Federal Trade Commission tightens grip on health app privacy

WASHINGTON, UNITED STATES — The Federal Trade Commission (FTC) has finalized changes to its Health Breach Notification Rule (HBNR).
In a move to reinforce data privacy protections, the revised rule underscores its applicability to health apps, requiring them to notify individuals, the FTC, and potentially the media in case of a breach involving unsecured personally identifiable health information.
The FTC’s definition of such data encompasses traditional medical records, fitness tracker data, and even health information inferred from other sources.
Safeguarding patient privacy
While the original rule dates back to 2009, the FTC had previously refrained from actively enforcing violations. However, the proliferation of health apps and direct-to-consumer health technologies prompted the agency to take a firmer stance.
“Today’s issuance of the Final Rule codifies this approach, honoring the statutory directive that people must be notified when their health records are breached,” stated FTC Chair Lina Khan, Commissioner Rebecca Kelly Slaughter, and Commissioner Alvaro M. Bedo, in a joint statement.
The move follows the FTC’s recent settlement with the fertility app Premom, which allegedly shared users’ sensitive data with third parties without proper disclosure or consent.
Key changes in the final rule
Below are the key changes in the FTC’s updated HBNR.
- Consumers are required to receive more detailed breach notifications, such as identifying third parties that acquired data and describing the types of health information involved.
- Mandating notifications be “clear and conspicuous” with guidance on using plain language, avoiding legalese, and leveraging visuals like bullet points.
- Expediting notification timelines, with breaches affecting 500+ people requiring simultaneous notice to the FTC and consumers within 60 days.
The updates follow recent FTC enforcement actions against companies like GoodRx, Flo, and BetterHelp for mishandling consumer health data.
“We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection.
“When this information is breached, it is more vital than ever that mobile health app developers and others covered by the Health Breach Notification Rule provide consumers and the FTC with timely notice about what happened.”