
FTC: New Health App Security Ruling Includes Providers & Other Stakeholders


November 23, 2021 | Reading Time: 2 Minutes


The Federal Trade Commission (FTC) has adopted an app security and app privacy policy statement addressing the use of health applications and connected devices by providers, manufacturers, and other services that collect or use consumers’ personal health information. The statement represents a broad interpretation of the Health Breach Notification Rule. It includes safeguards and far-reaching sanctions for involved parties who violate security, privacy, and breach notification mandates. The FTC stated in a press release that the rising usage of COVID-19-related health applications influenced its broad policy statement.

Involved Parties and Devices

Casting an extensive net, the ruling for app security and app privacy applies to health care providers and manufacturers. The FTC ruling also applies to those who sell personal health records (PHR), PHR-related businesses, and third-party service providers involved in health care applications and related devices.

As for device types, the FTC’s current interpretation of the Health Breach Notification Rule covers the prominent mobile health and fitness applications and wearables on the market. The Rule applies to “any application that collects information directly from consumers and has the technical capacity to pull information through an application programming interface (API) that permits synchronization with a consumer’s fitness tracker.”

According to the FTC, “an app that takes data from numerous sources is protected, even if the health app originates from only one source.” For example, the new app security ruling would apply to an app that tracks blood sugar and also gathers non-health information, such as dates, from a consumer’s phone calendar. The FTC targeted apps and other technologies that monitor diseases, diagnoses, treatment, drugs, fitness, fertility, sleep, mental health, food, and other areas.

Requirements & Penalties of the Health Breach Notification Rule for Apps

Commissioner Rohit Chopra stated that the FTC and the public have been alerted to a breach only four times since February 2010. The Rule requires providers, “personal health record suppliers,” and PHR-related businesses to notify affected persons and the FTC within 60 calendar days of discovering a breach of security.

Under the FTC Act, a violation is considered an unfair and misleading act or practice, subject to civil penalties of up to $43,792 per violation per day. However, as of the date of its policy statement, the FTC had not yet enforced the Rule.

Scope of the Health Breach Notification Rule for Apps

Among the FTC commissioners, there is disagreement over the Health Breach Notification Rule’s scope. In her dissenting statement, Commissioner Christine Wilson wrote that “the Rule was narrowly crafted to apply in limited, highly specific circumstances, and that its scope may depend on whether the personal health records at issue interact with personal health records held by a different vendor.”

Similarly, in a dissenting comment, Commissioner Noah Joshua Phillips stated that the FTC majority’s interpretation of “breach of security” to encompass unlicensed sharing goes beyond the text of the Rule. The FTC’s original policy statement, On Breaches by Health Apps and Other Connected Devices, is available from the FTC.
