New FTC Rule Requires Digital Health Companies To Notify Users of Data Breaches

April 30, 2024


Craig Wilson, JD, MPA
Director, Health Policy


ACHI Communications


Digital health companies such as BetterHelp and Calmerry will be subject to more scrutiny regarding the use of personal health information under a final rule issued by the Federal Trade Commission (FTC) on Friday, April 26.

Following multiple enforcement actions, the FTC revised its Health Breach Notification Rule so that digital health apps and trackers face penalties if they fail to notify users when their personal health information is disclosed without their consent.

The rule’s definition of personally identifiable health data includes traditional health information such as diagnoses as well as emergent health data such as location information and healthcare-related purchases. The rule also adds a broad definition of healthcare services, sending a strong signal to companies that might not have previously considered themselves to be providing healthcare services — such as wellness apps that passively track data for users — that the FTC’s enforcement oversight applies to them.

Although most digital health companies offer privacy protections in the terms and conditions for use of their product, many are not subject to privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA). This is because they are not “covered entities” under HIPAA since they do not submit electronic claims for insurance billing purposes like most traditional healthcare providers.

An appendix to the rule provides examples of messages that companies can send to notify individuals of security breaches or improper disclosures under the rule. The rule becomes effective 60 days from the date of its publication in the Federal Register.
