The Federal Trade Commission recently issued a policy statement related to its health breach notification rule. This “statement” by the FTC comes a few months after the agency reached a settlement with Flo Health, a mobile app that allegedly impermissibly disclosed sensitive health data about millions of users.
As part of that settlement, the FTC noted that it would be reviewing the health-breach rule and its applicability to companies that disclose sensitive health information without proper authorization.
This policy statement indicates that the FTC will likely be taking an aggressive approach toward enforcing the rule and will likely interpret its authority under the rule broadly going forward—in ways that likely are unexpected for many in the industry.
What Is the Health Breach Notification Rule?
The rule, which went into effect as part of the American Recovery and Reinvestment Act of 2009, requires “vendors” of “personal health records” containing identifiable health information and “PHR related entities” to notify consumers and the FTC following a breach of security involving “unsecured” information (which is defined to essentially mean information that is not encrypted or destroyed).
As the FTC noted in its policy statement, the rule is intended to create obligations for companies that process sensitive health information but are not otherwise subject to the Health Insurance Portability and Accountability Act (HIPAA). Notice to consumers must be made within 60 calendar days of discovery of the breach. Notice to the FTC must be made within the same time period, unless the breach involves more than 500 people, in which case the FTC must be notified within 10 days.
If a breach of security involves more than 500 residents of a particular state or territory, a company must also notify the relevant media outlets of that jurisdiction within 60 days. (The law also requires third-party service providers of vendors and PHR related entities to provide notice of a breach of security to their clients within 60 days).
In terms of applicability, the rule defines a vendor of personal health records as an entity that offers or maintains a personal health record, which is further defined as “an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”
PHR-identifiable health information is defined broadly to include health information that identifies someone or could reasonably be used to identify someone. A “PHR related entity,” meanwhile, is defined as an entity that: 1) offers products or services through the website of a vendor of personal health records or of a HIPAA covered entity that offers individual health records; or 2) accesses information in a personal health record or sends information to a personal health record.
Violations of the rule are treated as unfair or deceptive acts or practices under the FTC Act and could result in violations of to $43,792 per violation daily.
What’s New in the Recent FTC Policy Statement?
In addition to indicating to companies that the FTC is paying attention to this issue, its recent policy statement also indicates that the FTC is willing to interpret its authority under the rule broadly.
For example, the FTC made clear that a business that collected information from a combination of consumer inputs and application program interfaces would be considered vendor of personal health records under the rule (even if such a company would not traditionally be thought of as a direct-to-consumer health record).
This means that an app that collected information directly from a consumer but also had the technical capacity to collect information from the consumer’s smart watch would be covered under the rule. This scope would go beyond how many in the industry have thought of a “personal health record.”
Additionally, while the rule has normally been considered relevant in the context of data breaches, the FTC stated that a health app that discloses users’ sensitive health information without their authorization would also be subject to the rule. This is the approach that a few commentators and two FTC commissioners wanted the agency to take in the Flo Health case, where the allegations involved Flo Health sharing data with advertising and analytics companies in violation of Flo Health’s own public facing representations.
This policy statement indicates that the FTC is willing to enforce unpermitted disclosures under the health breach notification rule beyond situations that might typically be considered a breach of security.
How Can Companies Comply?
The first step toward compliance is for companies to understand what data they collect that may be subject to the rule. For health apps and connected device companies that process identifiable health information, this means understanding what information (if any) is subject to HIPAA and thus exempt from the scope of the law (though that information would be subject to HIPAA’s breach notification requirements). They also need to understand what information falls outside of HIPAA and, as a result, may be regulated under the FTC’s jurisdiction.
Companies that have previously thought of themselves as not subject to the rule (because they are not direct to consumer health records) need to reevaluate their position in light of the recent FTC policy statement and assess whether they collect identifiable health information that can be drawn from multiple sources.
Companies subject to the law can also mitigate their potential risk by implementing appropriate security practices that are proportionate to the sensitivity of the information that they process.
Taking reasonable security steps, such as implementing encryption at rest, can help ensure data is not at risk and that relevant legal obligations are not triggered. In fact, the FTC has provided an example in guidance it has issued stating that losing a laptop containing only encrypted personal health records would not require notification under the law.
Finally, in the event of a breach of security, a company subject to the law needs to evaluate its notification obligations under the law and ensure that any notice it provides under the health breach notice rule comply with the law’s timing, content, and method requirements. Companies should note that notice under the rule may be required in addition to any notice obligations a company may have under state law.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Kirk J. Nahra is a partner with WilmerHale in Washington, D.C., where he is the co-chair of the firm’s global Cybersecurity and Privacy Practice. He teaches privacy issues at several law schools, serves as a fellow with the Cordell Institute for Policy in Medicine & Law at Washington University in St. Louis, and as a fellow with the Institute for Critical Infrastructure Technology.
Arianna Evers is a special counsel in WilmerHale’s Cybersecurity and Privacy Group, where she represents clients in FTC investigations relating to data security and privacy.
Ali A. Jessani is an associate in the Cybersecurity and Privacy Group at WilmerHale. He counsels clients on the privacy, cybersecurity, and regulatory risks presented by new and proposed uses of technology and consumer information.