The Federal Trade Commission (FTC) has implemented a Policy Statement regarding health data breach notifications for apps and other connected devices under the Health Breach Notification Rule.
In the Policy Statement, the FTC puts entities on notice of their breach reporting obligations. Up to now the FTC has not enforced the Rule; however, it now intends to bring enforcement actions with potential penalties of $43,792 per violation, per day.
The Rule’s breach notification obligation is becoming more important as Americans use apps to track more and more aspects of their health. Common things that are being tracked include:
- Mental health
The Rule covers individually identifiable health information held by anyone who is a “vendor of personal health records”. This is defined as a non-HIPAA covered entity that offers or maintains a “personal health record”. Some health app developers may therefore be covered. It also covers the same information when a personal health record on an app or other connected device draws information from multiple sources, such as consumer input, a fitness tracker, or even a blood sugar monitor.
The Rule has highlighted that a reportable “breach of security” is not limited to a cybersecurity incident or malicious behaviour. Entities must report any incidents of unauthorized access to information, for example, when a health app discloses any sensitive health information without user authorization.
Value Privacy can monitor compliance against any relevant legislation and advise on what to do and how to handle data. If a breach does occur, we can also advise on whom to notify and the correct procedures to follow. Contact us and we can have a free, confidential conversation about how we can help your company manage all its data needs.