FTC Proposed Rule Would Help Protect Health Information Collected by Consumer Apps, Websites

HIMSS submitted a public comment letter Aug. 8 to the Federal Trade Commission, leveraging member expertise to give feedback on the movement to align privacy compliance requirements for health information. HIMSS supports an expansion of breach notification responsibility for applications and devices that collect identifiable health information and are not covered under HIPAA.

The FTC released the Breach Notification Proposed Rule on June 9 in response to comments collected during a 10-year review of FTC’s current Breach Notification rule in 2020.

The proposed rule responded to stakeholder feedback that with the explosion of health apps and other direct-to-consumer health technologies, such as fitness trackers, there has been an increase in both the amount of health data collected from consumers and the incentive for companies to use or disclose that sensitive data for marketing and other purposes.

The rulemaking proposes revising the definitions of “personal health records,” “personal health record identifiable health information,” and “healthcare services and supplies” to clarify that FTC breach notification requirements cover any online service — such as a website, mobile application or internet-connected device — that provides mechanisms to track health information — such as diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet — or that provides other health-related services or tools that have the technical capacity to draw information from multiple sources and that is managed, shared and controlled by or primarily for the individual.

The rule also clarifies what constitutes a breach and the responsibilities of the manufacturers to notify impacted parties when a breach occurs.

HIMSS strongly supports the intent of the FTC proposals: to ensure that all entities outside of HIPAA’s purview collecting identifiable health information are covered by federal oversight and have responsibilities to protect health information, update impacted parties when a breach occurs and take appropriate action to mitigate the impact of the breach. These changes would be huge wins for consumers.

To ensure a seamless, secure, ubiquitous and nationwide exchange of data, a careful balance must be made between the need to keep information private and secure while also remaining shareable across various environments to help ensure patient health and care is not impeded.

In its comment letter, HIMSS expressed concern that the legislative language empowering FTC uses the term “personal health record,” which is a term that is rarely used since patients more frequently utilize websites, web applications and mobile applications to collect and track their health data.

HIMSS called on Congress to work with the FTC toward constructing appropriate legislative language formulating functional definitions that ensure all platforms that handle, collect, and share electronic health information and are not covered by HIPAA have the responsibility to protect consumer health information. In addition, HIMSS called for FTC to create a more user-friendly online tool to report breaches and other suspected violations of the rule.