In a move to strengthen consumer protection and enhance transparency, the Federal Trade Commission (FTC) has finalized revisions to its Health Breach Notification Rule (HBNR), targeting digital health applications that handle sensitive personal health information. These changes are designed to address the unique challenges posed by digital health technologies that fall outside the Health Insurance Portability and Accountability Act (HIPAA). Under the revised rule, not only are health apps required to report breaches involving unsecured personal health data to affected individuals, the FTC, and sometimes the media, but they must also ensure that third-party service providers notify them of any breaches. This expanded reach now includes a wide range of data, from traditional health information such as diagnoses and treatments to data harvested from fitness trackers and inferred health details derived from user behaviors like location tracking and health-related purchases.
The motivation for these regulatory updates stems from the surge in the use of health apps and wearables in recent years, particularly during the COVID-19 pandemic. The FTC’s intensified focus is a response to ongoing concerns about the expansive use of consumer health data by these applications, often for marketing and other purposes that extend beyond what users know of or have consented to. This revised rule aims to clamp down on unauthorized data disclosures by mandating strict reporting requirements and clarifying the types of data considered personally identifiable health information. The FTC’s approach includes defining emergent health data to cover any information from which an individual’s health status could potentially be inferred, ensuring that companies recognize their obligations to protect this sensitive information.
Recent FTC enforcement actions illustrate the agency’s commitment to leveraging the HBNR to hold companies accountable. Noteworthy cases include the settlements with GoodRx and Easy Healthcare’s fertility app Premom, where both companies faced penalties for failing to safeguard consumer health data. GoodRx’s $1.5 million settlement for sharing personal health information with advertisers like Facebook and Google marked an important step in the FTC’s enforcement of privacy violations under the HBNR. The settlement with Premom, which involved deceptive practices concerning data sharing with third-party advertisers, shows the FTC’s commitment to monitoring digital health platforms. These actions highlight the FTC’s readiness to use its regulatory power to ensure compliance and protect consumer privacy in the digital health sector.
Despite these positive steps, the revised HBNR has not been without contention. The FTC commissioners approved the rule changes by a 3-2 vote, reflecting a partisan divide on the issue. Commissioners opposing the rule argued that it could impose unrealistic compliance burdens on companies, potentially leading to non-compliance and legal challenges that might compromise the FTC’s authority and effectiveness. These concerns spotlight the ongoing debate over the balance between consumer data protection and the regulatory burdens placed on businesses operating in the digital health space. As the rule takes effect, the digital health industry will need to navigate these new regulations carefully, aligning its operations with the FTC’s enhanced consumer protection standards while managing the potential for increased compliance costs and legal challenges.