Mobile health applications and similar technologies must notify customers following a data breach or risk violating the Federal Trade Commission’s (FTC) health breach notification rule (HBNR), part of a broad update approved by the agency.

Many providers of direct health services, such as hospitals and doctors, are required to protect personal information under the Health Insurance Portability and Accountability Act (HIPAA). The HBNR pertains to health entities not beholden to HIPAA, such as certain vendors of health records, and requires them to notify individuals about data incidents.

The FTC has applied the HBNR to mobile health applications, as its recent enforcement actions against GoodRx and Easy Healthcare show.

With GoodRx disputing the applicability of the HBNR to its practices, the FTC decided an update was in order to spell out that companies providing apps and other products through online services are subject to the rule.

The agency approved the update in a 3-2 vote, it announced in a press release Friday. The rule will go into effect 60 days after publication in the Federal Register.

“With the increasing use of health apps and connected devices, the updated HBNR will ensure it keeps pace with changes in the health marketplace,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in the release.

The update also expands the notification requirements for all the entities covered by the rule so that notices must include the names of any third parties who might have acquired the breached data.

Entities whose breaches involve 500 or more individuals must notify the FTC and those affected within 60 days after discovery.

The update clarified that a “breach of security” includes unauthorized acquisition of personal health data that occurs because of a breach or unauthorized disclosure. The update also allows entities to use email to notify individuals about a breach.

FTC Chair Lina Khan and Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya voted in favor of the update, while Commissioners Melissa Holyoak and Andrew Ferguson opposed.