The Federal Trade Commission has recently adopted an aggressive approach to regulating mobile health app companies’ data security and retention policies. We can glean much useful information from the FTC’s enforcement actions to inform data security, privacy, and retention policies for health information and other types of data.
The FTC’s Toolbox
The FTC has two significant tools in its arsenal regarding data retention and security. The first is the 2009 Health Breach Notification Rule. This Rule seeks to cover the gaps left by HIPAA, which only regulates health plans, health care providers that conduct transactions electronically, and health care clearinghouses. In its 2024 update of the Rule, the FTC clarified its scope regarding both covered information and entities.
The Rule requires vendors of personal health records (PHRs), related entities, and third-party service providers to notify customers, the FTC, and sometimes the media, when breaches occur.
PHRs are records of an individual’s identifiable health information that can be drawn from multiple sources. The Rule only applies to information that is unsecured, meaning information that is neither encrypted nor destroyed. Companies covered by the Rule include health app producers but also companies that produce related accessories such as fitness trackers. Companies that provide services such as billing or data storage to PHR vendors also qualify.
In addition to the Rule, the FTC is guided by Section 5 of the Federal Trade Commission Act, which prohibits deceptive or unfair practices that affect commerce. As this language suggests, the FTC applies the Act quite broadly with respect to health data.
Lessons from Recent FTC Actions and Guidance
In business guidance published in 2023, the FTC emphasized how extensive the umbrella of health information truly is. The Commission confirmed any data conveying information or that even “enables an inference” about consumers’ health qualifies. For example, a consumer’s mere use of a fertility or mental health app produces health information. In separate guidance, the FTC also highlighted that location data can provide insight beyond a person’s whereabouts like other sensitive information, such as health data. The FTC recommends companies “take a broad view of what constitutes health data and protect it accordingly” to avoid running into trouble. The FTC further explained that security breaches do not refer only to malicious attacks but also to instances where companies share consumer data with other parties who have not been disclosed in their privacy notice.
Privacy policies were another major target for the FTC. In a complaint against the mental health app Cerebral, the FTC alleged that Cerebral used unfair or deceptive practices under Section 5 by sharing customer data with third parties like LinkedIn and TikTok. Cerebral’s privacy policy promised customer data would only be used internally, barring customer consent to do otherwise.
In a similar case, the FTC took action against online alcohol addiction treatment service Monument, Inc., alleging that the company disclosed users’ information after promising to keep it completely confidential. The FTC provided several takeaways from these cases. First, privacy and security representations in company policies are in fact product claims that must be substantiated. Secondly, the Rule applies to omissions, meaning that companies must disclose all material facts about their use of consumer data.
Moving Forward
Companies who collect or process data should be aware of the broad definitions of both covered entities and of what constitutes health data under the Health Breach Notification Rule. The Rule’s limitation to unsecured information also reinforces the importance of encrypting data diligently.
These days almost every company has a privacy policy, either by choice or by requirement. The FTC’s recent actions make it even clearer that privacy policies must be carefully crafted and specific about privacy and security procedures. Companies should review their policies to make sure that they don’t overpromise or under-include relevant activities related to collecting, processing, and sharing personal health records.
Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.