STATEMENT OF THE COMMISSION
On Breaches by Health Apps and Other Connected Devices
September 15, 2021
“In recognition of the proliferation of apps and connected devices that capture sensitive health data, the Federal Trade Commission is providing this Policy Statement to offer guidance on the scope of the FTC’s Health Breach Notification Rule, 16 C.F.R. Part 318 (“the Rule”).
The FTC’s Health Breach Notification Rule helps to ensure that entities who are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) nevertheless face accountability when consumers’ sensitive health information is compromised. Under the Rule’s requirements, vendors of personal health records (“PHR”) and PHR-related entities must notify U.S. consumers and the FTC, and, in some cases, the media, if there has been a breach of unsecured identifiable health information, or face civil penalties for violations. The Rule also covers service providers to these entities.”
This policy statement clarifies the scope of the FTC’s 2009 Health Breach Notification Rule, which requires vendors of personal health records to notify consumers when their identifiable health data is acquired through a breach or otherwise accessed without the individual’s authorization. The statement makes explicit that the Rule reaches the health apps and connected devices developed over the past decade, such as apps that track fitness or menstrual cycles, even though their makers are not covered by HIPAA.
“As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this Rule is more important than ever,” the FTC stated. The agency intends to enforce the Rule, and entities found in violation face civil penalties of over $43,000 per day for each violation.