The Federal Trade Commission (FTC) has issued a final rule that will subject digital health companies to greater scrutiny when it comes to the use of personal health information. This move is a response to multiple enforcement actions and aims to ensure that these companies are held accountable for the protection of personal health information.
The Health Breach Notification Rule, as revised by the FTC, expands the definition of personally identifiable health data to cover both traditional health information, such as diagnoses, and emerging health data, such as location information and healthcare-related purchases. It also broadens the definition of healthcare services, a signal to companies that may not previously have considered themselves providers of such services, including wellness apps that passively track data for users.
While many digital health companies already offer privacy protections in their terms and conditions, a large share are not subject to the privacy and security regulations under HIPAA: they are not considered “covered entities” because they do not submit electronic claims for insurance billing purposes. With the new rule in place, these companies will have to comply with stricter requirements on the use and protection of personal health information.
An appendix to the rule provides examples of messages that companies can use to notify individuals of security breaches or improper disclosures as required by the rule. The rule will go into effect 60 days from its publication in the Federal Register, holding digital health companies more accountable for the protection of personal health information going forward.