FTC steps up scrutiny of digital health apps with proposed changes to data privacy rule

The Federal Trade Commission (FTC) is tightening the reins on digital health apps sharing consumers' sensitive medical data with tech companies.

On Thursday, the agency issued proposed changes to its Health Breach Notification Rule to underscore the rule’s applicability to health apps, in a bid to protect consumers' data privacy and provide more transparency about how companies collect their health information.

The move comes as the FTC has stepped up its role in regulating digital health.

The proposed rule makes it clear that health-related apps and trackers will face enforcement action and potential penalties if they do not alert consumers when their health data are disclosed without their permission.

The FTC's Health Breach Notification Rule dates back to 2009 and stipulates a covered entity must disclose leaks of unsecured data to consumers. But up until very recently, the agency didn't use its authority to penalize violations.

Since the rule’s issuance, health apps and other direct-to-consumer health technologies, such as fitness trackers, have become commonplace, the FTC said in a statement.

The proposed changes, issued after a 3-0 commission vote Thursday, come as business practices and technological developments increase both the amount of health data collected from consumers and the incentive for companies to use or disclose those sensitive data for marketing and other purposes, FTC officials said. 

“We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information. When this information is breached, it is more vital than ever that mobile health app developers and others covered by the Health Breach Notification Rule provide consumers and the FTC with timely notice about what happened,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement. “The proposed amendments to the rule will allow it to keep up with marketplace trends, and respond to developments and changes in technology.”

The rule requires vendors that manage digital health records, including health apps, that are not covered by the Health Insurance Portability and Accountability Act to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. The FTC defines personally identifiable health data to include traditional health information like diagnoses and medications as well as data collected from fitness trackers and "emergent health data" such as health information inferred from things like location data and health-related purchases, according to the proposed rule (PDF).

The public will have 60 days to comment on the FTC's proposed rule.

In September 2021, the FTC issued a policy statement affirming that health apps and connected devices that collect or use consumers’ health information including fertility, heart health, glucose levels and other health data must comply with the Health Breach Notification Rule and notify consumers in the event of a breach.

The FTC has been stepping up scrutiny into digital health companies' data-sharing practices, and two recent enforcement actions make its stance on health data privacy and security abundantly clear.

In February, the agency announced a first-of-its-kind enforcement action against telehealth and prescription drug discount provider GoodRx for allegedly violating the Health Breach Notification Rule. The FTC claims GoodRx shared users' sensitive personal health information with advertising entities without informing users.

GoodRx agreed to pay a $1.5 million civil penalty but admitted no wrongdoing.

Just this week, the FTC charged the developer of period tracking app Premom with deceiving users by sharing their sensitive health information for advertising purposes, in violation of the Health Breach Notification Rule. Easy Healthcare, Premom's developer, agreed to pay a $100,000 civil penalty.

If the proposed order is approved by a federal court, Easy Healthcare would be barred from sharing users’ protected health information with third parties for advertising purposes, required to obtain users’ consent before sharing health data for any other purpose and required to tell consumers how their personal data will be used.

The agency also fined online therapy company BetterHelp $7.8 million over allegations that it shared consumers’ health data with companies like Facebook and Snapchat for advertising purposes. And in January 2021, the FTC fined menstrual cycle tracking app Flo over allegations that it lied to users about sharing private health information with third-party firms including Facebook and Google.