New FTC rule requires digital health apps to notify users of data breaches

The FTC has issued a revised Health Breach Notification Rule, aimed at protecting consumer medical information on digital health and wellness apps, such as GoodRx and Cerebral, by requiring them to notify consumers of a breach.


The Federal Trade Commission has issued a final rule aimed at protecting consumer medical information on digital health apps.

The revised Health Breach Notification Rule (HBNR) requires vendors that manage digital health records that are not covered by HIPAA to notify individuals, the FTC and, in some cases, the media of a breach of unsecured personally identifiable health data. The agency defines this type of data as traditional health information such as diagnoses and medications, as well as data collected from fitness trackers and “emergent health data.”

“Protecting consumers’ sensitive health data is a high priority for the FTC,” said Samuel Levine, director of the agency’s Bureau of Consumer Protection. “With the increasing use of health apps and connected devices, the updated HBNR will ensure it keeps pace with changes in the health marketplace.”

The existing rule stipulated that a covered entity must disclose leaks of unsecured data to consumers. Until recently, however, the FTC didn’t use its authority to penalize violations. Since the rule’s issuance, health apps and other direct-to-consumer health technologies, such as fitness trackers, have become commonplace.

The FTC highlighted several specific aspects of the final rule:

In February 2023, the FTC resolved several claims under the rule against GoodRx, which it alleged had failed to notify customers and regulators of unauthorized disclosures of consumers’ personal health information. GoodRx agreed to pay a $1.5 million civil penalty. Last May, the FTC reached a settlement with the developer of the fertility app Premom over allegations that it had deceived users by sharing their sensitive personal information with third parties, disclosed users’ sensitive health data to AppsFlyer and Google, and failed to notify consumers of these unauthorized disclosures, in violation of the Health Breach Notification Rule.


“Today’s issuance of the final rule codifies this approach, honoring the statutory directive that people must be notified when their health records are breached,” FTC Chair Lina Khan, Commissioner Rebecca Kelly Slaughter and Commissioner Alvaro M. Bedoya wrote in a joint statement.

The updated rule will go into effect 60 days after it appears in the Federal Register.