FTC finalizes changes to data privacy rule to step up scrutiny of digital health apps

The Federal Trade Commission (FTC) finalized a rule Friday that aims to tighten the reins on digital health apps sharing consumers' sensitive medical data with tech companies.

The agency issued a final version of its revised Health Breach Notification Rule to underscore the rule’s applicability to health apps in a bid to protect consumers' data privacy and provide more transparency about how companies collect their health information.

The Health Breach Notification Rule (HBNR) requires vendors that manage digital health records, including health apps, that are not covered by the Health Insurance Portability and Accountability Act to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data.

The FTC defines personally identifiable health data to include traditional health information like diagnoses and medications as well as data collected from fitness trackers and "emergent health data" such as health information inferred from things like location data and health-related purchases, according to the final rule (PDF).

It also requires third-party service providers to vendors of personal health records (PHR) and PHR-related entities to notify such vendors following the discovery of a breach.

"Protecting consumers’ sensitive health data is a high priority for the FTC,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection in a statement. “With the increasing use of health apps and connected devices, the updated HBNR will ensure it keeps pace with changes in the health marketplace.”

The FTC's Health Breach Notification Rule dates back to 2009 and stipulates a covered entity must disclose leaks of unsecured data to consumers. But up until very recently, the agency didn't use its authority to penalize violations.

Since the rule’s issuance, health apps and other direct-to-consumer health technologies, such as fitness trackers, have become commonplace, according to the FTC.

In early February 2023, the FTC and GoodRx reached a settlement resolving several claims against GoodRx under the FTC Act and the HBNR. The enforcement action was the first of its kind under the FTC’s HBNR.

The FTC alleged that GoodRx, a telehealth and prescription drug discount provider, failed to notify customers and regulators of unauthorized disclosures of consumers’ personal health information. GoodRx agreed to pay a $1.5 million civil penalty. 

"Today’s issuance of the Final Rule codifies this approach, honoring the statutory directive that people must be notified when their health records are breached," FTC Chair Lina Khan, Commissioner Rebecca Kelly Slaughter and Commissioner Alvaro M. Bedoya wrote in a joint statement (PDF).

In May, the FTC reached a settlement with the developer of the fertility app Premom over allegations it deceived users by sharing their sensitive personal information with third parties, disclosed users’ sensitive health data to AppsFlyer and Google, and failed to notify consumers of these unauthorized disclosures in violation of the Health Breach Notification Rule.

As part of the settlement, Premom’s owner, Easy Healthcare, agreed to stop sharing the data and pay a settlement fee of $200,000.

The agency also fined online therapy company BetterHelp $7.8 million over allegations that it shared consumers’ health data with companies like Facebook and Snapchat for advertising purposes. 

The finalized changes to the HBNR make it clear that health-related apps and trackers will face enforcement action and potential penalties if they do not alert consumers when their health data are disclosed without their permission.

The changes also add a definition of healthcare services or supplies to mean "any online service such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools."

The Commission voted 3-2 to approve the publication of the final rule in the Federal Register with Commissioners Melissa Holyoak and Andrew N. Ferguson voting no.

In a dissenting statement (PDF), Holyoak and Ferguson wrote that the HBNR final rule adopted by the FTC "exceeds the Commission’s statutory authority, puts companies at risk of perpetual non-compliance, and opens the Commission to legal challenge that could undermine its institutional integrity."

The final rule will go into effect 60 days after its publication in the Federal Register.