The Federal Trade Commission is taking a closer look at how health apps and internet-connected medical devices handle and safeguard the data they collect, the agency made clear Wednesday.
The FTC issued a policy statement on the scope of its Health Breach Notification Rule, a regulation from 2010 that requires personal health records vendors and related companies that collect health data but aren’t covered by the Health Insurance Portability and Accountability Act to notify users of data breaches.
The new guidance clarifies that the rule not only covers personal health records, but also newer health apps and fitness trackers.
Apps that collect fertility, glucose, heart and other health data have proliferated in recent years, without the safeguards afforded by HIPAA.
Digital health companies collectively raised $14.9 billion in the first half of 2021, a record for the sector, according to data from Mercom Capital Group. Health app companies collected $1.6 billion of those investments.
The FTC may look beyond data breaches and investigate how the companies themselves use the information they gather on their customers, FTC Chair Lina Khan said in a news release.
“While this rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” Khan said. “The commission should be scrutinizing what data is being collected in the first place.”
Under the FTC’s Health Breach Notification Rule, companies are required to notify customers and the agency within 60 days of an incident. When breaches affect more than 500 people, companies must notify the FTC within 10 business days. That’s separate from HIPAA, which only applies to providers, insurers and their business associates.
Companies that don’t comply with the Health Breach Notification Rule could be subject to up to $43,792 in monetary penalties per violation per day.
Privacy has been a growing area of concern about apps and other technology tools.
In June, the FTC finalized a settlement with fertility tracker Flo Health, which allegedly shared personal health data with marketing and analytics firms like Facebook and Google.
The following month, an investigation found several popular opioid treatment recovery apps were sharing sensitive user data with third parties. Ahead of data-sharing regulations from the Health and Human Services Department going into effect earlier this year, provider groups raised concerns about patients using apps that aren’t covered by HIPAA to access health data.
Source link : https://www.modernhealthcare.com/technology/ftcs-health-data-breach-rule-covers-apps-fitness-trackers-agency-says
