The Federal Trade Commission (FTC) has adopted an app security and app privacy policy statement addressing the use of health applications and connected devices by providers, manufacturers, and other services that collect or use consumers’ personal health information. The policy statement represents a broad interpretation of the Health Breach Notification Rule. It includes safeguards and far-reaching sanctions for involved parties who violate security, privacy, and breach notification mandates. The FTC stated in a press release that the rising usage of COVID-19-related health applications influenced its broad policy statement.
Involved Parties and Devices
Casting an extensive net, the ruling on app security and app privacy applies to health care providers and manufacturers. It also applies to those who sell personal health records (PHR), PHR-related businesses, and third-party service providers involved in health care applications and related devices.
As for the types of devices covered, the FTC’s current interpretation of the Health Breach Notification Rule extends to the prominent mobile health and fitness applications and wearables on the market. The Rule applies to “any application that collects information directly from consumers and has the technical capacity to pull information through an application programming interface (API) that permits synchronization with a consumer’s fitness tracker.”
According to the FTC, “an app that takes data from numerous sources is protected, even if the health app originates from only one source.” For example, the new ruling would apply to an app that tracks blood sugar and also gathers non-health information from a consumer’s phone calendar (i.e., dates). The FTC targeted apps and other technologies that monitor diseases, diagnosis, treatment, drugs, fitness, fertility, sleep, mental health, food, and other areas.
Requirements & Penalties of the Health Breach Notification Rule for Apps
Commissioner Rohit Chopra stated that the FTC and the public have been notified of a breach only four times since February 2010. The Rule requires providers, “personal health record suppliers,” and PHR-related businesses to notify affected persons and the FTC within 60 calendar days of discovering a breach of security.
Under the FTC Act, a violation is considered an unfair and misleading act or practice, subject to civil penalties of up to $43,792 per violation per day. However, as of the date of the FTC’s policy statement, the FTC had not yet enforced the Rule.
Scope of the Health Breach Notification Rule for Apps
Among the FTC commissioners, there is disagreement over the Health Breach Notification Rule’s scope. In her dissenting statement, Commissioner Christine Wilson wrote that “the Rule was narrowly crafted to apply in limited, highly specific circumstances, and that its scope may depend on whether the personal health records at issue interact with personal health records held by a different vendor.”
Similarly, in a dissenting statement, Commissioner Noah Joshua Phillips stated that the majority’s interpretation of “breach of security” to encompass unlicensed sharing goes beyond the text of the Rule. The FTC’s original policy statement is available here: On Breaches by Health Apps and Other Connected Devices.