By: Alex Rankin

On September 15, the Federal Trade Commission voted 3-2 to issue a policy statement (“Statement”) that health apps are included under the Health Breach Notification Rule (“HBNR”)[1] requirement that vendors of personal health records (“PHR”) and PHR-related entities notify the FTC and any affected U.S. users following a breach of those users’ PHR.  HBNR has gone unenforced since its enactment in 2009,[2] including in any instance of PHR breaches experienced by health apps which could track sensitive information ranging from one’s sleep cycle to one’s menstrual cycle.[3]  According to the FTC, it intends to “bring actions to enforce the Rule” against noncompliant companies, noting the potential for “civil penalties of $43,792 per violation per day.”[4]

The Statement was bolstered by supporting remarks from the three affirming commissioners, Chair Lina Khan, Commissioner Rohit Chopra, and Commissioner Rebecca Kelly Slaughter.[5]  However, Commissioners Christine Wilson and Noah Phillips issued critical responses to the Statement,[6] which have been echoed by outside legal commentators.[7]  Wilson’s and Phillips’ dissents focus on two general points:  first, that the majority’s holding that HBNR applies to health apps expands the Rule’s scope beyond what was originally intended by the Commission and Congress;[8] and second, that the Statement undermines ongoing rulemaking by the FTC and the Department of Health and Human Services (“HHS”) meant to address the same or similar issues.[9]

In the first point, the dissenting commissioners argue that the majority misapplies the meaning of the term “health care providers” as intended under the Social Security Act when construing HBNR’s use of that phrase to include health apps.[10]  They note that HHS guidance limits that phrase to imply “traditional forms” of health care providers (i.e., doctors, nurses, nursing homes, pharmacies, and the like).[11]  Furthermore, the dissenters dispute the majority’s interpretation of HBNR’s definition of PHRs.  According to HBNR, PHRs contain a user’s data “that can be drawn from multiple sources…”[12]  Specifically, Wilson and Phillips argue that the Statement’s assertion that “an app that draws information from multiple sources is covered [by HBNR], even if the health information comes from only one source” directly conflicts with the Commission’s existing online business guidance defining PHR-related entities.[13]

In the second point, Wilson and Phillips argue that the Statement undermines ongoing rulemaking by the FTC designed to determine whether HBNR applies to health apps, as well as parallel rulemaking HHS has undertaken to address its approach to health apps under the Health Insurance Portability and Accountability Act (“HIPAA”) privacy standards.[14]  By disregarding the public notice and comment process for these ongoing rulemakings, Commissioner Phillips argues that the majority undermined the spirit of the Administrative Procedure Act in issuing the Statement.[15]  Commissioner Wilson likewise notes that the FTC already sought input from the public in its ongoing rulemaking to a number of questions which the Statement’s “clarification” essentially renders null.[16]

Despite the detailed arguments offered by Commissioners Wilson and Phillips, the separate remarks issued in support of the Statement by Chair Khan and Commissioners Chopra and Slaughter offer only cursory defenses in reply.[17]  So, it seems the majority is willing to push past such arguments to advance a shift in the FTC’s approach to protecting digital health data.  After not enforcing HBNR for more than a decade, the Commission’s assertion that it will begin pursuing hefty civil penalties against all HBNR violators, including health apps, should put the consumer data industry on notice that regulators are placing renewed focus on privacy.  While some corporate players have expressed support for the FTC’s move,[18] some legal experts have voiced concern over the scope of the Statement, suggesting that the Commission’s attempt to clarify HBNR as applying to health apps may raise more questions than it answers.[19]

The FTC’s move can be viewed as part of a broader federal (and international) trend toward stricter regulation of tech companies’ use of consumer data, as seen in the heightened scrutiny recently faced by major players like Facebook and Google.[20]  Although one may sympathize with the majority’s aim of curbing lax data controls and illegal consumer data sharing by health apps, affected companies have cause to criticize the Statement for those reasons expressed by Commissioners Wilson and Phillips.  Although the Statement sought to clarify the meaning of HBNR as applied to health apps, its arguably over-broad interpretation of HBNR could open ground for affected companies to challenge the Commission’s interpretation.  Furthermore, by disregarding ongoing FTC and HHS rulemaking addressing the same or similar issues, the Statement undermines regulatory predictability needed by industry for effective business planning.  Thus, though privacy and consumer advocates may applaud the FTC’s recent move, many large and small health tech businesses may find cause for concern in the Commission’s aggressive new HBNR enforcement approach.

[1] See generally 85 Fed. Reg. 31,085, 31,087 (codified at 16 C.F.R. pt. 318) [hereinafter C.F.R.]; see also FTC Warns Health Apps and Connected Device Companies to Comply With Health Breach Notification Rule, Fed. Trade Comm’n (Sept. 15, 2021), https://www.ftc.gov/news-events/press-releases/2021/09/ftc-warns-health-apps-connected-device-companies-comply-health [hereinafter FTC Warns].

[2] Statement of the Commission on Breaches by Health Apps and Other Connected Devices, Fed. Trade Comm’n (Sept. 15, 2021), https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf [hereinafter Statement].

[3] FTC Warns, supra note 1.

[4] Statement, supra note 2.

[5] See Comm’r Rebecca Kelly Slaughter, Prepared Remarks of Commissioner Rebecca Kelly Slaughter Regarding the Commission’s Policy Statement on Privacy Breaches by Connected Health Apps, Fed. Trade Comm’n (Sept. 15, 2021), https://www.ftc.gov/system/files/documents/public_statements/1596320/rks_remarks_on_health_breach_policy_statement_09152021.pdf; see Comm’r Rohit Chopra, Prepared Remarks of Commissioner Rohit Chopra Regarding the FTC Policy Statement on Privacy Breaches by Health Apps and Connected Devices, Fed. Trade Comm’n (Sept. 15, 2021), https://www.ftc.gov/system/files/documents/public_statements/1596352/20210915_final_chopra_oral_remarks_health_breach_notification_rule.pdf; see Comm’r Lina M. Khan, Remarks by Chair Lina M. Khan on the Health Breach Notification Rule Policy Statement Commission File No. P205405, Fed. Trade Comm’n (Sept. 15, 2021), https://www.ftc.gov/system/files/documents/public_statements/1596360/remarks_of_chair_lina_m_khan_regarding_health_breach_notification_rule_policy_statement.pdf.

[6] See Comm’r Noah Joshua Phillips, Dissenting Statement of Commissioner Noah Joshua Phillips Regarding the Policy Statement on Breaches by Health Apps and Other Connected Devices, Fed. Trade Comm’n (Sept. 15, 2021), https://www.ftc.gov/system/files/documents/public_statements/1596328/hbnr_dissent_final_formatted.pdf; see Comm’r Christine S. Wilson, Dissenting Statement of Commissioner Christine S. Wilson, Policy Statement on Breaches by Health Apps and Other Connected Devices, Matter No. P205405, Fed. Trade Comm’n (Sept. 15, 2021) https://www.ftc.gov/system/files/documents/public_statements/1596356/wilson_health_apps_policy_statement_dissent_combined_final.pdf.

[7] Kate Kaye, Health app makers are on notice amid FTC data rule refresh, but some privacy experts say the regulator has gone too far, Digiday (Sept. 27, 2021), https://digiday.com/marketing/health-app-makers-are-on-notice-amid-ftc-data-rule-refresh-but-some-privacy-experts-say-the-regulator-has-gone-too-far/ (quoting an attorney saying the Statement marks a “significant expansion” from the FTC’s previous interpretation of HBNR).

[8] Supra note 6.

[9] Id.

[10] Id.

[11] See Phillips, supra note 6.

[12] C.F.R., supra note 1, at pt. 318.2(d).

[13] See Wilson, supra note 6 (italics added); see also Phillips, supra note 6.

[14] See Wilson, supra note 6 (noting that HBNR was designed “as a gap-filler” to cover “health care providers not already covered by HIPAA”).

[15] See Phillips, supra note 6.

[16] See Wilson, supra note 6.

[17] See Chopra, supra note 5 (noting that the Statement is not “the launch of a new proposed rule or an advanced notice of proposed rulemaking” and that the “proposed policy guidance is consistent with the existing rule, but more clearly articulates which types of apps and services are covered…”); see Khan, supra note 5 (stating that the Statement is “entirely consistent with” existing guidance, and that no notice of proposed rulemaking is pending on HBNR, but that the FTC only solicited comments as part of its periodic review).

[18] See Kaye, supra note 7 (quoting the CEO of a company that manages a fertility tracking app expressing sympathy for the FTC’s move and objecting to some companies’ sale of users’ health data).

[19] Id. (quoting an attorney-specialist suggesting the FTC has not “identified where the guardrails are” in its expanded interpretation of HBNR, and that the Statement “raises so many questions… [which] the [S]tatement doesn’t answer…”).

[20] Nicole Westman, FTC resurrects a decade-old rule as a guardrail on the health app explosion, The Verge (Sept. 22, 2021), https://www.theverge.com/2021/9/22/22688497/ftc-health-app-privacy-transparency-data (noting that federal and state governments are placing increased regulatory focus on data privacy).
