring that there is accountability to the tech firms that may use the data to feed analytics and behavioral advertising.
Developers of these products were not necessarily acting maliciously, but because they fell within a grey area of accountability, their actions weren’t always in line with what was best for the consumer instead of what was best for the business. The FTC was specific in saying that a data breach “is not limited to cybersecurity intrusions or nefarious behavior”. In other words, even sharing PHI will trigger notification obligations. Failure to comply with the rule could result in a penalty of as much as $43,792 per violation per day.
This ruling is yet another emphasis on the fact that healthcare companies must align their cybersecurity posture with HIPAA compliance, and not look at them as separate entities. They work together to keep patients and businesses secure. Not sure if you are doing all that you can? We can help!