FTC seeks Health Breach Notification Rule clarity for apps

The Federal Trade Commission wants to make changes to the Health Breach Notification Rule to make clear the protections extend to users of digital health apps.

While the agency has considered health trackers, apps and other direct-to-consumer companies subject to the rule, proposed changes would codify that digital health companies handling medical information would be treated in many of the same ways as providers.

The current rule outlines two designations, providers along with “services or supplies” but the proposed changes flesh out what that means in greater detail. The proposal would also clarify the definition of a “breach of security” to include unauthorized acquisition of identifiable health information that occurs because of a data breach or unauthorized disclosure, the agency said in a news release.

Any unauthorized disclosure would trigger the rule, an agency spokesperson said. That includes companies sharing user data willingly without receiving proper user consent.

The proposed changes follow the FTC’s recent enforcement actions against consumer drug benefits company GoodRx and Premom, a digital women’s health company.

In February, the FTC took action against GoodRx alleging the company shared consumers’ personal health information with Facebook, Google and other third parties. The Justice Department, on behalf of the FTC, filed a complaint and GoodRx agreed to a $1.5 million fine.

Once the commission publishes the proposed changes in the Federal Register, a 60-day public comment period will begin. 

In March, the FTC fined digital mental healthcare provider BetterHelp $7.8 million for sharing the personal health information of millions of consumers with advertisers like Facebook, Snapchat, Criteo and Pinterest during a seven-year period.

The agency alleged BetterHelp provided consumers’ email addresses, IP addresses and health questionnaire information and the company uploaded lists containing more than 7 million email addresses to Facebook between 2017 and 2018. More than half of the emails were matched with Facebook user IDs, the agency alleges.

Experts said the recent enforcement actions likely serve as a warning shot to digital health companies sharing health information.