FTC reminds health apps of obligations under Health Breach Notification Rule


The Federal Trade Commission (FTC) released a policy statement on September 15, 2021, clarifying that makers of health apps and connected devices that collect or use consumers' health information are subject to the Health Breach Notification Rule.

With health apps soaring in popularity, the announcement serves to shed light on the scope of the Rule and emphasize important requirements for reporting data breaches.

Keep reading to learn about the key points of the statement, recommended next steps, and how a HIPAA compliant email application programming interface (API) such as Paubox Email API can help organizations reduce the risk of a breach in the first place.

What does the policy statement say?

Issued in August 2009, the Health Breach Notification Rule requires vendors of personal health records (PHRs) and PHR-related entities to notify the FTC and affected consumers when unsecured "PHR identifiable health information" is breached. That term covers individually identifiable health information that is "created or received by a health care provider" and is stored in a PHR. The Rule exists so that entities not covered by HIPAA are still held accountable when sensitive health information is compromised.

In the policy statement, the FTC confirms that developers of health apps and connected devices are "health care providers" under the Rule because they "furnish health care services or supplies." It also clarifies what makes an app a personal health record: an app is a PHR if it can draw identifiable health information from multiple sources. For instance, an app that takes health data typed in by the consumer and can also pull data through an API, such as syncing with a fitness tracker, is covered by the Rule.

Additionally, the policy statement reminds companies that a "breach" is not limited to cyberattacks or other external malicious activity. Any unauthorized access to covered information, including sharing it with a third party without the individual's authorization, triggers the notification obligation. While the Rule has not been heavily enforced in the past, the FTC states that it intends to enforce it, and companies that fail to comply can face civil penalties of $43,792 per violation per day.

FTC recommendations 

The FTC urges businesses with mobile health apps to carefully review the statement and determine whether the Rule applies to their operations. If covered, companies should evaluate their existing security program and make the appropriate changes. This may include putting in place the logging and monitoring needed to detect unauthorized access, building a notification process that can reach consumers and the FTC within the Rule's deadlines (consumer notice is due without unreasonable delay and no later than 60 calendar days after a breach is discovered), and updating privacy policies so that data-sharing practices match what the app actually does.

The Commission highlights that the Health Breach Notification Rule is particularly relevant to technology that tracks diseases, diagnoses, treatments, medications, fitness regimens, diet plans, mental health, sleep, and similar areas. Firms offering these services should therefore take extra precautions to protect the sensitive data they hold.

Stay prepared with Paubox 

Reassessing your health app’s security measures is an important step to maintain compliance with the latest regulations, but partnering with the right vendor lowers the risk of a data breach from the start.

Designed to integrate quickly into your existing applications, Paubox Email API gives organizations that handle protected health information a reliable way to send transactional emails securely at scale.

With our HIPAA compliant and HITRUST CSF certified product, your patients are able to receive your encrypted messages directly in their inbox without having to navigate any additional passwords or portals. Easy to implement with clear documentation, the developer experience is just as seamless as the email recipient’s.

SEE ALSO: Why healthcare businesses choose Paubox Email API

Try Paubox Email API for FREE today.

About the author

Sara Uzer
