NEW ORLEANS — Recognizing the ever-increasing growth and use of mobile health apps as well as connected devices that capture individuals’ health data, the Federal Trade Commission issued a policy statement in September reminding organizations of their obligation to comply with its health breach notification rule.
The rule holds accountable those entities who are not otherwise covered by the Health Insurance Portability and Accountability Act (HIPAA), which contains its own breach notification obligations, when their customers’ unsecured health information is compromised.
Up to this point, the FTC has not typically enforced the rule relative to mobile health apps. However, given the recent increase in digital health resources and their somewhat unrestrained collection and use of consumer data, the FTC took this most recent step to enhance privacy protections for these resources when they pull health data from multiple sources. This applies to wearable fitness tracking devices and those that track diseases, treatment, fertility, sleep, mental health and diet.
For example, a mobile health app that draws health information from a combination of user inputs and application programming interfaces (APIs) is subject to the rule, as is one that gets information through a combination of both health and non-health sources (such as user input coupled with the data supplied by the user’s phone). Consequently, any time that mobile health app discloses or shares health information without user authorization, or if the app is the victim of a cybersecurity intrusion or a bad actor’s nefarious behavior, the rule’s breach notification requirements are triggered.
The rule has far-reaching consequences, including monetary penalties, not only for the companies offering fitness and health-related tracking devices to consumers, but also for many of the employers who host mobile health apps for their employees. Any companies or developers offering or providing these apps should integrate the FTC’s recommended best practices for the protection of consumer data and take the appropriate steps to secure and protect the consumer data pulled, stored, and managed through the apps.
Monica J. Manzella, CIPP/US is an attorney at law firm Baker Donelson. She assists clients with matters concerning data privacy, security, compliance, and information management. She may be reached at mmanzella@bakerdonelson.com.