FTC’s Statement of the Commission on Breaches by Health Apps and Other Connected Devices
On September 15, 2021, the Federal Trade Commission (FTC) issued a policy statement affirming that developers of health apps and other connected devices and their service providers must comply with the Health Breach Notification Rule, 16 C.F.R. Part 318.
You need to understand the implications of this FTC policy statement. What does it mean for your privacy? Does it mean that your privacy hasn't always been protected? To answer these questions, you'll need to understand what the rule is and why the FTC made this statement at this point.
Understand the Health Breach Notification Rule
The Health Breach Notification Rule provides that "vendors of personal health records ("PHR") and PHR-related entities must notify U.S. consumers and the FTC, and, in some cases, the media, if there has been a breach of unsecured identifiable health information, or face civil penalties for violations". The information covered by the rule is electronic personal health records that are provided by or on behalf of an individual and that identify that individual.
According to the statement, a privacy breach also includes sharing a customer's health information without authorization.
Why the FTC Issued the Policy Statement
The Health Breach Notification Rule has been in operation for over a decade, so why is the FTC releasing this policy statement now? When you look at the COVID-19 induced surge in the number of health app downloads, you'll understand why this rule is critical now. What does it mean for your privacy?
There's a real danger that your health information may not be adequately protected by some health apps. A security report revealed that a database containing over 61 million records related to health and fitness tracking devices, including Fitbit, Apple Healthkit, and GoogleFit, was left unprotected online.
Why You Should Be Concerned About Your Health Data
Privacy by Design