FTC Healthcare App Breach Notification

Question 1

Failure to notify the FTC, consumers, or the media, as required by the Rule, could result in an enforcement action seeking significant civil penalties. Companies that fail to comply with the Rule could be subject to penalties of up to

Answer 1

$43,792 per violation per day.

Question 2

The FTC’s Health Breach Notification Rule applies only to identifying health information that is not secured through technologies specified by the Department of Health and Human Services. Also, the FTC’s Rule doesn’t apply to businesses or organizations

Answer 2

covered by the Health Insurance Portability & Accountability Act (HIPAA). In case of a breach, entities covered by HIPAA must comply with the U.S. Department of Health & Human Services (HHS) Breach Notification Rule.

Question 3

As more consumers use health apps and connected devices like fitness trackers, information about our health is increasingly collected and shared online. For most hospitals, doctors’ offices, and insurance companies, the Health Insurance Portability and Accountability Act (HIPAA) governs the privacy and security of health records stored online. But many companies that collect people’s health information – whether it’s a fitness tracker, a diet app, a connected blood pressure cuff, or something else – aren’t covered by HIPAA. Does that mean this sensitive health information doesn’t have any legal protections? Not at all.

Answer 3

The Federal Trade Commission (FTC), the nation’s consumer protection agency, enforces Section 5 of the FTC Act, which prohibits companies from misleading consumers or engaging in unfair practices that harm consumers. In addition, the FTC enforces the Health Breach Notification Rule, which requires certain organizations (both businesses and nonprofits) not covered by HIPAA to notify their customers, the FTC, and, in some cases, the media, if there’s a breach of unsecured, individually identifiable health information. An FTC Policy Statement makes clear that makers of health apps, connected devices, and similar products must comply with the Rule.

Question 4

WHO’S COVERED BY THE HEALTH BREACH NOTIFICATION RULE

Answer 4

The Rule applies if you are:

a vendor of personal health records (PHRs);
a PHR related entity; or
a third party service provider for a vendor of PHRs or a PHR related entity.

Question 5

Vendor of personal health records.

Answer 5

Your business is a vendor of personal health records if it “offers or maintains a personal health record.” A personal health record is defined as an electronic record of “identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” For example, if you develop a health app that collects information from consumers and can sync with a consumer’s fitness tracker, you’re probably a vendor of personal health records. You’re not a vendor of personal health records if you’re covered by HIPAA.

Question 6

PHR related entity.

Answer 6

Your business is a PHR related entity if it interacts with a vendor of personal health records either by offering products or services through the vendor’s website – even if the site is covered by HIPAA – or by accessing information in a personal health record or sending information to a personal health record. For example, a company that offers a fitness tracker is likely a PHR related entity if it sends information to health apps (which are likely personal health records, as described above). Your company is not a PHR related entity if you’re already covered by HIPAA.

Question 7

Third party service provider.

Answer 7

Your business is a third party service provider if it offers services involving the use, maintenance, disclosure, or disposal of health information to vendors of personal health records or PHR related entities. For example, if a vendor of personal health records hires your company to provide billing, debt collection, or data storage services related to health information, you’re a third party service provider, and covered by the Rule.

Question 8

WHAT TRIGGERS THE NOTIFICATION REQUIREMENT

Answer 8

The Rule requires that you provide notice when there has been an unauthorized acquisition of unsecured PHR identifiable health information. How those terms are defined is important:

Question 9

Unauthorized acquisition.

Answer 9

If health information that you maintain or use is acquired by someone else without the affected person’s approval, it’s an unauthorized acquisition under the Rule. For example, say a thief steals an employee’s laptop containing unsecured personal health records or someone on your staff downloads personal health records without approval. Those are probably unauthorized acquisitions that trigger the Rule’s notification requirement. Keep in mind, though, that a “breach” is not limited to cybersecurity intrusions or nefarious behavior by hackers or insiders. Incidents of unauthorized access, including a company’s disclosure of covered information without a person’s authorization, triggers notification obligations under the Rule.

Question 10

PHR identifiable health information.

Answer 10

The notification requirements apply only when you’ve experienced a breach of PHR identifiable health information. This is health information that identifies someone or could reasonably be used to identify someone. Consider two examples. First, suppose you share your users’ medical information along with their mobile identifiers with an ad network for the purpose of targeted marketing without first getting the person’s consent. Second, say an intruder hacks into your database that contains email addresses, dates of birth, and medication information. Names weren’t disclosed in either example. But the information disclosed could still readily identify individual consumers, so it counts as PHR identifiable health information. By contrast, consider a hack of a database containing city and common medication data that reveals that ten anonymous individuals in New York City have been prescribed a widely-used drug. That probably wouldn’t be considered PHR identifiable health information because it couldn’t reasonably be used to identify specific people.

Question 11

Unsecured information.

Answer 11

The Rule applies only to unsecured health information, defined by the U.S. Department of Health and Human Services (HHS) to include any information that is not encrypted or destroyed. For example, if your employee loses a laptop containing only encrypted personal health records, you wouldn’t be required to notify people.

Question 12

Personal health record.

Answer 12

A personal health record (PHR) is an electronic health record that can be “drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” If your business experiences a breach involving only paper health records – not electronic records – the FTC’s Rule doesn’t require any notification. If your product draws information from multiple sources – let’s say a diet app that allows users to enter daily weights and an API for pulling calorie counts from restaurant menus – there’s a good chance you have a PHR covered by the FTC’s Rule.

Question 13

If your business is a vendor of personal health records or a PHR related entity and there’s a breach, the Rule spells out your next steps. You must notify:

Answer 13

each affected person who is a citizen or resident of the United States;
the Federal Trade Commission, using this form; and
in some cases, the media.

Question 14

People:

Answer 14

If you experience a breach of unsecured personal health information, you must notify each affected person “without unreasonable delay” – and within 60 calendar days after the breach is discovered. The countdown begins the day the breach becomes known to someone in your company or the day someone should reasonably have known about it. Although the Rule requires you to notify people within 60 calendar days, it also requires you to act without unreasonable delay. That means if a company discovers a breach and gathers the necessary information within, say, 30 days, it would be unreasonable to wait until the 60th day to notify the people whose information was breached.

Question 15

The FTC:

Answer 15

The Rule requires you to notify the FTC (use this form), but the timing depends on the number of people affected.

Question 16

If the breach involves the information of 500 people or more, you must notify the FTC

Answer 16

as soon as possible and within 10 business days after discovering the breach. To report the breach to the agency, you must use this form.

Question 17

If the breach involves the information of fewer than 500 people, you have more time. You must send the same standard form to the FTC – along with forms documenting any other breaches during the same calendar year involving fewer than 500 people –

Answer 17

within 60 calendar days following the end of the calendar year. So, if your company experiences one breach in April affecting the records of 100 people and a second breach in September affecting the records of 50 people, the 60-day countdown begins January 1st of the next year.

Question 18

The media:

Answer 18

When at least 500 residents of a particular state, the District of Columbia, or a U.S. territory or possession are affected by a breach, notification takes on an extra dimension. Without unreasonable delay – and within 60 calendar days after the breach is discovered – you must notify prominent media outlets serving the relevant locale. This media notice is a supplement to the individual notice you must give to people whose information was breached. It’s not a substitute for individual notices.

Question 19

If your company is a third party service provider to a vendor of personal health records or a PHR related entity, you have notice requirements under the Rule, too. As a preliminary matter, the Rule requires

Answer 19

those clients to tell you up front that they’re covered by the Rule. If you experience a breach, you must notify an official designated in your contract with your client – or if there is no designee, a senior official of the company – without unreasonable delay and within 60 calendar days of discovering the breach. You must identify for your client each person whose information may be involved in the breach. It isn’t enough just to send the notice and assume the ball is in your client’s court. You must get an acknowledgment that they received your notice. They, in turn, must notify the people affected by the breach, the FTC, and, in certain cases, the media.

Question 20

How to notify people

Answer 20

The best practice for notifying people is to find out from your customers in advance – perhaps when they sign up for your service – if they’d prefer to hear about a security breach by email or by first-class mail. If you collect only email addresses from your customers, you can send them a message – or let new customers know when they sign up – that you intend to contact them by email about any security breaches.

However, remember that if you plan to use email as your default method, you must give your customers the opportunity to choose first-class mail notification instead and that option must be clear and conspicuous. If email is a customer’s preference, explain how to set up any spam filters so they will get your messages.

Question 21

What if you’ve made reasonable efforts to reach people affected by the breach, but you haven’t been able to contact each of them?

Answer 21

If you fail to contact 10 or more people because of insufficient or out-of-date contact information, you must provide substitute notice through:

a clear and conspicuous posting for 90 days on your website home page; or
a notice in major print or broadcast media where those people likely live.

Both of these forms of substitute notice must include a toll-free phone number that must be active for at least 90 days so people can call to learn if their information was affected by the breach.

Question 22

Regardless of the form of notification, your notice to individuals must be easy to understand and must include the following information:

Answer 22

a brief description of what happened, including the date of the breach (if you know) and the date you discovered the breach;
the kind of PHR identifiable health information involved in the breach – insurance information, Social Security numbers, financial account data, dates of birth, medication information, etc.
if the breach puts people at risk for identity theft or other possible harm, suggested steps they can take to protect themselves. Your advice must be relevant to the kind of information that was compromised. You may want to refer people to the FTC’s page within IdentityTheft.gov, When Information Is Lost or Exposed. In addition:
if the breach involves health insurance information, you might suggest that people contact their healthcare providers if bills don’t arrive on time in case an identity thief has changed the billing address, check the Explanation of Benefit forms from their insurance company for irregularities, and review their medical records for errors. If people spot anything unusual, they should contact their insurance company about possible medical identity theft or to ask for a new account number.
if the breach includes Social Security numbers, you might suggest that people get a free copy of their credit report from www.annualcreditreport.com, monitor it for signs of identity theft, and place a credit freeze on their credit report. If they spot suspicious activity, they should visit IdentityTheft.gov to report it and get a personalized recovery plan.
if the breach includes financial information – for example, a credit card or bank account number – you might suggest that people monitor their accounts for suspicious activity and contact their financial institution about closing any accounts that may have been compromised.
If the breach involved an app or connected device, you might suggest that people review the app’s or device’s privacy settings and download the latest updates to fix any privacy or security glitches.
a brief description of the steps your business is taking to investigate the breach, protect against future breaches, and mitigate the harm from the breach; and
how people can contact you for more information. Your notice must include a toll-free telephone number, email address, website, or mailing address.

Question 23

Why did the FTC implement the Health Breach Notification Rule and issue its recent Policy Statement?

Answer 23

Congress directed the FTC to implement the Health Breach Notification Rule, which non-HIPAA covered businesses must follow if there’s a breach of consumers’ unsecured, individually identifiable health information.

The FTC issued the Policy Statement because, as one of only a handful of federal privacy laws protecting consumers’ health information, the Rule plays a vital role in holding companies accountable for how they disclose consumers’ sensitive health information.

Since the FTC first issued the Rule more than a decade ago, consumers have turned to apps, wearables, and other technologies for health advice, information, and tracking. It is imperative that the FTC’s enforcement of its Rule keep pace with changing technology.

Question 24

What is considered a “breach of security” under the Rule?

Answer 24

Under the rule, a “breach of security” is defined as the acquisition of unsecured PHR identifiable health information of an individual in a personal health record without the individual’s authorization. A breach is not limited to cybersecurity intrusions. Incidents of unauthorized access, including sharing of covered information without an individual’s authorization, trigger notification obligations under the Rule.

Question 25

It looks like we accidentally sent some of our users’ health information to a social media platform. It also looks like someone accessed our database without our consent. We don’t know if the social media company used the information and we don’t know if anyone downloaded anything. Are these the kinds of “unauthorized acquisitions” that would trigger the Rule’s notification requirements?

Answer 25

Both incidents should trigger an examination on your part to determine your obligations under the Rule. Importantly, with respect to the first incident, the FTC’s Policy Statement makes clear that the Rule does not just apply to cybersecurity intrusions or other nefarious behavior. To the contrary, if you disclose consumers’ unsecured, individually identifiable health information without their consent, a breach has occurred.

In the second incident – the database access – it’s not clear whether the data also has been “acquired” – that is, downloaded or copied. In these cases the Rule has a rebuttable presumption: Where there has been unauthorized access, unauthorized acquisition is presumed unless you can show that it hasn’t – or couldn’t reasonably have – taken place. For example, if one of your employees accesses a customer’s personal health record without authorization, the Rule presumes that because the data was accessed, it has been “acquired,” and you must follow the breach notification provisions of the Rule. But you can overcome that presumption by establishing and enforcing a company policy that requires an employee who inadvertently accesses a health record not to read it or share it, to log out immediately, and to report the access to a supervisor right away. If the employee says he or she didn’t read or share the information and you conduct a reasonable investigation that corroborates the employee’s version of events, you may be able to overcome the presumption.

Consider another situation involving a lost laptop that contains personal health records. You could rebut the presumption of unauthorized acquisition if the laptop is recovered and forensic analysis shows that files were not opened, altered, transferred, or otherwise compromised.

Question 26

My company makes a fitness app, in which consumers input their height, weight, age, and other information. The app, which consumers can download from the app store, can sync with wearable fitness trackers. Some of our users use this syncing feature, but others don’t. Is my company required to comply with the FTC’s Rule?

Answer 26

You are likely a vendor of personal health records. Your app includes identifiable health information, such as information about your health, weight, and steps taken; that information can be drawn from multiple sources – the consumer’s inputs of height and weight and the information from the fitness tracker; and the user manages, shares, and controls the information in the app.

Question 27

Our business is in the “HIPAA business associate” category. Does the FTC’s Rule apply to us?

Answer 27

If your business acts solely as a “HIPAA business associate” – that is, if you handle only the protected health information of HIPAA-covered entities – the FTC’s Rule doesn’t apply. Nor does it apply to HIPAA-covered entities, like a hospital, doctor’s office, or health insurance company. If you are a HIPAA-covered entity or act only as a HIPAA business associate, your responsibilities are in the Health and Human Services (HHS) Breach Notification Rule.

The HHS Rule requires HIPAA-covered entities to notify people whose unsecured protected health information is breached. If you are a business associate of a HIPAA-covered entity and you experience a security breach, you must notify the HIPAA-covered entity you’re working with. Then they must notify the people affected by the breach.

Question 28

We’re a HIPAA business associate, but we also offer personal health record services to the public. Which Rule applies to us?

Answer 28

If your company is a HIPAA business associate that also offers personal health record services to the public, you may be subject to both the HHS and FTC Breach Notification Rules. For example, say you develop an app that people can download from an app store and upload their health information. Separately, you sign a HIPAA business associate agreement with an insurance company to maintain the electronic health records of its customers. In the case of a breach affecting all your users, both the FTC Rule and HHS Rule would apply. Under the FTC’s Rule, you must notify the people who use your app. In addition, you must notify the insurance company so it can notify its customers.

If you have a direct relationship with all the people affected by the breach – your customers and the customers of the insurance company – you should contract with the insurance company to notify both your clients and theirs. People are more likely to pay attention to a notice from a company they recognize.

Question 29

What’s the relationship between the FTC’s Health Breach Notification Rule and state breach notification laws?

Answer 29

The FTC’s Rule preempts contradictory state breach notification laws, but not those that impose additional – but non-contradictory – breach notification requirements. For example, some state laws require breach notices to include advice on monitoring credit reports or contact information for consumer reporting agencies. While these content requirements are different from the FTC Rule’s requirements, they’re not contradictory. In this example, you could comply with both federal and state requirements by including all the information in a single breach notice. The FTC Rule doesn’t require you to send separate breach notices to comply with state and federal law.

Question 30

What’s the penalty for violating the FTC’s Health Breach Notification Rule?

Answer 30

The FTC will treat each violation of the Rule as an unfair or deceptive act or practice in violation of a Federal Trade Commission regulation. Businesses that violate the Rule may be subject to a civil penalty of up to $43,792 per violation.

Question 31

Law enforcement officials have asked us to delay notifying people about the breach. What should we do?

Answer 31

If law enforcement officials determine that notifying people would impede a criminal investigation or damage national security, the Rule allows you to delay notifying them, as well as the FTC and, if required, the media.