On September 15, 2021, the Federal Trade Commission (“FTC”) issued a policy statement affirming the applicability of its Health Breach Notification Rule (the “Rule”), 16 CFR Part 318, to health apps and connected devices that are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”) but are capable of drawing information from multiple sources.

The Rule, originally promulgated by the FTC over a decade ago, requires vendors of personal health records and related entities to notify individuals, the FTC, and, in certain cases, the media if unsecured identifiable health information is disclosed without the individual’s authorization. The Rule also imposes notification requirements on third party service providers of such vendors and related entities. However, the Rule does not apply to HIPAA covered entities or business associates, which are instead subject to the U.S. Department of Health and Human Services’ breach notification rule.

The policy statement explains that the Rule covers personal health records containing individually identifiable health information created or received by health care providers. A developer of a health app or connected device is a “health care provider” under the Rule because the developer furnishes health care services or supplies. The policy statement clarifies that the FTC considers apps to be covered by the Rule if they are capable of drawing information from multiple sources, such as through a combination of consumer inputs and application programming interfaces (“APIs”).

The policy statement provides the following illustrative examples of apps covered by the Rule:

  • An app that collects information directly from consumers and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker.
  • An app that draws information from multiple sources, even if the health information comes from only one source—such as a blood sugar monitoring app that draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from the calendar on the consumer’s phone).

Despite the Rule taking effect over a decade ago, the FTC has never initiated an enforcement action under the Rule. However, this guidance serves as a reminder of the FTC’s increased focus on privacy protections for sensitive health information given the rapid proliferation of connected health apps and similar technologies. In a supporting statement, FTC Chair Lina Khan noted that although “this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics.” Additionally, earlier this year, the FTC announced a settlement with a period and fertility-tracking app developer over allegations that the app shared users’ health information with third-party analytics providers despite promising that such data would be kept private. Although the FTC did not cite the Rule and focused instead on false statements made by the company about its privacy policies, two FTC commissioners argued that the company’s conduct did in fact violate the Rule.

Violations of the Rule carry civil penalties of up to $43,792 per violation per day. Companies in the health app space should review their internal policies and procedures to make sure they have systems in place that would allow them to identify breaches that occur and send out required notifications in a timely manner.