- The U.S. Federal Trade Commission issued a policy brief Wednesday clarifying when healthcare apps would be subject to the Health Breach Notification Rule that requires entities not covered by HIPAA to notify consumers if private health information is compromised.
- The FTC said that developers of health apps and connected devices are considered healthcare providers, and if they disclose sensitive information without authorization that would be considered a breach.
- The agency also noted that a breach must be reported regardless of whether it was the result of malicious action. Any unauthorized access, including sharing information without consent, would trigger the rule.
The FTC said apps are subject to the breach notification rule if they are capable of drawing health records from multiple sources. For example, if an app takes information that a user inputs along with data retrieved through an API from the fitness tracker or calendar on that person's phone, it would count.
Many apps available now have that capability, and more are coming on the market frequently. The FTC said the rule "was issued more than a decade ago, but the explosion in health apps and connected devices makes its requirements with respect to them more important than ever."
Healthcare data breaches have been a serious issue for many years now. So far this year, more than 400 breaches have been reported to HHS by entities that are covered by HIPAA.
That problem has been exacerbated by the COVID-19 pandemic as providers quickly built out telemedicine platforms. The number of breaches increased by 36% from the first half of last year to the second half, according to CI security.
The device side has also raised increasing alarm about cybersecurity attacks and breaches. Legacy medical devices still in use at hospitals — without the latest security measures — are particularly troublesome.
FTC warned it is prepared to bring actions to enforce the rule. "As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this Rule is more important than ever," according to the brief. "Firms offering these services should take appropriate care to secure and protect consumer data."