Health apps have to tell their users about any data breaches or risk a hefty fine, the Federal Trade Commission clarified in a policy statement last week. The rule that requires that transparency is a decade old, but it hasn’t been enforced before. The new guidance serves as a warning to the many companies elbowing into the health app space: the FTC is taking issues around health data privacy seriously — even if it won’t be able to tackle all the privacy gaps on its own.
The FTC’s Health Breach Notification Rule covers all organizations that aren’t subject to the Health Insurance Portability and Accountability Act (HIPAA), which covers things like doctors and insurance companies. HIPAA requires those groups to disclose any time they have a data breach. The FTC rule covers any other group that deals in health information.
Health apps often haven’t had strong data privacy protections, FTC Chair Lina Khan said in a statement about the rule. Apps often have poor data protection systems, or violate their own privacy policies by sharing data with outside groups without telling users. These apps weren’t a piece of the digital health picture when the rule was first written. But since then, there’s been an explosion in health apps — tens of thousands are released each year, and downloads increased during the COVID-19 pandemic. More and more people are trusting their health information to these products. The new guidance clarifies that the Health Breach Notification Rule applies to these platforms as well, even if they didn’t think it covered them before.
The breaches that could trigger a report don’t just include hacks or attacks. These organizations would have to disclose any information shared without users’ permission. That might apply to situations like the recent privacy breach by period tracking app Flo, which was sharing data to Facebook, Google, and marketing companies without users’ knowledge. The FTC didn’t cite Flo for breaking the Health Breach Notification Rule — it focused on false statements made by the company about its privacy policies — but two FTC members argued that it should have.
The FTC’s new focus on making sure companies follow the rule could trigger internal changes at health apps, says David Simon, a research fellow at the Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School. “It’s going to force them to at least put systems in place, if they’re not already in place, to figure out when these breaches occur and then notify people,” Simon says. The rule says that groups have to report any data breaches that they should have known about, not just the ones they actually know about — so they have to have ways to monitor their data.
The penalties for breaking the rule are fairly significant: $43,792 per violation per day. “That can add up very quickly,” says Jennifer Wagner, an assistant professor of law, policy, and engineering at Pennsylvania State University. “I think they’re trying to signal that, ‘look, it’s in your best interest if you’re an app developer or a vendor of a connected platform that you pay attention to this rule, and that you have some kind of response mechanism in place.’”
The FTC’s rule will let users know when there’s a data breach, but it can’t solve all the data privacy issues around health apps. It doesn’t limit what companies are able to do with users’ data; it just says that they have to tell the users what they’re doing. “It’s a transparency kind of thing, but that has limitations,” Simon says. Some experts argue that users should have more active control over the ways apps can use and share data in the first place. The FTC doesn’t have the power to make those changes, though. “I don’t think it has the tools to do everything it would like to do,” Simon says.
The FTC’s rule is also limited to digital health products that deal with health information. Lately, though, it’s been clear that platforms not specifically designed for health can actually be used for that purpose: a Facebook support group for breast cancer survivors, for example, might not be considered a health record, but it’s collecting information that could be used to learn about members’ health, Wagner says. If there was a data breach on that platform, it wouldn’t necessarily be subject to the rule. “What the FTC can do with the terminology is somewhat limited, although they’re certainly trying to do everything they can,” she says.
Despite the limitations, the guidance also comes as the larger landscape around data protection is shifting to give people more control around their information. There’s increasing attention from Congress, states, and attorneys general on data privacy, Wagner says. Companies are paying attention to all of it, and the FTC decision is a new piece of that puzzle. “They need to think about the steps they can take that are required, and to think ahead, because this regulatory space is not going to go away,” she says.