The Federal Trade Commission never enforced an old rule governing the privacy and security of health data. Now that the agency has vowed to get tough on enforcing it against mobile health apps, some legal and privacy experts sympathetic to tech businesses say the approach is convoluted and is already causing confusion.
The FTC voted during a Sept. 15 meeting to adopt a policy statement applying the Health Breach Notification Rule to connected health apps and other technology used to monitor health, such as fitness trackers, fertility and period-tracking apps, mental health apps, and apps that help people quit smoking. The rule requires companies that have experienced a breach of health-related data to notify the FTC and the people affected. The goal is to bring the agency's enforcement of the existing rule in line with the ways people manage their physical and mental health today and with how the data reflecting their health is actually handled. No company has yet been charged by the FTC under the rule.
“The health breach notification rule needs a bit of a refresh,” said Pam Dixon, executive director of World Privacy Forum, a non-profit group that has conducted research on health data privacy and breaches.
Previous FTC guidance indicated the rule was applicable only in a narrow set of circumstances related to personal health record vendors and firms that provide services to those companies. But times have changed, and the agency is taking a more aggressive approach to interpreting the rule to meet the health tech industry where it is today — much more evolved than it was in 2009 when the FTC first offered guidance on how it would apply the rule.
“Today we are hoping to clarify that the health breach notification rule applies to connected health apps and similar technologies,” said FTC chairwoman Lina Khan during the meeting. As justification for shifting how the rule is applied, she pointed to the commodification of sensitive health information that app developers often disseminate to monetize their apps through targeted advertising and by building other products from large volumes of data. She said evolving the way in which the rule is applied to encompass modern technologies is a “logical interpretation.”
Khan put her proverbial foot down when introducing the policy shift. “The commission should not hesitate to seek significant penalties against developers of health apps and other technologies that ignore its requirements,” she said. Companies found in violation could be slapped with civil penalties of $43,792 a day per violation — the same amount established in 2009.
“We don’t voluntarily give the information away, which is what I think the FTC is really trying to manage — how these big apps make revenue and women don’t know what’s happening,” said Beckley. “Data’s very valuable [and] that’s the model for all these companies,” she added. “That kind of stuff — it’s just icky; it’s just not right.”
Confusion over data sharing as data breach
The FTC’s policy statement does not mean the agency is formally proposing that any new rules be established to protect health data. Indeed, crafting new rules at the FTC can take years to finalize.
However, Laura Riposo Vandruff, a lawyer in the privacy and advertising practice group at Kelley Drye and Warren, called the plan to apply the existing health breach notification rule to health apps a “significant expansion” of the original interpretation. “I’m not sure that the FTC has identified where the guardrails are,” said Riposo Vandruff, who until recently served as assistant director in the FTC’s Division of Privacy and Identity Protection inside its Consumer Protection Bureau. The policy statement “raises so many questions for companies that provide health and wellness and fitness services, and the statement doesn’t answer those questions about what companies can do,” she said.
For instance, the policy statement did not say whether personal information shared by health apps, such as an email or IP address, falls under the FTC’s new interpretation of the rule. “In the period tracking space, the fact that a consumer is tracking her menstrual cycle is sensitive information; is that consumer’s IP address also sensitive information?” asked Riposo Vandruff. She said it is also unclear whether companies must update their data-sharing disclosures or obtain additional consent from app users as a result of the new enforcement posture.
The two FTC commissioners who voted against the policy statement criticized it as contradicting existing guidance without proper notice to the business community. Commissioner Noah Phillips argued that the updated interpretation of the rule was “convoluted.” He wrote in a dissent, “Under it, all applications consumers use to store and process data about anything related to health — e.g., your steps, the food you eat, etc. — are ‘health care providers.’ So too would be retailers that sell health care supplies, like Neosporin and vitamins.”
Another point of contention is the very definition of a breach. In its original guidance on complying with the rule, the FTC described a health data breach and “unauthorized access” in the classic sense, for example, “if one of your employees accesses a customer’s personal health record without authorization” or there’s “a lost laptop that contains personal health records.”
Now, the FTC is shifting the definition of a breach to help rein in what it sees as deceptive or unfair data sharing without proper permission from app users. “Notably, the rule does not just apply to cybersecurity, intrusions or other nefarious behavior,” said Khan. “Incidences of unauthorized access also trigger notification obligations under the rule,” she said, alluding to “serious problems ranging from insecure transmission of user data, including geolocation, to unauthorized dissemination of data to advertisers and other third parties in violation of the app’s own privacy policies.”
But expanding the definition of a breach to cover unscrupulous data sharing raises many questions about how a company would determine when a breach of security occurs that requires notification, Phillips wrote in his dissent. “Is it when the vendor ‘discovers’ their own plan to share the data, or comes up with it in the first place, before any information is acquired? Or is it only after that information is shared? Privacy regulations often deal with first-party violations such as these by barring the sharing and penalizing it, thus preventing the violations from happening. Waiting for an ill-defined discovery to occur and then requiring only notification permits the information sharing to happen,” he wrote.
Moving beyond the pre-wearables era
The policy statement came on the heels of the FTC’s settlement in June with Flo Health, maker of the period tracker Flo. Some of the commissioners who voted for the statement had wanted the rule applied in the Flo Health case, though ultimately it was not. In that case, the regulator alleged Flo Health shared data that people submitted to its app — such as whether they were attempting to get pregnant or had premenstrual syndrome symptoms like depression — with Facebook, Google and analytics companies, without those people’s permission. “In the FTC’s action earlier this year against Flo, a fertility tracker, I made the point that the FTC must more effectively deploy the health breach notification rule against providers of digital health tools,” said FTC commissioner Rebecca Slaughter during the September meeting, when she voted in support of the new policy statement.
The FTC does not reveal the inner workings of its negotiations with companies it investigates, but disagreement over which specific types of data the rule should cover may be one reason the agency did not apply it in the Flo case. More generally, there has been some dispute over just what kinds of health data the rule reaches. “Health apps are generally not covered by HIPAA and some may mistakenly believe that they are not covered by the commission’s rules,” said Khan, referring to the Health Insurance Portability and Accountability Act, which governs the privacy and security of health information held by covered entities such as health care providers, health plans and their business associates.
When the FTC published its original guidance on enforcing the rule in 2009, it said the rule would cover “web-based businesses that collect people’s health information [that] aren’t covered by HIPAA,” including “online services people use to keep track of their health information and online applications that interact with those services.” But in 2009, mobile health apps simply weren’t common. Even health-related wearables such as Nike’s FuelBand didn’t come on the market until 2012. And discussion of digital health data tended to center on the impending digitization of personal health records driven by the 2009 HITECH Act, the same law that directed the FTC to write the breach notification rule.
“Given the fact that we’re in a pandemic and the fact that it looks like it will be ongoing for some time, and we have a preponderance of information at the individual level entering all sorts of non-HIPAA, non-public health apps, [addressing health app data] is of high importance,” said Dixon. She added, “And I do believe the FTC recognizes this.”