Dive Brief:
- The Federal Trade Commission said on Thursday that it’s proposing changes to a rule regulators recently have started using to stop companies from trafficking sensitive medical data, in order to better assert its applicability to health apps.
- The Health Breach Notification Rule requires companies accessing personal health information to notify users and the government when that data is breached, and allows regulators to levy fines against bad actors.
- The FTC seeks to clarify that a security breach includes any unauthorized acquisition of identifiable health information that occurs as a result of a disclosure.
Dive Insight:
Health apps proliferated during the COVID-19 pandemic, resulting in the companies — which track everything from diabetes to fertility to heart health to sleep — collecting more sensitive health data from consumers. The data are commonly used for marketing and other purposes beyond what users know or agree to, and reside beyond the purview of the HIPAA privacy law that applies to hospitals and health insurers.
The Supreme Court’s decision to overturn the constitutional right to an abortion last summer gave rise to fresh concerns regarding the sharing of sensitive medical data, sparking worries it could be used to prosecute individuals who receive, perform or help facilitate an abortion.
As a result, regulators in the Biden administration and some states have increasingly cracked down on data sharing. The FTC has turned to tools like the HBNR, which was finalized in 2009 and originally intended to strong-arm companies into notifying consumers of data breaches affecting the information of more than 500 users.
However, the FTC issued an opinion in September 2021 suggesting it would begin reading “breach” as not just a nefarious intrusion, but any unauthorized sharing of data.
In February, the FTC hit GoodRx with its first HBNR enforcement action, levying a $1.5 million fine over accusations the California-based company illegally shared users’ information with advertisers like Google and Facebook.
Earlier this week, the FTC announced a proposed order settling allegations that Premom violated the HBNR, and fined the fertility app $100,000.
The fine amounts, in addition to settlements that don’t require companies to admit wrongdoing, suggest the FTC hasn’t been certain of its ability to enforce its interpretation of the HBNR in court, according to experts.
That could change with the new proposals. Along with clarifying that unauthorized disclosure of information is a security breach, and tweaking several definitions in the rule, the FTC also is proposing that companies can use email and other electronic means to notify consumers of a data breach.
Regulators also are expanding what companies need to include in the notices, including information about potential harm and about any third parties that might have acquired personally identifiable health information.
“The proposed amendments to the rule will allow it to keep up with marketplace trends, and respond to developments and changes in technology,” Samuel Levine, the director of the FTC’s Bureau of Consumer Protection, said in the statement.
The public has 60 days after the notice is published in the Federal Register to comment on the proposed changes.