Resolution Resources
The Rise of Mobile Health Triggers Increased FTC Enforcement By Janice L. Sperow
Janice L. Sperow is a full-time neutral arbitrator, mediator, dispute prevention facilitator, and hearing officer specializing in mass claims, healthcare, technology, employment, and all commercial matters. ©2021 Janice L. Sperow. All rights reserved.
The pandemic changed how we work, shop, communicate, and meet. It changed our world’s “normal.” Most significantly, it changed the healthcare industry, but not only regarding new vaccines and protocols. It revolutionized the way we maintain our health and wellness, as healthcare app development now shapes the very future of medicine. Spurred by rapid significant advances in mobile technology, artificial intelligence, and the internet of things, medical apps have accelerated at an unprecedented rate. Even before the pandemic’s uptick in the use of healthcare mobility tools, the Physicians Practice medical publication conducted a mobile health survey in 2018 and found that over 75 percent of respondents used some form of mobile health solutions on a weekly basis. Since the pandemic, the use of mobile applications in healthcare, MedTech, and eHealth has skyrocketed. A $21.3 billion market in 2017, the global mobile health market is anticipated to reach $151 billion by 2025. The Food and Drug Administration defines a health app as mobile software that diagnoses, tracks, or treats disease. A wellness app uses mobile software to enhance or track overall user health. These apps can and do address every facet of life impacting wellness from mental, physical, social, environmental, nutritional, behavioral, to even spiritual factors. In response to the market’s dramatic growth, the Federal Trade Commission (FTC) issued its “Statement on the Commission of Breaches by Health Apps and Other Connected Devices” (“the Statement”) on Sept. 15, 2021. The Statement stresses the FTC’s commitment to protecting private medical and health information inputted into these apps and devices and explains the FTC’s Health Breach Notification Rule (“the Rule”) in more detail. Importantly, the Statement unequivocally declares the Rule’s scope and the FTC’s intention to enforce the rule.
FTC’s Health Breach Notification Rule The Rule itself has been in effect since 2009, when the American Recovery and Reinvestment Act of 2009 became effective. The Rule addresses the security of personal health records (PHR), defined to include an
electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.1 “PHR identifiable health information” includes “individually identifiable health information,” as defined in section 1171(6) of the Social Security Act.2 It also includes individual information provided by or on behalf of the individual that actually identifies or reasonably can be used to identify the individual.3 The Rule applies to (1) vendors of personal health records; (2) PHR-related entities who interact with vendors of PHRs or HIPAA-covered entities by offering products or services through their sites; (3) PHR-related entities who access information from or send information to a PHR; (4) PHR-related entities who process unsecured PHR identifiable health information as part of providing their services; and (5) third-party service providers for vendors of PHRs. The rule does not apply to HIPAA-covered entities or any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity. Under the Rule, vendors of PHRs and PHR-related entities must report a “breach of security” involving PHRs to the FTC, the consumers, and, in some cases, to the media. Service providers that process information for PHR vendors and PHR-related entities also have a duty to notify their business customers of a security breach. Typically, these service providers handle data storage or billing as a third-party provider. The Rule defines a “breach of security” as the acquisition of unsecured, PHR identifiable health information without the individual’s authorization. Upon discovering a security breach, the entity must notify the required recipients within 60 days; but it must alert the FTC within 10 business days if the breach involves more than 500 individuals. Noncomplying entities face civil penalties of $43,792 per violation per day.
Rule Clarification The FTC’s new Statement clarifies the Rule’s scope and application. It explains that the Rule covers vencontinued on page 45 January/February 2022 • THE FEDERAL LAWYER • 13
