The Federal Trade Commission wants to change the Health Breach Notification Rule to clarify how it applies to users of digital health apps.
While the agency has considered subjecting health trackers, apps and other direct-to-consumer companies to the rule, the proposed changes would codify that digital health companies that handle medical information would be treated in many ways similarly to providers.
The current rule outlines two designations, providers and “services or supplies,” but the proposed changes explain what those terms mean in more detail. The proposal also would clarify the definition of a “breach of security” to include the unauthorized acquisition of identifiable health information resulting from a data breach or an unauthorized disclosure, the agency said in a news release.
An agency spokeswoman said any unauthorized disclosure would trigger the rule. This includes companies voluntarily sharing user data without obtaining proper user consent.
The proposed changes follow the FTC’s recent enforcement actions against consumer drug benefit company GoodRx and Premom, a digital women’s health company.
In February, the FTC took action against GoodRx, alleging that the company shared consumers’ personal health information with Facebook, Google and other third parties. The Department of Justice filed a complaint on behalf of the FTC, and GoodRx agreed to pay a $1.5 million fine.
Once the commission publishes the proposed changes to the Federal Register, a 60-day public comment period will begin.
In March, the FTC fined digital mental health service provider BetterHelp $7.8 million for sharing the personal health information of millions of consumers with advertisers such as Facebook, Snapchat, Criteo and Pinterest over a seven-year period.
The agency alleged that BetterHelp provided consumers’ email addresses, IP addresses and health questionnaire information, and that the company uploaded a list containing more than 7 million email addresses to Facebook between 2017 and 2018. More than half of the emails matched Facebook user IDs, the agency alleges.
Experts said the recent enforcement actions could serve as a warning to digital health companies sharing health information.