FTC reminds health apps of obligations under Health Breach Notification Rule
by Sara Uzer
The Federal Trade Commission (FTC) released a policy statement on September 15, 2021, clarifying that makers of health apps and connected devices are subject to the Health Breach Notification Rule.
With health apps soaring in popularity, the statement spells out the scope of the Rule and restates the requirements for reporting breaches of health data.
Keep reading to learn about key guidelines, recommended next steps, and how a HIPAA compliant email application programming interface (API) such as Paubox Email API can help organizations steer clear of security risks.
What does the policy statement say?
Issued in August 2009, the Health Breach Notification Rule requires vendors of personal health records (PHRs), along with PHR-related entities and their third-party service providers, to notify the FTC and affected consumers when unsecured “identifiable health information created or received by healthcare providers” is breached. It was issued to ensure that entities not covered by HIPAA are held accountable when sensitive health information is compromised.
In the new policy statement, the FTC confirms that developers of health apps and connected devices are “health care providers” under the Rule because they “furnish health care services or supplies.” An app is a covered PHR when it can draw identifiable health information from multiple sources. For instance, an app that collects data entered by the consumer and also has the technical capacity to pull data through an API, such as one that syncs with a fitness tracker, is covered and must comply.
The policy statement also reminds companies that a “breach of security” under the Rule is not limited to cybersecurity intrusions or other malicious activity by outsiders. Any unauthorized access, including sharing covered information without the individual’s authorization, triggers the notification obligation. Although the FTC has not enforced the Rule in the past, companies that fail to comply can now face civil penalties of $43,792 per violation per day.
The FTC urges businesses with mobile health apps to carefully review this guidance and determine whether it applies to their operations. If covered, companies are advised to evaluate their existing security strategy and make the appropriate changes. This may include implementing the necessary systems to identify data breaches and notify consumers, as well as updating privacy policies to reflect this information.
The Commission highlights that the Health Breach Notification Rule is particularly critical for technology that tracks diseases, diagnoses, treatments, medications, fitness regimens, diet plans, mental health, sleep, and other essential areas. Therefore, firms that offer these services should take extra precautions to protect sensitive data.
Stay prepared with Paubox
Reassessing your health app’s security measures is an important step to maintain compliance with the latest regulations, but partnering with the right vendor lowers the risk of a data breach from the start.
Designed to integrate quickly with your existing applications, Paubox Email API gives organizations that run their own technology stack a reliable way to send transactional email securely and at scale.
With our HIPAA compliant and HITRUST CSF certified product, your patients are able to receive your encrypted messages directly in their inbox without having to navigate any additional passwords or portals. Easy to implement with clear documentation, the developer experience is just as seamless as the email recipient’s.