FTC warns health apps to comply with health data breach rules


According to a recent policy statement from the Federal Trade Commission (FTC), health apps and connected devices that collect or use your patients’ health information must comply with federal rules that require a company to notify consumers and others in the event of a health data breach.

The AMA applauds the FTC’s guidance that health app developers must comply with the health breach notification rule. It further empowers data holders by penalizing those who share information without the user’s permission, which, in addition to constituting a security breach, could expose the user to discrimination and profiling on the basis of their health data.

Last year, the AMA responded to the FTC’s request for comment on the rule, urging the commission to expand the “coverage of the health breach notification rule to specifically include direct-to-consumer technologies and services,” such as mobile health apps, virtual assistants and platform health tools, and to increase enforcement efforts.

In its statement (PDF), the FTC acknowledges that since its original rule was issued more than a decade ago, there has been an explosion of health apps and connected devices, and that the statement serves to remind those entities of their continuing obligation to comply with the rule.

The statement clarifies how the rule applies to providers of personal health records containing individually identifiable health information created or received by healthcare providers. Healthcare providers are defined to include a developer of a health application or of a connected device, because such a developer “provid[es]” healthcare services or supplies.

The rule is triggered when these entities experience a “security breach,” for example, when a health app leaks sensitive health information without users’ permission. This includes cybersecurity intrusions, malicious behavior and unauthorized access incidents. Those who violate the rule can be fined $43,792 per violation per day. Companies must also notify consumers about the breach and, in some cases, the media.

The FTC’s statement says apps will be covered by the rule if they are able to pull information from multiple sources, such as consumer input and application programming interfaces (APIs).

For example, according to the statement, an app falls under the health breach notification rule if it “collects information directly from consumers and has the technical ability to extract information through an API that enables synchronization with tracking of a consumer’s physical condition.” It’s important to note that an app that pulls information from multiple sources is covered even if the health information comes from only one of those sources. One example is a blood sugar monitoring app that collects patient-entered blood sugar levels and also pulls non-medical information, such as dates, from the phone’s calendar.

FTC officials noted that the rule ensures that entities not covered by the Health Insurance Portability and Accountability Act (HIPAA) are still held accountable.

“While this rule imposes some liability on technology companies that misuse our personal information, a more fundamental issue is the commodification of sensitive health information, where companies may use this data to power behavioral advertising or user analytics,” said FTC Chairwoman Lina M. Khan. “Given the growing prevalence of surveillance-based advertising, the commission should first consider what data is collected and whether particular types of business models create incentives that necessarily put users at risk.”

The AMA has worked for years to ensure that when patient health information is shared, especially outside the healthcare system, patients have meaningful controls over how their data are used and with whom they are shared, and that the data remain private.

The AMA has created a set of Privacy Principles (PDF), derived primarily from House of Delegates policy, which call on third parties who access an individual’s data to act as responsible custodians of the information, just as physicians promise to maintain patient confidentiality. The principles state that individuals should have rights and protections against discrimination and that the responsibility for privacy should rest with data holders beyond just HIPAA-covered entities. They also call for “rigorous enforcement of sanctions” in the event of violations.
