From step-counting fitness bands and sleep-grading watches to reproductive-tracking mobile applications, the Internet of Things has empowered consumers with an incredible variety of tools that allow them greater involvement as patients and insights into their own health and fitness. According to Market.us, the wearable medical device market grew to an estimated $30.1 billion in 2022 (and this projection did not include mobile applications that also collect their users’ health data). In addition to wearable health devices and apps, the COVID-19 pandemic forced many traditional health care interactions into the digital space, a trend that has shown no signs of reversing post-pandemic.
The results of these trends: Americans are creating massive amounts of health-related data outside traditional professional medical interactions. As exciting as this new market growth has been, health care data holders are still swimming in murky waters when it comes to their privacy obligations. The disconnection between and overlap of information that is protected by state privacy law and information protected under the Health Insurance Portability and Accountability Act (HIPAA) not to mention information protected by some other privacy regime have created a precarious landscape proving difficult to navigate. Storm clouds are gathering for stewards of health care data that operate both inside and outside HIPAA, and providers will need to adjust quickly if they want to remain on safe ground.
The collection of consumer health data – that is, data that does not constitute Protected Health Information (PHI) under HIPAA – can create significant confusion for both consumers and providers. For starters, many consumers assume that the nature of their data, i.e., that it relates to their physical or mental health, means that it is protected under federal privacy law. This assumption is frequently incorrect; the only protections or limitations on the use of consumer health data are likely to be found in the app’s or device’s privacy policy or terms of use. More often than not, these policies allow for downstream sharing and disclosure of consumer health data that is inconsistent with consumer expectations.
HIPAA is not the only operable federal statute, and the failure to fully identify and comply with privacy regulations relating to consumer health data can prove to be a costly mistake. The Federal Trade Commission’s (FTC) Health Breach Notification Rule (16 CFR 318) applies to breaches of “unsecured” health information and requires vendors of personal health records (including service providers) and related entities that are not covered by HIPAA to notify consumers, the FTC and, for certain breaches, prominent media outlets serving a state of jurisdiction, of a breach of unsecured personally identifiable health data.[1] The rule applies to apps, etc. that draw data from “multiple sources” that are not covered by a rule from the Department of Health and Human Services (for example, a blood sugar app that combines a glucose level and calendar data would qualify). A breach results from “unauthorized access,” and in 2001, the FTC clarified that this includes unauthorized sharing in violation of a privacy policy. A breach can result in monetary penalties of up to $43,792 per violation per day, affording the agency considerable flexibility in tailoring any potential penalty to the offender.
In February 2023, the FTC announced its first enforcement action under its Health Breach Notification Rule against GoodRx, a telehealth and prescription drug discount provider. According to the settlement, GoodRx:
- Shared personal health information with advertisers and third parties in violation of its privacy policies.
- Used personal health information to target its users with personalized health- and medication-specific advertisements,
- Misrepresented its HIPAA compliance.
- Failed to implement policies to protect personal health information.
GoodRx agreed to a no-admit/no-deny settlement, a $1.5 million civil penalty, a notification to impacted consumers and a court order that did the following:
- Prohibited the sharing of personal health data for advertising.
- Required user consent for any other sharing.
- Required the company to seek the deletion of data held by third parties.
- Required the company to limit its own retention of data and to implement a mandated privacy program.
On May 17, the FTC settled with another entity, Easy Healthcare Corporation (EHC), the developer of the fertility app Premom. EHC allegedly deceived users by doing the following:
- Sharing their sensitive personal information with third parties when its privacy policies promised that it would not share health information without users’ consent.
- Disclosing users’ sensitive health data to third parties when its privacy policy stated that any data it did collect was non-identifiable and used only for its own analytics or advertising.
- Failing to take reasonable measures to address the privacy and data security risks created by its use of third-party tracking tools.
- Failing to notify consumers of these unauthorized disclosures in violation of the Health Breach Notification Rule
The company agreed to pay a $100,000 civil penalty, provide a notification to impacted consumers and obey a court order similar to the one given above for the GoodRx settlement.
On May 18, the FTC proposed further amendments to the Health Breach Notification Rule that would do the following:
- Revise several definitions to clarify how the rule applies to health applications and similar technologies that are not covered by HIPAA.
- Codify the agency’s interpretation that a breach includes an unauthorized disclosure.
- Clarify the scope of the entities covered by the rule.
- Clarify what it means for a personal health record to draw information from multiple sources.
- Expanding the ability to provide electronic notice of a breach to consumers (and provide additional requirements regarding such notices)
The FTC’s comment period will run for 60 days from the publication of the new rule in the Federal Register.
[1] HIPAA-covered entities and their “business associates” must instead comply with the Department of Health and Human Services’ breach notification rule.
About the Author
Peter Bogdasarian is a partner and serves as Chief Privacy Officer for the firm. He counsels clients on data privacy and cyber security-related issues. Peter also provides advice to clients in connection with inquiries, investigations, and enforcement actions initiated by government agencies and self-regulatory organizations as well as general litigation matters.
pbogdasarian@stradley.com
202.419.8405