In an aggressive expansion of its security and privacy enforcement efforts, on September 15, 2021, the FTC issued what it characterized as a “Policy Statement” reinterpreting an existing rule about personal health records.
First, some background. In 2009, Congress directed the FTC to create a rule requiring companies to provide notice when there is an unauthorized acquisition of certain health information not covered by HIPAA. At the time, the FTC explained that its Health Breach Notification Rule was narrow, consistent with the text of the statute, applying only to security breaches by vendors of certain health information repositories (called “personal health records” or “PHRs”) and certain companies that work with PHR vendors.
Fast forward to September 2021. The FTC’s Policy Statement declares a broad range of health, fitness, wellness, and related technologies to be covered by the Rule if they can draw information from “consumer inputs” and APIs that contain “personal health data.” This scope is markedly broader than the agency’s previously issued guidance, which reiterated the narrow application of the Rule. To further illustrate, the FTC now says that health apps, such as glucose monitors or fitness trackers, are subject to the Rule if they draw data from a device or wearable and a phone calendar. In an unprecedented, expansive application of a narrow breach notice rule to consumer privacy, presumably to address what Chair Khan characterizes as “surveillance-based advertising,” the Statement also asserts that the “sharing of covered information without an individual’s authorization” triggers breach notification obligations. The FTC issued this policy statement even as the Commission was in the midst of seeking public comment on the rule as part of its periodic rule review process.
Companies violating the Rule face civil penalties of $43,792 per violation.
Commissioners Wilson and Phillips issued strong dissents, taking the Commission majority to task for abandoning prior business guidance and ignoring the Administrative Procedure Act’s notice and comment requirements. FTC Chair Khan, in turn, lamented the fact that the Commission had not brought an enforcement action under the Rule, cautioning that “the Commission should not hesitate to seek substantial penalties from developers of health apps and other technologies that ignore [the Rule’s] requirements.”
App developers and other businesses offering health, wellness, fitness, and related applications should consider the implications of the FTC’s Statement and assess its potential applicability to their business, even if they do not typically view themselves as covered by HIPAA or operating in an adjacent space. Indeed, the FTC’s Policy Statement underscored that its guidance was meant to sweep broadly, noting its relevance for apps and other technologies that “track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas.” Unfortunately, the Policy Statement raises more questions than it answers. For instance:
- Is all personal data collected by such technologies subject to the FTC’s new interpretation of the Health Breach Notification Rule?
- Do existing data governance policies and practices provide adequate safeguards?
- Are existing consumer disclosures and consents sufficient to mitigate risk? For instance, what level of “authorization” would be required for sharing personal data for interest-based advertising and analytics purposes?