September.23.2021
The Federal Trade Commission ("FTC") recently announced its intent to "vigorously" enforce its 2009 Health Breach Notification Rule (the "Rule") via a policy statement that sheds light on the Rule's scope. The policy statement includes an expanded interpretation of entities subject to the Rule and clarifies that not only does the acquisition of health data by a bad actor constitute a reportable breach but that the disclosure of it to a third-party without an individual's authorization is also a reportable breach. Health tech companies need to take action immediately and determine if they are subject to the Rule. If they are, they may need to update their privacy and security policies. Learn more about the Rule in this update and how Orrick can help.
The Rule requires vendors of personal health records ("PHRs") and PHR-related entities to report breaches of security to the FTC, individuals, and in certain circumstances, the media. The Rule was intended to bridge the gap in breach reporting obligations for entities not covered by the Health Insurance Portability and Accountability Act ("HIPAA") but collecting individually identifiable health information. Under the Rule, a vendor of personal health records is an entity not subject to HIPAA that collects individually identifiable health information drawn from multiple sources into an electronic record managed, shared, and controlled by, or primarily for, the individual (a "PHR"). PHR-related entities include entities not subject to HIPAA that send information to PHRs. For example, the Rule applies to an online service that allows individuals to pull their medical records from multiple health care providers and store them electronically.
In its policy statement, the FTC expands those entities subject to its Rule. Health care providers not otherwise subject to HIPAA are within the Rule's scope due to cross-references incorporated into the definitions section of the Rule. In the policy statement, the FTC states that health apps and connected devices are health care providers because they "furnish health care services or supplies." As such, if they are not otherwise subject to HIPAA and pull information, some of which is health information, from multiple sources, they are subject to the Rule. Health care providers are not subject to HIPAA unless they enter into certain electronic HIPAA standard transactions related to billing payment for healthcare. For these purposes, drawing from multiple sources includes pulling from application programming interfaces ("APIs") and information input directly by the individual (for example, blood pressure input by the individual). This is true, according to the policy statement, even if the health information is drawn from one source, but the app or device collects other non-health information from another source (for example, dates from the calendar on the individual's cell phone).
Additionally, the FTC provides guidance in its policy statement on the definition of a reportable "breach of security." The Rule defines a "breach of security" as an acquisition of the individually identifiable health information in the PHR "without the authorization of the individual." In the policy statement, the FTC cautioned that a "breach of security" is broader than cybersecurity intrusions by bad actors. It includes disclosures by a health app or connected device of "sensitive health information" without the consumer's authorization. An entity subject to the Rule will need to review its privacy policy and/or obtain consumer opt-in consent prior to making any disclosures of health information to third parties. Disclosures that would not raise to the level of a breach under state laws may now raise to the level of a reportable breach under the Rule.
As far as the nuts and bolts of the Rule, entities subject to it must notify individuals and the FTC following the discovery of a security breach. Similarly, in the event of a security breach, downstream third-party service providers must provide notice to vendors of personal health records or PHR-related entities and obtain acknowledgment that the notice was received. If the breach involves 500 or more individuals, the notification to the FTC must be made no later than ten business days following the discovery of a breach of security. If the breach involves fewer than 500 individuals, the entity may maintain a log and submit the log annually to the FTC no later than 60 calendar days following the end of the calendar year. The individual notifications must be sent "without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security."
While significant in its own right, the policy statement takes on particular significance during the global pandemic. We have seen a rapid expansion in tech companies offering apps that collect and track health-related information, including mental health, diet, sleep, fertility, fitness, and COVID-19 health and vaccination status. If not subject to HIPAA and if drawing information from more than one source, these tech companies should closely evaluate their apps' collection of health information and the company's privacy and security policies and incident response plans.
As acknowledged in the policy statement itself, in the decade since the Rule's issuance, the FTC has never enforced it. Moreover, there have only been four instances of a company providing notice to the FTC under it. The FTC, however, is loudly signaling that the days of non-enforcement are now over. According to the Chair of the FTC, it plans to "enforce this Rule with vigor." Moreover, given the limitation on the FTC's ability to seek equitable monetary relief under Section 13(b) of the FTC Act arising from the recent decision in AMG Capital Management, LLC v. FTC, 593 U.S. __ (2021), the FTC may be even more likely to pursue actions under the Rule because it offers a civil penalty. Under the Rule, the FTC can seek a civil penalty of $43,792 per violation, per day.
If you have any questions about your company's approach to health information, incident response preparedness, or are responding to a breach, please contact Orrick for additional guidance.