Digital health companies could be subject to large fines if they fail to disclose breaches to users, the Federal Trade Commission warned in a recent policy statement. And yes, the agency clarified: this applies to apps and wearables that are not covered by the Health Insurance Portability and Accountability Act (HIPAA).
As health apps have proliferated over the last decade, many of them haven’t been subject to HIPAA, including wearables, fertility-tracking apps and mental health apps with meditations or exercises. But they still have to be transparent with users about how their information might be used, and notify them promptly in the event of a breach.
If they don’t, companies must pay a steep penalty of $43,792 per violation per day, which could add up quickly for a health app with a lot of users.
What’s more, the costs could extend far beyond the initial penalty, said Patricia Carreiro, a cybersecurity and privacy litigator with Carlton Fields. For example, companies would face remediation costs and audits, and could also face private class action lawsuits if a breach hadn’t been disclosed, she said.
“The companies that were doing it right probably don’t make much of this FTC guidance. But for those that have been playing it a little looser, perhaps… the FTC is clarifying and saying, ‘no, this is what we mean by this,’” she said.
To avoid legal trouble, digital health companies should make sure they have good cybersecurity practices in place, have procedures in place to detect and respond to breaches, and be truthful in notices to users if their information was unknowingly shared or stolen.
Most companies should already be doing this, Carreiro said, but for those that aren’t, it sends a clear message.
“Don’t think that because HIPAA may not apply to you that you don’t have to protect someone’s health information,” she said.
The FTC’s Health Breach Notification rule has been in place for about a decade, but the FTC hadn’t previously enforced it against health apps. Last Wednesday, the commission voted 3-2 to clarify that the rule also applies to health apps, wearables and other connected devices.
The vote was split along party lines, with the two Republican commissioners opposing the policy statement, saying it expanded the breach notification rule beyond its intended scope.
FTC Chair Lina Khan wrote in attached commentary that the commission would enforce the rule “with vigor,” noting that it “should not hesitate to seek significant penalties against developers of health apps and other technologies that ignore its requirements.”
At the same time, she acknowledged that privacy protections need to extend beyond this rule, as health information is increasingly commodified and used to power ads and analytics.
“Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk,” she wrote.
The decision came months after the FTC settled with period-tracking app Flo for allegedly sharing health information, such as whether a user had gotten pregnant, with third-party analytics and marketing services, despite telling users it would not share their health data.
Now, Flo has to notify users of the settlement, get an independent review of its privacy practices, and try to have the health data it shared with third parties deleted.
Commissioner Rebecca Kelly Slaughter had opposed the settlement, saying that the FTC should have also charged Flo with violating the Health Breach Notification rule. In her commentary on Wednesday, she said she was happy to see the majority of commissioners agree that the rule should apply to digital health companies.
“If you are offering digital health services, the FTC will hold you accountable for accurate, evidence-based claims and fully compliant data privacy practices,” she wrote.
Photo credit: David Tran, Getty Images