Ho Ho Ho - TBHI Holiday Special 40% off USE CODE

"Holiday21"

app security and app privacyThe Federal Trade Commission (FTC) has accepted app security and app privacy policy statement addressing the use of health applications and connected devices by providers, manufacturers, and other services that collect or use consumers’ personal health information. Their ruling represents a broad interpretation of the Health Breach Notification Rule. It includes safeguards and far-reaching sanctions for involved parties who violate security, privacy, and breach notification mandates. The FTC stated in a press release that the rising usage of COVID-19-related health applications influenced its broad policy statement.

Involved Parties and Devices 

Casting an extensive net, the ruling for app security and app privacy applies to health care providers and manufacturers. The FTC ruling also applies to those who sell personal health records (PHR), PHR-related businesses, and third-party service providers involved in health care applications and related devices.

Concerning types of devices, the FTC’s current interpretation of the health breach notification rule covers prominent mobile health, fitness applications, and wearables on the market. The health breach notification rule applies to “any application that collects information directly from consumers and has the technical capacity to pull information through an application programming interface (API) that permits synchronization with a consumer’s fitness tracker.” 

According to the FTC, “an app that takes data from numerous sources is protected, even if the health app originates from only one source.” For example, the app security new ruling would apply to an app that tracks blood sugar and gathers non-health information from a consumer’s phone calendar (i.e., dates). The FTC targeted apps and other technologies that monitor diseases, diagnosis, treatment, drugs, fitness, fertility, sleep, mental health, food, and other areas. 

Requirements & Penalties of the Health Breach Notification Rule for Apps

Commissioner Rohit Chopra stated that the FTC and the public have only been alerted four times of the breach since February 2010. The Rule requires providers, “personal health record suppliers,” and PHR-related businesses to notify concerned persons and the FTC within 60 calendar days of discovering a breach of security.

Under the FTC Conduct, a violation is considered an unfair and misleading act or practice, subject to civil penalties of up to $43,792 per violation per day. However, the FTC had not implemented the Rule since the date of the FTC’s policy statement.

Scope of the Health Breach Notification Rule for Apps

Among the FTC commissioners, there is disagreement over the Health Breach Notification Rule’s scope. In her dissenting statement, Commissioner Christine Wilson wrote that “the Rule was narrowly crafted to apply in limited, highly specific circumstances, and that its scope may depend on whether the personal health records at issue interact with personal health records held by a different vendor.”

Similarly, in a dissenting comment, Commissioner Noah Joshua Phillips stated that the FTC’s majority interpretation of “breach of security” to encompass unlicensed sharing goes beyond the text of the Rule. The original FTC’s policy statement is available here: On Breaches by Health Apps and Other Connected Devices

See TBHI’s previous articles about healthcare data breaches.

Do You Have Comments?

Are you one of the named parties to whom this ruling applies? How will you change your current use of apps to comply with this ruling?

Cyber Security

Would TBHI Telehealth Training Help You?

Cybersecurity

Must-know information about how to protect your telehealth practice from a ransomware attack. Operate w/ EYES WIDE OPEN.