One would expect those who write the rules to be their strictest adherents. That is not always so, and the FTC has been illustrating this unfortunate reality. In March 2021, Congress called out the commission for failing to enforce its Health Breach Notification Rule against mobile apps that share personal health records with third parties. In response, the FTC issued a policy statement assuring the public that it would henceforth enforce the rule. As of the end of 2022, little evidence exists to back that promise.

About the Health Breach Notification Rule 

In general, the Rule requires organizations not governed by HIPAA that experience a breach to notify the FTC and every person whose data was compromised, and, for larger breaches, the media. The FTC’s policy statement describes the scope this way: “The Rule covers vendors of personal health records that contain individually identifiable health information created or received by health care providers. The Rule is triggered when such entities experience a ‘breach of security.’ Under the definitions cross-referenced by the Rule, the developer of a health app or connected device is a ‘health care provider’ because it ‘furnish[es] health care services or supplies.’ When a health app, for example, discloses sensitive health information without users’ authorization, this is a ‘breach of security’ under the Rule.”

If the Rule were enforced, non-HIPAA-regulated apps would be held accountable, through fines or other penalties, when they accidentally expose or knowingly share personal health data and then fail to notify users.

Why the Rule Is Important for Mobile Health Apps 

Technology has made consumer health tracking remarkably convenient and accessible. Users have at their disposal a host of mobile health (mHealth) apps that track glucose levels, sleep cycles, eating habits, weight-loss progress, exercise, heart rate, and more. These apps hold large amounts of health and personal information, and they are also rife with security gaps and covert data sharing. Entwined with their many benefits are many security and privacy dangers.

At least three recent studies have found that many mHealth apps regularly share user data with third-party entities without consent and without telling users. A BMJ study found that 19 of the 24 apps it reviewed shared user data with 55 unique entities (developers, parent companies, and third-party service providers) that received or processed that data, and that 67 percent of those apps shared data unrelated to their function, such as browsing history, device name, operating system, and email address.

A JAMA study (“Assessment of the Data Sharing and Privacy Practices of Smartphone Apps for Depression and Smoking Cessation”) reported that almost 50 percent of the mental health apps examined sent user data to third parties while failing to disclose the transmissions, lacking a privacy policy, or falsely declaring that data would not be shared.

Finally, cybersecurity analyst Alissa Knight published a report finding that the data of at least 23 million mobile health app users was exposed to privacy and security flaws, most of them at the API level.

More About the FTC’s Health Breach Notification Rule Enforcement Failure 

The FTC states that it began enforcing the Health Breach Notification Rule in February 2010. A review of its enforcement history, however, paints a picture of selective enforcement, at least where mHealth apps are concerned. In its complaint, Congress wrote, “Despite several high-profile cases of period-tracking apps disclosing personal health information to third parties without their users’ authorization, the FTC has never taken any enforcement actions related to the Health Breach Notification Rule.”

The FTC holds the greatest authority to protect user privacy within mHealth apps. Most mHealth apps fall outside HIPAA, which governs only covered entities (healthcare providers, health plans, and clearinghouses) and their business associates; a consumer app with no such affiliation is not covered. The privacy and security of mobile health app users are therefore largely in the hands of the FTC. Why, then, has the FTC not stayed true to its stated intent to “bring actions to enforce the Rule consistent with this Policy Statement” and to impose “civil penalties of $43,792 per violation per day” for violations of the rule?

FTC’s Mobile Health App Interactive Tool 

Though its enforcement of the Health Breach Notification Rule appears to be lacking, the FTC did recently update its Mobile Health App Interactive Tool. Businesses can use the tool to determine whether their app might be subject to the FTC’s rule, HIPAA, the 21st Century Cures Act, the ONC Information Blocking Regulations, or the Federal Food, Drug, and Cosmetic Act. The tool now contains new, more specific questions, examples, and use cases.

In March 2022, the FTC also published two additional resources to supplement and clarify its policy statement. The first offers a brief, high-level overview of the rule; the second goes into greater detail about notification triggers and requirements and about the rule’s applicability.

Are additional resources and an updated tool enough to protect the data of mHealth app users? Will the FTC step up in 2023 to guard consumer privacy and security within these apps? Consumers expect those who make the rules to enforce them and protect their privacy, because no one else can.

To learn more about healthcare regulations and compliance, visit CompliancePro Solutions.
