Developers of health apps and connected devices such as fitness trackers that collect health information have been warned by the Federal Trade Commission (FTC) that they must comply with the FTC Health Breach Notification Rule and notify users when their data is breached.
The FTC Health Breach Notification Rule was issued in 2009 under the American Recovery and Reinvestment Act of 2009. It requires that individuals be notified when their health information is compromised. The Rule applies to vendors of personal health records (PHRs) and PHR-related entities; in a policy statement released on September 16, 2021, the FTC clarified that it also applies to health apps and other connected devices that collect or use the health data of U.S. consumers. The policy statement was approved by a 3-2 vote at an open Commission meeting on September 15, 2021.
Under the policy statement, the Rule covers health apps and wearable devices that collect health data from a user and are capable of drawing data from multiple sources, for example through an API that allows syncing with a device such as a fitness tracker. The policy statement also makes clear that a "breach" under the Rule is not limited to cybersecurity intrusions: unauthorized access to or disclosure of covered data, including sharing it without the user's authorization, likewise triggers the notification requirement. The FTC will enforce compliance and can impose financial penalties of up to $43,792 per violation per day for failing to issue the required notifications.
Health apps can collect a wide range of sensitive personal and health information, either by recording it directly from paired sensors or through data users enter manually. Health apps are growing in popularity, and their use has increased during the pandemic. Given the volume of sensitive information they hold, they are an attractive target for cybercriminals.
Because so many Americans use apps and other technologies to track illnesses, diagnoses, treatment, prescription drugs, fitness, fertility, mental health, sleep, eating habits, and other personal matters, the Rule is more important than ever.
Much of the information collected by health apps would be protected health information (PHI) if it were collected by a healthcare provider, in which case its use and disclosure would be restricted by the HIPAA Privacy Rule, it would have to be protected by the administrative, physical and technical safeguards required by the HIPAA Security Rule, and a breach would have to be reported under the HIPAA Breach Notification Rule. However, unless a health app is developed for or on behalf of a HIPAA-covered entity, making its developer a business associate, HIPAA does not apply to it. HIPAA-covered entities and their business associates are in turn outside the scope of the FTC Rule, which is aimed precisely at the apps and devices HIPAA does not reach.
Health apps generally include some privacy and security features, but these are often limited. There have been calls either to extend HIPAA to cover health app developers or to enact new legislation that sets specific privacy and security requirements for these apps.
At a minimum, the FTC policy statement should ensure that users of health apps and wearable devices are told when a data breach occurs, so they can take steps to protect their identities and guard against fraud.
Although the Rule imposes some accountability on technology companies that mishandle personal data, a more fundamental concern is the commodification of sensitive health data, which companies may use for behavioral advertising or feed into user analytics. Given the growth of surveillance-based marketing, the Commission should also scrutinize what data is being collected in the first place, and whether certain business models are built on offers that actually put users at risk.