On Wednesday, the Federal Trade Commission approved a policy statement reminding developers of health apps and connected devices that collect health-related data that they are bound by a decade-old data breach notification regulation.
The statement reflects Chair Lina Khan’s push for more aggressive enforcement against the technology sector. Khan signalled that closer scrutiny of the data ecosystems built around such apps and devices may be on the way.
The FTC issued the Health Breach Notification Rule in 2009 after the American Recovery and Reinvestment Act tasked it with studying and developing safeguards for health information. The rule exists to compel vendors that fall outside existing medical privacy law, such as the Health Insurance Portability and Accountability Act (HIPAA), to notify affected users, the agency, and in some cases the media when health information is breached.
Since the rule took effect, mobile apps that track everything from menstruation and fertility to mental health have proliferated, and the number of connected devices that collect health-related data, such as fitness trackers, has grown sharply.
In March, a group of prominent lawmakers wrote to the FTC urging it to enforce the Health Breach Notification Rule against mobile apps that leak data. The letter cited a Wall Street Journal report that Flo Period & Ovulation Tracker, a widely used fertility-tracking app, had shared sensitive user data with third parties.
The FTC finalized a settlement with the app’s developer in June that requires the company to obtain users’ consent before sharing their health information and to undergo an independent review of its privacy practices.
Last year the agency opened a review of the rule, and it had earlier issued guidance advising developers of health-tracking apps to assess whether their products fall within the rule’s scope. The new policy statement warns that failure to comply could result in “fines of up to $43,792 per breach per day.”