FTC warns health apps must notify users about data breaches or face fines

The Federal Trade Commission (FTC) has warned that apps and connected devices that collect personal health information, such as glucose levels or fertility data, are required to notify consumers if their data are breached or shared with third parties without their permission.

Health apps and devices that collect that kind of information fall under the Health Breach Notification Rule, the FTC said in a new policy statement issued this week. 

In a 3-2 vote Wednesday, the FTC agreed on a policy statement that clarifies a rule issued in 2009 that requires vendors of personal health records to notify consumers, the FTC and, in some cases, the media when those data are disclosed or acquired without the consumers’ authorization.

The commission noted that health apps, which can track everything from glucose levels for those with diabetes to heart health to fertility to sleep, increasingly collect sensitive and personal data from consumers. And, there are still too few privacy protections for these apps, the FTC said.


The rule ensures that entities not covered by the Health Insurance Portability and Accountability Act (HIPAA) face accountability when consumers’ sensitive health information is breached, according to the FTC.

"As we have seen, however, digital apps are routinely caught playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches. Given the rising prevalence of these practices, it is critical that the FTC use its full set of tools to protect Americans," said FTC Chair Lina Khan in a statement.

If companies don’t comply with the rule, the FTC said it can enforce fines of $43,792 per violation per day.

The Health Breach Notification Rule imposes "some measure of accountability" on tech firms that abuse consumers' personal information, Khan said.

But, Khan said, a more fundamental problem is the commodification of sensitive health information, where companies can use these data to feed behavioral ads or power user analytics.

“Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk," Khan said.


The FTC clarified that the Health Breach Notification Rule applies to apps and connected devices such as fitness tracking wearables that collect consumers’ health information even if those apps are not covered by HIPAA.

For example, a health app would be covered under the FTC’s rule if it collects health information from a consumer and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker.

Khan clarified that apps that are not capable of drawing data from multiple sources are not covered by the FTC rule.

The College of Healthcare Information Management Executives (CHIME) applauded the FTC's move to hold non-HIPAA-covered third parties responsible for the disclosure of personal health information. The policy statement not only holds bad actors and insecure vendors accountable, it also creates a disincentive that urges all personal health record companies to strengthen their data security practices, CHIME officials said.

The FTC policy statement comes as recent regulatory moves at the federal level, namely the Office of the National Coordinator for Health IT's information blocking rule, open up health data to make the information more accessible to patients.

CHIME had advocated directly for the expansion of the personal health record definition and for the utilization of the FTC enforcement authority in comments to the agency last year, according to CHIME policy steering committee co-chair Scott MacLean.

“Patient data safety is crucial for maintaining trust in the patient-provider relationship, and ensuring that patients’ data remains safe even when they are outside of the four walls of the hospital only helps strengthen that bond," MacLean said in a statement.

But some stakeholders say the FTC policy doesn't go far enough to protect consumer health data, and congressional action is needed.

“Today’s FTC action seeks to address consumer privacy expectations when it comes to the use of their most personal data, but the Commission’s ability to address privacy harms would be stronger if Congress enacted a comprehensive federal privacy law," said Morgan Reed, president of The App Association, in a statement.

"If the FTC intends to enforce a breach notification requirement to address such harms, it is an example of the Commission working with the limited tools at its disposal and is hopefully an interim measure until Congress provides authorities for the FTC that are better suited to tackling privacy issues," he said.

The FTC rule does not apply only to cybersecurity intrusions or other nefarious behavior; incidents of unauthorized access or disclosure, such as sharing covered health information with a third party without the consumer's authorization, also trigger notification obligations, Khan said.

Since February 2010, when the rule took full effect and began requiring notification of unauthorized disclosures of covered information, the FTC and the public have been notified of breaches only four times, according to Commissioner Rohit Chopra.

In January, menstrual cycle tracking app Flo settled with the FTC over allegations that it lied to users about sharing private health information with third-party firms including Facebook and Google.

As part of the settlement with the FTC, Flo Health must notify affected users about the disclosure of their health information and instruct any third party that received users’ health information to destroy those data.