Companies that collect and process health-related data that does not fall under the requirements of the Health Insurance Portability and Accountability Act (“HIPAA”) will want to pay close attention to new resources published on January 21, 2022 by the Federal Trade Commission. These documents provide guidance to help organizations comply with the Health Breach Notification Rule (the “Rule”).
As explained by the FTC in September 2021, the Rule applies to makers of health apps, connected devices and similar products. The Rule requires vendors of personal health records (PHR), PHR-related entities and service providers to those entities to notify consumers and the FTC (and, in certain cases, the media) when a breach of unsecured identifiable health information occurs. A breach for this purpose includes cybersecurity intrusions as well as other forms of unauthorized access to the data.
One of these resources – “The Health Breach Notification Rule: The Basics for Business” – provides a brief overview of the Rule and what it requires. On September 15, 2021, the FTC issued a statement clarifying that the Rule applies to most health apps and similar technologies.
The FTC notes that this document will be of interest to companies that provide these products or services, that send data to or receive data from apps and connected devices, or that handle health information while providing services to companies that offer those products. Failure to notify the FTC, consumers, or the media as the Rule requires could result in an enforcement action seeking significant civil penalties: companies that fail to comply with the Rule could be subject to penalties of up to $46,517 per violation per day.
The second – “Complying with the FTC’s Health Breach Notification Rule” – provides more detail about when the Rule applies, when notification is required, how to notify people and what must be included in the notification, and the other measures companies must take in the event of a breach. The publication includes FAQs covering various aspects of the Rule, such as possible penalties for violations, the relationship between the Rule and state breach notification laws, and what constitutes a security breach.
While bipartisan legislation to establish a federal privacy law in the United States – the American Data Privacy and Protection Act – moves through Congress, the Federal Trade Commission (FTC) has taken steps to address existing and emerging issues related to commercial data and is considering whether to update the Rule's requirements.