Skip to main content
close search
site logo
Dive Brief

FTC warns app makers fall under breach notification rule

Published Sept. 16, 2021
Shannon Muchmore's headshot
Senior Editor
FTC
Carol Highsmith. (2005). "Apex Bldg." [Photo]. Retrieved from Wikimedia Commons.

First published on

Healthcare Dive

Dive Brief:

  • The U.S. Federal Trade Commission issued a policy brief Wednesday clarifying when healthcare apps would be subject to the Health Breach Notification Rule that requires entities not covered by HIPAA to notify consumers if private health information is compromised.
  • The FTC said that developers of health apps and connected devices are considered healthcare providers, and if they disclose sensitive information without authorization that would be considered a breach.
  • The agency also noted that a breach must be reported regardless of whether it was the result of malicious action. Any unauthorized access, including sharing information without consent, would trigger the rule.

Dive Insight:

The FTC said apps are subject to the breach notification rule if they are capable of drawing health records from multiple sources. For example, if an app takes information that a user inputs along with data retrieved through an API from the fitness tracker or calendar on that person's phone, it would count.

Many apps available now have that capability, and more are coming on the market frequently. The FTC said the rule "was issued more than a decade ago, but the explosion in health apps and connected devices makes its requirements with respect to them more important than ever."

Healthcare data breaches have been a serious issue for many years now. So far this year, more than 400 breaches have been reported to HHS by entities that are covered by HIPAA.

That problem has been exacerbated by the COVID-19 pandemic as providers quickly built out telemedicine platforms. The number of breaches increased by 36% from the first half of last year to the second half, according to CI security.

The device side has also raised increasing alarm about cybersecurity attacks and breaches. Legacy medical devices still in use at hospitals  — without the latest security measures — are particularly troublesome.

FTC warned it is prepared to bring actions to enforce the rule. "As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this Rule is more important than ever," according to the brief. "Firms offering these services should take appropriate care to secure and protect consumer data."

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
Innoventric Secures $28.5M and Unveils Groundbreaking Tricuspid Regurgitation Treatment to Hel…
From Innoventric
October 29, 2024
Echosens Launches its Liver Health Management (LHM) Platform Globally, Streamlining Liver Care
From Echosens
November 04, 2024
SYNDEO Medical Announces European MDR Approval for Two Product Brands
From SYNDEO Medical
November 06, 2024
Celonis AgentC: Making AI Agents Work for the Enterprise with Process Intelligence
From Celonis
October 23, 2024
Editors' picks
Latest in COVID-19
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell