On September 15, 2021, the Federal Trade Commission (FTC or commission) issued a policy statement to clarify its position that the commission's Health Breach Notification Rule, 16 CFR § 318, applies to the proliferation of apps and connected devices that capture sensitive health data. The commission notes that Americans increasingly turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other such health-related functions. Radiologists and ordering physicians also make use of apps to provide clinical decision support, such as determining the appropriateness of an order of an advanced diagnostic imaging test.
The FTC views its Health Breach Notification Rule (rule) as a backstop to help ensure that entities not covered by the Health Insurance Portability and Accountability Act (HIPAA) nevertheless face accountability when consumers’ sensitive health information is compromised. The rule requires personal health record vendors and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The rule also specifies the timing, method, and content of the notification, and in the case of certain breaches involving 500 or more people requires notice to the media.
In its statement, the FTC acknowledged that it has never actually enforced the rule, and that many appear to misunderstand its requirements. The FTC wrote that this new policy statement serves to clarify the scope of the rule, and place entities on notice of their “ongoing obligation to come clean about breaches.”
The statement clarifies that the rule covers vendors of personal health records that contain individually identifiable health information created or received by health care providers, noting that the rule is triggered when such entities experience a “breach of security.” The FTC went on to clarify its view that the developer of a health app or connected device is a “health care provider” because it “furnish[es] health care services or supplies.” By way of example, the commission noted it believes that when a health app discloses sensitive health information without users’ authorization, this is a “breach of security” as described in the rule.
The commission stated that the statute requires that a “personal health record” be an electronic record that can be drawn from multiple sources. It considers apps covered by the rule if they are capable of drawing information from multiple sources, such as through a combination of consumer inputs and application programming interfaces (APIs). Additionally, an app that draws information from multiple sources is covered under the rule, according to the policy statement, even if the health information comes from only one source.
According to the FTC, one example of a covered app would be an app that collects information directly from consumers and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker. Another example would be a blood sugar monitoring app that draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from the user's phone’s calendar). In this circumstance, the app would be covered under the rule, according to the commission.
Note that many radiology-related apps, easily available through app stores, provide radiologists and patients with a myriad of options such as viewing, analyzing, editing, distributing, and archiving digital medical images. But these apps would likely not be covered by the rule unless they collected health information directly from patients.
Finally, the FTC's statement clarifies that a “breach” is not limited to “cybersecurity intrusions or nefarious behavior.” Incidents of unauthorized access, including sharing of covered information without an individual’s authorization, trigger the notification obligations of the rule.
Significantly, the FTC states that it intends to bring actions to enforce the rule consistent with the policy statement. Violations of the rule face civil monetary penalties of $43,792 per violation, per day.