HIPAA-Exempt Health Apps Face FTC Threats
One of the few parenting truths is not to threaten children with punishments unless the parents can deliver. Failure to follow through with threatened repercussions ruins discipline and makes a mockery of any perceived authority. Accordingly, the Federal Trade Commission (FTC) had better be prepared to enforce its recent “policy update” involving health-related applications/APIs.
On September 15, 2021, the FTC announced that health-related apps and internet-connected devices, even those exempt from the Health Insurance Portability and Accountability Act (“HIPAA”), that collect or use consumers’ health information must comply with the FTC’s Health Breach Notification Rule (the “Rule”). The Rule, found in 16 C.F.R. Part 318, is part of the American Recovery and Reinvestment Act of 2009 and is intended to ensure that entities not considered “covered entities” under HIPAA report data breaches to the FTC, consumers, and (sometimes) the media. Failure to adhere to the FTC’s policies may result in civil penalties of up to $43,792 per violation per day.
This policy statement comes several months after the FTC’s settlement with “Flo Health,” a fertility and ovulation tracking API, which now faces a class action lawsuit in the U.S. District Court for the Northern District of California for allegedly deceptive privacy practices. Entitled Frasco v. Flo Health Inc., No. 3:21-cv-00757-JD, the lawsuit states that Flo Health hosts over 38 million active users who share intimate details of their sexual and reproductive lives. And, according to the plaintiffs therein (a joinder of seven different proposed class actions), the app shared its users’ highly sensitive health information with third parties without user knowledge through software development kits (SDKs), which transmitted the personal information to third parties for marketing and data analytics purposes.
Although the FTC does not expressly connect the purported privacy violations in the Flo Health settlement and class action to its recent policy statement, it is clear that the FTC is focusing on “the explosion in health apps and connected devices” and the need to protect consumers. While the FTC acknowledges that it declined to enforce the Rule over the last 12 years, the policy statement seeks to “place entities on notice of their ongoing obligation to come clean about breaches.”
While normally exempt from the FTC’s jurisdiction under section 5 of the FTC Act, non-profits (e.g., educational institutions, charities, and 501(c)(3) organizations) are subject to the Rule given the FTC’s self-serving interpretation of the American Recovery and Reinvestment Act. However, given HIPAA and the HITECH Act, the FTC determined that “because health care providers such as doctors are generally HIPAA-covered entities, the FTC’s rule does not apply to them in such capacity.” When “a doctor’s medical practice offers PHRs (Private Health Records) to its patients, neither the doctor nor the medical practice is subject to the FTC’s rule.” However, “if the doctor creates a PHR in a personal capacity, there may be circumstances under which the FTC’s rule would apply.”
The Rule is triggered by a “breach of security,” defined in 16 C.F.R. § 318.2(a) as the “acquisition of unsecured PHR identifiable health information of an individual in a personal health record without the authorization of the individual.” The FTC gives examples that an unauthorized acquisition would “include the theft of a laptop containing unsecured PHRs; the unauthorized downloading or transfer of such records by an employee; and the electronic break-in and remote copying of such records by a hacker.” The FTC is further imposing a “rebuttable presumption” triggered “when there is unauthorized access to data, unauthorized acquisition will be presumed unless the entity that experienced the breach” presents “reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.”
As a carrot, the FTC states that no breach of security will be found in minor incidents of employees exceeding their access, such as “if an unauthorized employee inadvertently accesses an individual’s PHR and logs off without reading, using, or disclosing anything.” But if the unauthorized employee reads or shares the data, the data is deemed “acquired,” which triggers the notification obligation. Likewise, in the hypothetical case of a lost laptop, if the information becomes accessible to unauthorized persons, the presumption of unauthorized acquisition is invoked absent rebutting facts such as “the laptop was recovered, and that forensic analysis revealed that files were never opened, altered, transferred, or otherwise compromised.”
In short, it is time for any entity remotely engaged in healthcare to lawyer up and review existing procedures to ensure that when the inevitable “breach” occurs, sufficient evidence exists to defeat the FTC’s rebuttable presumption.