By Janice L. Sperow
The pandemic changed how we work, how we shop, how we communicate, and how we “meet.” It changed our world’s “normal.”
Most significantly, it changed the healthcare industry, but not only with new vaccines and protocols. It revolutionized the way we maintain our health and wellness, as healthcare app development now shapes the future of medicine.
That, in turn, provides an opportunity for a new application for alternative dispute resolution—specifically, a recent Federal Trade Commission statement puts health-care industry managers on notice that they should institute dispute prevention steps and protocols to avoid potentially costly civil penalties as their products face closer federal scrutiny.
Spurred by rapid significant advances in mobile technology, artificial intelligence, and the internet of things, medical apps have accelerated at an unprecedented rate. Even before the pandemic’s uptick in the use of healthcare mobility tools, the Physicians Practice medical publication conducted a mobile health survey in 2018 and found that more than 75% of respondents used some form of mobile health solutions on a weekly basis.
Since the pandemic, the use of mobile applications in healthcare, MedTech (see www.medtech.org), and eHealth has skyrocketed. A $21.3 billion market in 2017, the global mobile health market is anticipated to reach $151 billion by 2025. See, e.g., Grand View Research, mHealth Apps Market Size, Share & Trends Analysis Report By Type (Fitness, Medical), By Region (North America, APAC, Europe, MEA, Latin America), And Segment Forecasts, 2021–2028 (February 2021) (available at https://bit.ly/2Zqo5bR).
The U.S. Food and Drug Administration defines a health app as mobile software that diagnoses, tracks, or treats disease. A wellness app uses mobile software to enhance or track overall user health. Such apps can and do address every facet of life that affects wellness, from mental, physical, social, environmental, nutritional, and behavioral factors to even spiritual ones.
In response to the market’s growth, the Federal Trade Commission issued its “Statement of the Commission on Breaches by Health Apps and Other Connected Devices” (Sept. 15) (available at https://bit.ly/3bgLv63). The Statement stresses the FTC’s commitment to protecting private medical and health information entered into these apps and devices, and explains the FTC’s Health Breach Notification Rule in more detail. (The Rule is available at https://bit.ly/3nFzkpk.) The Statement unequivocally declares the Rule’s scope and the FTC’s intention to enforce the Rule.
The FTC’s Health Breach Notification Rule has been in effect since 2009, when the American Recovery and Reinvestment Act of 2009 (text at https://bit.ly/3pGHtMy) became effective. The Rule addresses the security of personal health records, or PHR, defined to include an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. See 16 C.F.R. § 318.2(d).
“PHR identifiable health information” includes “individually identifiable health information,” as defined in section 1171(6) of the Social Security Act. See 42 U.S.C. 1320d-6. It also includes individual information provided by or on behalf of the individual that actually identifies or reasonably can be used to identify the individual. See 16 C.F.R. § 318.2(e) (“reasonable basis to believe that the information can be used to identify the individual”).
The Rule applies to (1) vendors of personal health records; (2) PHR-related entities that interact with vendors of PHRs or HIPAA-covered entities by offering products or services through their sites; (3) PHR-related entities that access information from or send information to a PHR; (4) PHR-related entities that process unsecured PHR identifiable health information as part of providing their services; and (5) third-party service providers for PHR vendors.
The Rule does not apply to HIPAA-covered entities or any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.
Under the Rule, vendors of PHRs and PHR-related entities must report a “breach of security” involving PHRs to the FTC, to the affected consumers, and in some cases to the media. Service providers that process information for PHR vendors and PHR-related entities also have a duty to notify their business customers of a security breach.
Typically, these service providers handle data storage or billing as a third-party provider. The Rule defines a “breach of security” as the acquisition of unsecured PHR identifiable health information without the individual’s authorization.
Upon discovering a security breach, the entity must notify the required recipients within 60 days; but it must alert the FTC within 10 business days if the breach involves more than 500 individuals. Noncomplying entities face civil penalties of $43,792 per violation per day.
The FTC’s new Statement clarifies the Rule’s scope and application. It explains that the Rule covers PHR vendors that hold individually identifiable health information created or received by health care providers. The Statement then specifies that health app and connected-device developers qualify as “health care providers” under the Rule because they “furnish health care services or supplies.”
Consequently, the Rule’s protections encompass any personally identifiable information developers create or receive that relates to the past, present, or future physical or mental condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for healthcare to an individual.
The Statement also emphasized that an electronic health record must draw information from multiple sources and be managed, shared, or controlled by or primarily for the individual before the FTC will consider it to be a PHR under the Rule.
The Statement, however, interprets “multiple sources” liberally to include other, non-health-related information. An electronic health record can draw information “from multiple sources” in the context of a health app, for example, through a combination of consumer inputs and application programming interfaces.
Hence, the Rule would apply to an app if it collects information directly from consumers and can technically draw information through an application programming interface that enables syncing with a consumer’s fitness tracker or phone, even if only one source provided the health information. For example, the Rule would cover a blood sugar monitoring app that collects health information only from the user’s blood sugar levels if it then uses non-health information from the user’s phone, such as date, time, or percentage figures.
The Statement also warns entities that the Rule does not limit a “breach of security” to cybersecurity intrusions, illegal behavior, or ill-intentioned activities. Rather, any unauthorized access will trigger the Rule’s notification duties, much like under HIPAA. Thus, a health app developer faces a reportable breach of security if it accidentally discloses private health information to a third party without the individual’s consent.
Rule Enforcement Change
In addition to clarifying the Rule’s scope, the FTC’s new Statement also signaled an enforcement sea change. Even though the Rule was enacted more than a decade ago, the FTC has not enforced it once since 2009.
The FTC admitted that it has not used the Rule. The Statement cautioned, however, that the FTC considers the Rule’s notification duties critical now in light of the surge in health apps and connected devices. The Statement explicitly declares the FTC’s intent to notify entities of their continuing obligation to publicize breaches under the Rule.
The Statement’s message is unequivocal: the FTC will enforce the Rule and its notice requirements from now on.
A Dispute Prevention Opportunity
Instead of filing the FTC’s Statement under “more bad news,” healthcare managers should treat it as a new opportunity to prevent future disputes. The FTC Statement serves as a warning, affording the healthcare industry some time to implement strategies to protect itself from class actions, mass claims arbitration, and other costly disputes. By taking the warning seriously, the industry can assess and then minimize its risk.
The bottom line: Healthcare and wellness app developers should assess the Rule’s application to their services and the adequacy of their current security measures in order to prevent triggering the Rule’s notification provisions or even the possibility of a noncompliance finding.
They can then breathe a sigh of relief if the current measures adequately protect the business or, if they do not, implement new measures now to upgrade them. Either way, the FTC has handed the healthcare industry an opportunity to prevent costly future risk.
* * *
The author is a full-time neutral, arbitrator, mediator, dispute prevention facilitator, and Hearing Officer specializing in mass claims, healthcare, technology, employment, and all commercial matters. She works on domestic and international matters, and is based in La Mesa, Calif.