FTC Emphasizes Security Standards for mHealth Apps, Devices

September 16, 2021 - The federal government is strengthening efforts to ensure than mHealth apps and connected devices protect personal health information.

The Federal Trade Commission this week issued a policy statement affirming that connected health tools that collect or use consumer health information must comply with the Health Breach Notification Rule, which sets guidelines for notifying consumers and other groups when a platform is breached and data is accessed.

The policy covers and ever-growing market of mHealth apps and devices, not all of which are covered by the Health Insurance Portability and Accountability Act (HIPAA). It ensures that mHealth tools falling outside HIPAA’s purview still face accountability for data breaches.

“While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” FTC Chair Lina M. Khan said in a press release. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”

The Health Breach Notification Rule, issued by the FTC in the wake of the American Recovery and Investment Act of 2009, requires vendors of personal health records and related entities to notify consumers when data is accessed without their approval. Notices must also be sent to the FTC and, in some cases, the media.

“The Rule was issued more than a decade ago, but the explosion in health apps and connected devices makes its requirements with respect to them more important than ever,” the new policy statement says. “The FTC has advised mobile health apps to examine their obligations under the Rule, including through the use of an interactive tool. Yet the FTC has never enforced the Rule, and many appear to misunderstand its requirements. This Policy Statement serves to clarify the scope of the Rule, and place entities on notice of their ongoing obligation to come clean about breaches.”

The FTC’s action this week addresses the sometimes murky mHealth market, where consumer-facing apps and devices may evade federal regulation. It seeks to rein in the growing numbers of products that address issues ranging from chronic disease management to health and wellness issues like sleep, fertility, nutrition and behavioral health.

“The Commission policy statement notes that apps and connected devices such as wearable fitness tracking devices that collect consumers’ health information are covered by the Health Breach Notification Rule if they can draw data from multiple sources, and are not covered by a similar rule issued by the Department of Health and Human Services,” the FTC pointed out in the press release. “For example, a health app would be covered under the FTC’s rule if it collects health information from a consumer and has the technical capacity to draw information through an API that enables synching with a consumer’s fitness tracker. Companies that fail to comply with the rule could be subject to monetary penalties of up to $43,792 per violation per day.”

The policy statement also notes that breaches aren’t limited to hacks, but also include “incidents of unauthorized access, including sharing of covered information without an individual’s authorization.”

ACT | The App Association, an organization representing more than 5,000 mHealth app developers, hailed the decision, while calling on the federal government to crack down even further on the industry.

“Today’s FTC action seeks to address consumer privacy expectations when it comes to the use of their most personal data, but the Commission’s ability to address privacy harms would be stronger if Congress enacted a comprehensive federal privacy law,” Morgan Reed, the organization’s president, said in a press release. “If the FTC intends to enforce a breach notification requirement to address such harms, it is an example of the Commission working with the limited tools at its disposal and is hopefully an interim measure until Congress provides authorities for the FTC that are better suited to tackling privacy issues. Health apps can play a positive role in the lives of Americans and are transforming our healthcare system, but not without clear communication to users on use of their data.”