One would expect those who create rules to stand firmly as the strictest adherents. However, that’s not always so, and the FTC has been actively illustrating that unfortunate reality. In March 2021, Congress called out the commission for failing to adhere to its Health Breach Notification Rule for mobile apps that share personal health records with third parties. In response, the FTC issued a policy statement assuring the public that it would henceforth enforce the rule. As of the end of 2022, little evidence exists to back that promise.
If enforced properly, non-HIPAA-regulated apps would be held accountable—through fines or other penalties—when they accidentally expose or knowingly share personal data and fail to notify users.
Technology has super-powered convenience and accessibility, particularly for consumer health tracking. Users have at their disposal a host of mobile health (mHealth) apps that can track glucose levels, sleep cycles, eating habits, weight loss progress, exercise data, heart rate, etc. These apps are undoubtedly loaded with massive amounts of health and personal information. They’re also rife with security gaps and covert data usage. So, entwined with their many benefits are many security and privacy dangers.
At least three recent studies have revealed that many mHealth apps regularly share user data with third-party entities without consent or without notifying users of the practice. BMJ conducted a study that found 19 of the 24 apps reviewed had shared user data with 55 unique entities, including developers and third-party providers, that received or processed that data. Also, 67 percent of those apps shared user data unrelated to the app’s purpose, such as browsing history, device name, operating system, and email addresses.
JAMA performed a study (Assessment of the Data Sharing and Privacy Practices of Smartphone Apps for Depression and Smoking Cessation) reporting that almost 50 percent of mental health apps sent user data to third parties and failed to disclose the transmissions, lacked a privacy policy, or falsely declared that data would not be shared.
Finally, a leading cybersecurity analyst, Alissa Knight, published another report suggesting that the data of at least 23 million mental health app users has been compromised because of privacy and security flaws.
The FTC bears the greatest authority to protect user privacy within mHealth apps. These mHealth apps fall outside of HIPAA regulation, as HIPAA can only govern apps that are explicitly affiliated with healthcare providers. Therefore, mobile health app users have their privacy and security largely in the hands of the FTC. Why hasn’t the FTC stayed true to its claim to “bring actions to enforce the Rule consistent with this Policy Statement” and impose “civil penalties of $43,792 per violation per day” for violations of the rule?
Though its enforcement of the Health Breach Notification Rule appears to be lacking, the FTC did recently update its Mobile Health App Interactive Tool. Businesses can use this tool to determine whether their app might fall under the FTC's rule, HIPAA, the 21st Century Cures Act, the ONC Information Blocking Regulations, or the Food, Drug, and Cosmetic Act. The tool now contains new, more specific questions, examples, and use cases.
In March 2022, the FTC also published two additional resources to supplement and clarify its policy statement. The first offers a brief, high-level overview of the rule; the second goes into greater detail about notification triggers and requirements and the rule’s applicability.
Are additional resources and updated apps enough to protect the data of mHealth app users? Will the FTC step up in 2023 to aptly guard consumer privacy and security within these apps? Consumers expect those who make the laws to enforce those laws and protect their privacy—because no one else can.
To learn more about healthcare regulations and compliance, visit CompliancePro Solutions.