FTC Warns That Health Apps Must Notify Consumers of Data Breaches

By: Margaret Young Levi

On September 15, 2021, the Federal Trade Commission (FTC) issued a Policy Statement cautioning that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule and notify consumers when their health data is breached.

The Health Breach Notification Rule (codified at 16 C.F.R. § 318) protects individually identifiable health information created or received by vendors of personal health records. The Rule requires vendors of personal health records to notify U.S. consumers, the FTC, and sometimes the media when there has been a breach of security of unsecured identifiable health information. Persons that fail to comply with the Rule may be subject to monetary penalties of up to $43,792 per violation, per day.

The Health Breach Notification Rule became effective in 2009, but the FTC has not enforced it to date. However, because health care applications continue to proliferate and to collect increasingly personal and sensitive health information, the FTC issued this Policy Statement to place health apps on notice that the Rule will be enforced going forward and to clarify that they are considered to be “vendors of personal health records” covered under the Rule. 

The FTC explains that the developer of a health app or connected device is considered a “vendor of personal health records” under the Rule if it is capable of drawing information from multiple sources, such as a combination of direct inputting by a consumer, syncing with a consumer’s fitness tracker, or even interfacing with the phone calendar. The Rule does not apply to vendors of personal health records who are already covered by HIPAA. 

In addition, the FTC reminds vendors of personal health records that a “breach of security” is not limited to cyberattacks by third parties, but includes any acquisition of identifiable health information of an individual in a personal health record without the individual’s authorization.  The FTC states that “[i]ncidents of unauthorized access, including sharing of covered information without an individual’s authorization, triggers notification obligations under the Rule.” 

If a breach occurs, then health apps should examine state data breach notification laws to determine if they apply as well. 

HITECH Act Amendment: Using “Recognized Security Practices” May Lead to More Favorable HHS Review and Reduced Fines After Data Breach

by Margaret Young Levi and Kathie McDonald-McClure

Congress amended the Health Information Technology for Economic and Clinical Health Act (HITECH Act) on January 5, 2021.  This Amendment requires the U.S. Department of Health and Human Services (HHS) to favorably consider whether covered entities and business associates have implemented specific security measures when making decisions regarding penalties and audits under the Health Insurance Portability and Accountability Act (HIPAA). 

Specifically, the Amendment mandates HHS to “consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place” when HHS is making decisions to (1) decrease fines, (2) decrease the length and extent of an audit or terminate an audit, and (3) mitigate other remedies with respect to resolving potential violations of the HIPAA Security Rule. 

Continue reading

OCR Settlement a Message to Providers: Every Day Counts to Notify Affected Persons After a HIPAA Data Breach

The U.S. Department of Health & Human Services, Office of Civil Rights (OCR) entered into a settlement with Presence Health Network relating to its failure to provide timely notification of a breach of unsecured protected health information under the Health Insurance Portability & Accountability Act (HIPAA). OCR data breach settlements typically concern a covered entity’s failure to properly secure protected health information; this marks the first settlement involving a provider’s failure to report a data breach in a timely manner.

Under the HIPAA Breach Notification Rules, covered entities must provide notification of a breach without unreasonable delay and in no case later than 60 days following the discovery of a breach to affected individuals, and, in breaches affecting more than 500 individuals, to OCR and the media.

Presence Health is a not-for-profit health system serving 150 locations in Illinois. Presence Health first discovered that some paper copies of its surgery schedules at one location were missing on October 22, 2013, and these documents contained the protected health information of 836 individuals. The information consisted of the Continue reading

LabMD Appeals; Court Grants Temporary Stay

lab_specimensIn a recent blog post entitled “FTC Issues Final Order and Data Security Lessons in LabMD Case,” we discussed the Federal Trade Commission (“FTC”)’s Final Order in the LabMD case.  The FTC found that LabMD failed to provide reasonable and appropriate security for its customers’ personal information and that this failure caused (or was likely to cause) substantial consumer harm constituting an unfair act in violation of the law.  It  ordered LabMD to implement a number of compliance measures, including creating a comprehensive information security program, undergoing professional routine assessments of that program, providing notice to any possible affected individual and health insurance company, and setting up a toll-free hotline for any affected individual to call.  Although LabMD has closed its doors and has limited resources to comply with the FTC’s Final Order, it appealed the Final Order to the U.S. Court of Appeals for the Eleventh Circuit.  At the same time, it sought a stay from the FTC, which would halt these compliance measures pending the court’s review. The FTC denied the stay, so LabMD then asked the Eleventh Circuit to grant the stay.

On November 10, 2016, the Eleventh Circuit granted LabMD’s motion to stay enforcement of the Final Order pending appeal.  A copy of the court’s Order granting the stay is available here.  When issuing the stay, the court found that there existed a serious legal question as to Continue reading

FTC issues Final Order and data security lessons in LabMD case

After HoursOn July 29, 2016, the Federal Trade Commission (FTC) made the latest move in its battle with LabMD, Inc. (LabMD) when it reversed an initial decision by an administrative law judge (ALJ).  The FTC determined that LabMD’s data security practices constitute an unfair act or practice within the meaning of Section 5 of the Federal Trade Commission Act.  It issued an Opinion and Final Order requiring LabMD to “notify affected consumers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information in its possession, and obtain independent assessments regarding its implementation of the program.”

This fight began in 2013 when the FTC first filed a Complaint contending that LabMD failed to reasonably protect data maintained on its computer network.  Two alleged security incidents form the basis of the Complaint.  In the first incident, Tiversa, trying to solicit LabMD’s business, discovered that a June 2007 insurance aging report containing personal information was available on a peer-to-peer (P2P) file-sharing network and informed LabMD.  In the second incident, dozens of day sheets and a small number of Continue reading