Health apps that collect private information from consumers and various medical devices are used by companies in the personalized nutrition space to customize their product offerings and diet advice for consumers.
For many years consumers’ medical information has been protected by the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Among other things, the law stipulates how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft. Signing a HIPAA disclosure form has become a standard part of a doctor’s office visit.
Applicability of law that came out of spending bill
Now FTC has said that companies that collect data in the personalized nutrition context must comply with the Health Breach Notification Rule. That requires companies to notify consumers and others when their health data is breached.
Health apps and devices, now used to track everything from glucose levels for those with diabetes to heart health to fertility to sleep, increasingly collect sensitive and personal data from consumers.
FTC noted in a policy statement that the rule came about as part of the American Recovery and Reinvestment Act of 2009. That act included specific provisions to strengthen privacy and security protections for web-based businesses.
In a policy statement released last week the Commission acknowledged that the rule has not been enforced up to now. In 2016 FTC did issue a guidance document for companies using mobile apps on how to comply with the rule.
The recent policy statement says changes in the marketplace make it more important than ever that companies comply with the requirement.
“The Rule was issued more than a decade ago, but the explosion in health apps and connected devices makes its requirements with respect to them more important than ever. . . . Yet the FTC has never enforced the Rule, and many appear to misunderstand its requirements,” the policy statement said.
Data used to drive web analytics
“While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” said FTC Chair Lina M. Khan. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”
FTC notes that apps and connected devices such as wearable fitness tracking devices that collect consumers’ health information are covered by the Health Breach Notification Rule if they can draw data from multiple sources. Companies that fail to comply with the rule could be subject to monetary penalties of up to $43,792 per violation per day.
The Commission voted 3-2 on a party line basis to adopt the new policy statement, with the two commissioners appointed by former Pres. Donald Trump dissenting.