The Federal Trade Commission (FTC) hardens data security rules for health apps and devices
FTC says it will fine digital health companies that don’t disclose data breaches (mobihealthnews):
With data breaches on the rise, the FTC is looking to make health apps more accountable for telling patients when their data has been exposed.
The FTC released a new statement specifying that all health apps that capture sensitive patient information notify users, the commission itself and in some cases the media when a security breach has compromised identifiable health data. If the company fails to do so it could face a fine of $43,792 per day of violation.
The ruling is actually more than ten years old, but according to the FTC statement, it was never enforced and was misunderstood by many companies. The ruling includes vendors of personal health records (PHR) and PHR-related functions, which draw information from multiple sources.
This new statement specifies that apps which draw information from multiple outlets (i.e. ones that pull in wearable data through an API and also collect user input) are now subject to this ruling. The commission said that apps that “track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet and other vital areas.”
The Announcement:
FTC Warns Health Apps and Connected Device Companies to Comply With Health Breach Notification Rule (press release):
The Federal Trade Commission today issued a policy statement affirming that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule, which requires that they notify consumers and others when their health data is breached … The Rule ensures that entities not covered by the Health Insurance Portability and Accountability Act (HIPAA) face accountability when consumers’ sensitive health information is breached.
News in Context:
- Consumer Reports finds unclear, questionable privacy practices and policies among popular mental health apps
- Anticipating the Privacy and Informed Consent issues of the Neurotechnology Era
- A call to action: We need the right incentives to guide ethical innovation in neurotech and healthcare
- The National Academy of Medicine (NAM) shares discussion paper to help empower 8 billion minds