FTC Called Upon to Enforce Health Breach Notification Rule

The College of Healthcare Information Management Executives (CHIME) has urged the FTC to start holding health apps and data brokers accountable for illegal disclosure of health data and unfair or deceptive data practices. The letter to the FTC is in response to the FTC’s Advance Notice of Proposed Rulemaking (ANPR). 

Advance Notice of Proposed Rulemaking (ANPR)

The ANPR was published in August 2022, and healthcare industry stakeholders were encouraged to submit comments. The issue under consideration was whether the FTC should implement new trade regulation rules governing the ways in which companies collect, aggregate, protect, use, analyze, and/or retain consumer data, and transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.

CHIME expressed broad support for the proposed measures, especially given the extent to which mobile devices and health apps are now used to collect, process, and transmit health data. Because mobile apps are generally not covered by HIPAA, the data entered into or collected by them is not protected and is therefore often sold to data brokers.

CHIME also praised the FTC's efforts to protect consumer health information under the Health Breach Notification Rule. Under this Rule, vendors of personal health records (PHR) must notify consumers and the FTC of breaches of unsecured information.

However, CHIME stated that it is time the FTC enforced the Health Breach Notification Rule. Vendors of personal health records and related entities that have lax security or are blatantly disregarding the law must be held accountable. CHIME believes it is time the FTC used its existing authority under this Rule to issue notices and penalties.

CHIME is broadly supportive of new trade regulation rules to utilize the FTC’s existing authority to protect consumers – we are strongly encouraging the FTC to push further into this space by utilizing and enforcing the clear, concise, and existing authority under the Health Breach Notification Rule to hold non-HIPAA covered third-parties (i.e., vendors of PHR and PHR-related entities) responsible when they illegally disclose – intentionally or not – covered information.


CHIME also stated that the FTC should do more to prevent data breaches and the sale of consumer health data before they happen. This could be done by imposing stringent, real-world privacy and security requirements on companies to better protect consumer data. CHIME also recommends that consumers should understand exactly how their data will be used before using any company's technology. CHIME proposed several questions about health apps that should be considered in future rulemaking:

  • Whether they sell or monetize consumer information
  • How consumer information that is sold is used
  • What the documented consumer consent process is
  • How long consumer data is stored, where it is stored, and what the security practices are
  • Whether the data is securely destroyed and, if so, how and when