FTC Warns That Health Apps Must Notify Consumers of Data Breaches

By: Margaret Young Levi

On September 15, 2021, the Federal Trade Commission (FTC) issued a Policy Statement cautioning that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule and notify consumers when their health data is breached.

The Health Breach Notification Rule (codified at 16 C.F.R. § 318) protects individually identifiable health information created or received by vendors of personal health records. The Rule requires vendors of personal health records to notify U.S. consumers, the FTC, and sometimes the media when there has been a breach of security of unsecured identifiable health information. Persons that fail to comply with the Rule may be subject to monetary penalties of up to $43,792 per violation, per day.

The Health Breach Notification Rule became effective in 2009, but the FTC has not enforced it to date. However, because health care applications continue to proliferate and to collect increasingly personal and sensitive health information, the FTC issued this Policy Statement to place health apps on notice that the Rule will be enforced going forward and to clarify that they are considered to be “vendors of personal health records” covered under the Rule. 

The FTC explains that the developer of a health app or connected device is considered a “vendor of personal health records” under the Rule if it is capable of drawing information from multiple sources, such as a combination of direct inputting by a consumer, syncing with a consumer’s fitness tracker, or even interfacing with the phone calendar. The Rule does not apply to vendors of personal health records who are already covered by HIPAA. 

In addition, the FTC reminds vendors of personal health records that a “breach of security” is not limited to cyberattacks by third parties, but includes any acquisition of identifiable health information of an individual in a personal health record without the individual’s authorization.  The FTC states that “[i]ncidents of unauthorized access, including sharing of covered information without an individual’s authorization, triggers notification obligations under the Rule.” 

If a breach occurs, then health apps should examine state data breach notification laws to determine if they apply as well. 

OCR Issues Guidance on HIPAA, COVID-19 Vaccination and the Workplace

By: Margaret Young Levi

On September 30, 2021, the Office for Civil Rights (OCR) issued welcome guidance concerning when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine—and when it does not apply.

The guidance aims to clear up misperceptions about who can ask questions about vaccination. In general, OCR reminds that HIPAA only applies to HIPAA covered entities, such as health care providers (physicians, hospitals, etc.) and health plans, and it does not apply to employers or employment records. The guidance addresses common workplace situations, provides helpful examples, and answers frequently asked questions for HIPAA covered entities, businesses, and the public.

HIPAA does not prohibit businesses, individuals, or HIPAA covered entities from asking whether their customers or clients have received a COVID-19 vaccine. HIPAA does not prohibit any person, whether an individual or a business or a HIPAA covered entity, from asking individuals whether they have received a COVID-19 vaccine. First, OCR makes it clear that HIPAA only applies to HIPAA covered entities, and it does not apply to other individuals or entities. Second, even though HIPAA regulates how and when HIPAA covered entities may use or share information about COVID-19 vaccinations, it does not limit the ability of covered entities to ask patients or visitors whether they have been vaccinated.

The guidance clarifies that HIPAA does not apply when an individual:

  • Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
  • Asks another individual, their doctor, or a service provider whether they are vaccinated.
  • Asks a company, such as a home health agency, whether its workforce members are vaccinated.

HIPAA generally prohibits a physician from telling the individual’s employer or others whether an individual has received a COVID-19 vaccine. HIPAA prohibits covered entities from using or sharing an individual’s protected health information (PHI), such as whether they have received a COVID-19 vaccine, unless the individual authorizes the disclosure or it is permitted by HIPAA.

The guidance provides some scenarios where a covered entity is permitted under HIPAA to disclose information about COVID-19 vaccination without the patient’s authorization. For example:

  • A physician may disclose information relating to an individual’s vaccination to the individual’s health insurance in order to obtain payment for administering a COVID-19 vaccine.
  • A pharmacy may disclose information relating to an individual’s vaccination status to a public health authority, such as a state or local public health department.
  • A hospital may disclose information relating to an individual’s vaccination status to the individual’s employer in order to permit the employer to evaluate the spread of COVID-19 within the workforce or to determine whether the individual has a work-related illness, if the employer needs the findings in order to comply with its obligations under the legal authorities of the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or similar state laws.

In other circumstances, HIPAA generally requires a covered entity to obtain an individual’s written authorization before disclosing information about vaccine status to, for example, a sports arena, hotel, cruise ship, or airline.

HIPAA does not prohibit an employer from requiring an employee to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties. HIPAA does not apply to employers and employment records. Consequently, HIPAA does not regulate what information employers can request from employees. Employers may require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation that they have met this requirement without violating HIPAA. Employers may also require the employee to share this information with clients and others.  However, when requiring employees to obtain vaccinations and documentation of vaccination as a condition of employment, employers should ensure that these requirements comply with other federal or state laws, such as the Americans with Disabilities Act (ADA).

HIPAA does not prohibit a HIPAA covered entity from requiring members of its workforce to disclose to their employers or other parties whether they have received a COVID-19 vaccine. HIPAA does not apply to employers—including HIPAA covered entities in their role as employers—and  employment records. Similar to other employers, HIPAA covered entities may require their employees, volunteers, contractors and other members of their workforce to be vaccinated against COVID-19 and to disclose whether they have been vaccinated to their employer, other workforce members, patients, or members of the public.

OCR also sets the record straight that HIPAA does not prohibit a covered entity from requiring or requesting each member of the workforce to:

  • Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
  • Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.
  • Wear a mask–while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
  • Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.

As noted above, other federal and state laws, such as the ADA, may limit or affect the HIPAA covered entity’s use of this information.

HIPAA does not prevent individuals from choosing to disclose whether they have received a COVID-19 vaccine. HIPAA does not apply to individuals’ disclosures about their own health information. It applies only to HIPAA covered entities. Therefore, HIPAA does not apply when an individual tells another person, such as a colleague or business owner, about their own vaccination status.

This long-overdue guidance addresses the misunderstandings about the application of HIPAA to questions about COVID-19 vaccinations by employers, businesses and others.

OCR Settlement a Message to Providers: Every Day Counts to Notify Affected Persons After a HIPAA Data Breach

The U.S. Department of Health & Human Services, Office of Civil Rights (OCR) entered into a settlement with Presence Health Network relating to its failure to provide timely notification of a breach of unsecured protected health information under the Health Insurance Portability & Accountability Act (HIPAA). OCR data breach settlements typically concern a covered entity’s failure to properly secure protected health information; this marks the first settlement involving a provider’s failure to report a data breach in a timely manner.

Under the HIPAA Breach Notification Rules, covered entities must provide notification of a breach without unreasonable delay and in no case later than 60 days following the discovery of a breach to affected individuals, and, in breaches affecting more than 500 individuals, to OCR and the media.

Presence Health is a not-for-profit health system serving 150 locations in Illinois. Presence Health first discovered that some paper copies of its surgery schedules at one location were missing on October 22, 2013, and these documents contained the protected health information of 836 individuals. The information consisted of the Continue reading

LabMD Appeals; Court Grants Temporary Stay

lab_specimensIn a recent blog post entitled “FTC Issues Final Order and Data Security Lessons in LabMD Case,” we discussed the Federal Trade Commission (“FTC”)’s Final Order in the LabMD case.  The FTC found that LabMD failed to provide reasonable and appropriate security for its customers’ personal information and that this failure caused (or was likely to cause) substantial consumer harm constituting an unfair act in violation of the law.  It  ordered LabMD to implement a number of compliance measures, including creating a comprehensive information security program, undergoing professional routine assessments of that program, providing notice to any possible affected individual and health insurance company, and setting up a toll-free hotline for any affected individual to call.  Although LabMD has closed its doors and has limited resources to comply with the FTC’s Final Order, it appealed the Final Order to the U.S. Court of Appeals for the Eleventh Circuit.  At the same time, it sought a stay from the FTC, which would halt these compliance measures pending the court’s review. The FTC denied the stay, so LabMD then asked the Eleventh Circuit to grant the stay.

On November 10, 2016, the Eleventh Circuit granted LabMD’s motion to stay enforcement of the Final Order pending appeal.  A copy of the court’s Order granting the stay is available here.  When issuing the stay, the court found that there existed a serious legal question as to Continue reading

FTC issues Final Order and data security lessons in LabMD case

After HoursOn July 29, 2016, the Federal Trade Commission (FTC) made the latest move in its battle with LabMD, Inc. (LabMD) when it reversed an initial decision by an administrative law judge (ALJ).  The FTC determined that LabMD’s data security practices constitute an unfair act or practice within the meaning of Section 5 of the Federal Trade Commission Act.  It issued an Opinion and Final Order requiring LabMD to “notify affected consumers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information in its possession, and obtain independent assessments regarding its implementation of the program.”

This fight began in 2013 when the FTC first filed a Complaint contending that LabMD failed to reasonably protect data maintained on its computer network.  Two alleged security incidents form the basis of the Complaint.  In the first incident, Tiversa, trying to solicit LabMD’s business, discovered that a June 2007 insurance aging report containing personal information was available on a peer-to-peer (P2P) file-sharing network and informed LabMD.  In the second incident, dozens of day sheets and a small number of Continue reading