The HIPAA Breach Notification Rule requires HIPAA-regulated entities to report data breaches and issue notifications to affected individuals, but in the event of a data breach impacting a health app or wearable device, the HIPAA Breach Notification Rule would generally not apply. Health app developers and wearable device companies do still have to issue notifications when individually identifiable health data is breached, as they are required to comply with the Federal Trade Commission (FTC) Health Breach Notification Rule.
The Health Breach Notification Rule applies to vendors of personal health records (PHRs) and to PHR-related entities. Last week, the FTC issued a Policy Statement confirming that health apps and wearable devices are covered by the Health Breach Notification Rule. The FTC not only made it clear that breach notifications are required, but said it will be actively enforcing compliance and that financial penalties will be imposed for Health Breach Notification Rule violations. The penalties for violations can be as high as $43,792 for each day that notifications are not issued.
The use of health apps has increased considerably in recent years. Health apps can collect a wide range of personally identifiable data, including extensive health data through paired wearable devices such as glucose monitors. It is important for consumers to be notified about data breaches to allow them to take steps to protect themselves from misuse of their data.
“As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this Rule is more important than ever,” said the FTC in the policy statement.
The FTC Rule applies to health apps and devices that collect health information from a consumer and that have the functionality to draw information from multiple sources. That includes via APIs that allow syncing with devices such as fitness trackers or glucose monitors.
The Policy Statement makes it clear that breach notifications are required in the event of a cyberattack that exposes users’ data, but not all data breaches are caused by hackers. Health app developers and wearable device manufacturers also need to make sure that individually identifiable health data are only disclosed to entities that users of those apps and devices have authorized to receive the data. If a user of an app or wearable device has not provided consent to share data with a third party, acquisition of that information by the third party would also constitute a data breach and would require notifications to be issued.
Now that the Policy Statement has made it clear that the FTC Health Breach Notification Rule applies to health apps and wearable devices, developers and manufacturers need to ensure they have the policies and procedures in place to allow notifications to be issued within 60 days of the discovery of a data breach. They should also review their data sharing practices and ensure that their privacy policies and authorizations clearly state to whom personally identifiable health data may be disclosed.