Consumer Health Data Needs More Protections – Is the FTC Up to It?
Proposed changes unveiled this week by the Federal Trade Commission to its health breach rule have many advocates agreeing that personal health data needs stronger protections even as some question whether the agency has the legal authority to enact its proposal.
Commissioners voted unanimously Thursday for a rule-making codifying an earlier policy change made in 2021 that expanded the scope of a previously obscure and unused rule governing data breach notification requirements for personal health data (see: FTC Makes Moves to Enhance Data Privacy Oversight).
Among the major changes of the policy statement – and of the proposed rule – is that reportable security breaches aren’t limited to cybersecurity incidents, and that the rule applies to a broader set of companies beyond the providers of personal health records that the original rule-makers envisioned as their principal subjects.
The FTC instead said the Health Breach Notification Rule applies to mobile apps and wearable fitness tracking devices that collect consumer health data and that a breach occurs when that consumer data is shared with third parties without individuals’ authorization.
Few disagree that personal health data captured by the app and tracker economy needs more protections that it currently receives. The FTC’s breach notification rule dates to the enactment of the Health Information Technology for Economic and Clinical Health Act in February 2009, “18 months after the first iPhone was released,” said Lucia Savage, chief privacy and regulatory officer at Omada Health.
The years since have seen a Wild West approach to consumer health data privacy, said regulatory attorney Brad Rostolsky of the law firm Reed Smith. Unconstrained by requirements imposed by HIPAA onto clinical settings, data from apps that collect ovulation cycles, mental health, prescriptions and exercise frequency has freely sloshed into targeted advertising databases.
“As the healthcare industry becomes even broader in terms of the types of businesses and products that individuals use on a regular basis, these proposed changes seek to concretely address the plethora of digital health offerings out there that are not directly connected to a HIPAA-covered entity,” Rostolsky said.
A formal rule-making process will almost certainly gives the agency firmer legal ground when asserting that its interpretation is valid, but some close observers warn that the agency could be setting itself up for another humiliating reversal by the Supreme Court.
The high court in 2021 ruled unanimously against the FTC in a case filed by AMG Capital Management, finding the agency had inflated its authority to seek monetary relief on behalf of wronged consumers.
“The Supreme Court now takes a pretty hostile view of super creative interpretations of federal statute, so conditions are not the best for super broad interpretations,” said Graham Dufault, general counsel at ACT – The App Association and a former counsel to the House Energy and Commerce Committee.
The FTC could benefit from an inadvertently broad definition of breach of security in the original rule that defines breaches as “unauthorized access” to personal data. But “it’s a little bit of trying to hammer a nail with a wrench,” he said.
When the FTC first issued the Health Breach Notification Rule more than a decade ago, the regulations pertained to a more limited definition of “personal health record.” It reflected brief-lived Obama-era optimism that consumers would take advantage of the portability requirements of HIPAA to store medical data in personal digital records. Personal health records didn’t catch on, and major companies such as Google took offerings offline after encountering consumer indifference and data portability difficulties.
“For many years, the FTC guidance on the rule presented a much narrower view of what sort of health products were covered,” said attorney Daniel Kauffman of the law firm BakerHostetler and a former acting director of the FTC’s Consumer Protection Bureau.
“It’s really important to conduct a rule-making like this so that the language of the rule comports with this broader interpretation,” he told Information Security Media Group. “A policy statement is not legally enforceable, but a rule is legally enforceable.”
The rule as currently written hews “pretty closely to the text in the statute,” said attorney Deven McGraw, a former privacy official at the Department of Health and Human Services’ Office of the National Coordinator for Health IT and the Office for Civil Rights.
“What I’ll be looking at in these new provisions is whether the FTC is seeking to expand the scope of entities covered and whether the congressional language can reasonably be interpreted to allow for such an expansion,” said McGraw, now a privacy and regulatory executive at Invitae, a genetic screening company.
The FTC took its first-ever health breach rule enforcement action in February against discount drug and telehealth provider GoodRx Holdings and made a second enforcement on Wednesday against Easy Healthcare, the developer of fertility tracking app Premom, saying in each case that the companies should not have been sharing user information with advertisers (see: FTC Fines Fertility App Vendor, Bars It From Data Sharing).
FTC officials have privately said industry acceptance of the agency’s expanded policy statement would be key to cementing its legitimacy.
Attorney Linda Malek, chair of law firm Moses Singer’s healthcare privacy and cybersecurity group, said the two successful enforcement actions could aid the FTC in the event of a challenge.
“The FTC has consistently, over the last year, through enforcement actions, policy statements, opinion pieces in major newspapers and now with this notice of proposed rule-making, sent the message that it has the authority to protect the privacy and security of the health information of individuals who utilize health apps and other healthcare technologies not covered by HIPAA,” she said.