Mobile Health Apps and Vendors of Health Records Beware! – the FTC has just started Enforcing the Breach Notification Rule.

• The FTC just enforced its Health Breach Notification Rule for the first time since the effective date 13 years ago!
• Vendors of Personal Health Records, and related entities, must comply with the FTC Health Breach Notification Rule.
• HIPAA covered entities and their business associates are, generally, excluded from compliance with the FTC Health Breach Notification Rule.

Subscribe to HERE to Legal HIE’s compliance library to gain access to sample policies, documents and tools to help you stay on top of the newest compliance challenges in 2023! 

Yesterday, the Federal Trade Commission (FTC) published a Press Release announcing that it has assessed a civil monetary penalty to the tune of $1.5 Million against GoodRx, a telehealth and prescription drug discount provider, for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies.  If this sounds somewhat eerily familiar, that’s because it is (see our recent blog post “Is Your Organization Ready for an OCR HIPAA Compliance Review re: Use of Online Tracking Technology).  However, GoodRx’s headaches are not stemming from HIPAA – rather, it’s the FTC’s first enforcement action under its Health Breach Notification Rule that has brought GoodRx’s chickens back home to roost.    

Never heard of the Health Breach Notification Rule?  Yea, well, you’re probably not alone. That is largely because even though the FTC published its Final Rule on August 24, 2009 and full compliance has been required since February 22, 2010, there has been no enforcement action taken against any entity for violation of said rule — until now.  At the core of its case, the FTC alleges that Good Rx violated the FTC Act (which, among other things, prohibits “unfair” consumer practices, like false advertising) by sharing sensitive personal information (for years and years…) with advertising companies and platforms (e.g., Facebook, Google) and then failed to report these unauthorized disclosures as required by the Health Breach Notification Rule. Let’s take a closer look at this lesser-known rule, who it applies to, and how it works.

First, it is important to point out that entities that fall within the Health Breach Notification Rule are (generally) not HIPAA covered entities or their business associates (although a “dual” role could be possible). Specifically, the Health Breach Notification Rule applies to just three types of entities, a: (1) Vendor of Personal Health Records, (2) PHR-related Entity, and (3) Third Party Service Provider. These terms are defined in the rule (see 16 CFR 318.2 et seq.) as follows:

• • 3. 1) “Vendor of Personal Health Records” means an entity, other than a HIPAA covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a “Personal Health Record” (I explain what qualifies as a “PHR” further below);
    8. 2) “PHR-related Entity” means an entity, other than a HIPAA covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that: 
    9. •   Offers products or services through the Web site of a Vendor of Personal Health Records;
       •   Offers products or services through the Web sites of HIPAA-covered entities that offer individuals Personal Health Records; or
       •   Accesses information in a Personal Health Record or sends information to a Personal Health Record.
       3) “Third Party Service Provider” means an entity that:Provides services to a Vendor of Personal Health Records in connection with the offering or maintenance of a Personal Health Record or to a PHR-related Entity in connection with a product or service offered by that entity;and

       Accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses “unsecured” “PHR-Identifiable Health Information” as a result of such services. [Note: “unsecured” uses the same standard as HIPAA (i.e. not protected through the use of a technology or methodology specified by the Secretary of HHS in its “Guidance to Render Unsecured PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals”].

    14. To determine whether an entity’s activities fall within one of the foregoing three types of entities, we need to now examine additional defined terms. First, what is a “Personal Health Record” (i.e., a PHR)?  The Health Breach Notification Rule defines a PHR as “an electronic record of ‘PHR-Identifiable Health Information’ on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.  “PHR-Identifiable Health Information” is then defined to mean ‘‘Individually Identifiable Health Information’’ (i.e., “IIHI”), as defined in §1171(6) of the Social Security Act (42 U.S.C. 1320d(6)), and, with respect to an individual, information: (a) That is provided by or on behalf of the individual; and (b) That identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.Under 42 U.S.C. 1320d(6), Individually Identifiable Health Information is defined as “any information, including demographic information collected from an individual, that –
        • is created or received by a health care provider, health plan, employer, or health care clearinghouse;

        and

        • relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

         

        Yes, these defined terms are dense and challenging to parse through. Even attempting to just try and determine whether an entity is covered by the Health Breach Notification Rule is not a simple endeavor. In fact, this might have been a contributing factor to GoodRx’s noncompliance.  Meaning that, perhaps GoodRx was not aware or was mistaken as to the applicability of the FTC’s Health Breach Notification Rule to them.  They might have further concluded that the way they were collecting information (e.g., direct from the consumer) did not make them a HIPAA Business Associate, and therefore they were not restricted by HIPAA in how they may then further use and disclose such information collected – including sharing it with Facebook and Google (although, the FTC did note that even if GoodRx is not a BA under HIPAA, because GoodRx “held out” in its Privacy Terms that it would adhere to HIPAA in how it uses and discloses individuals’ identifiable information, their failure to do so violated the FTC Act (i.e., was a deceptive consumer practice)).  Unfortunately for GoodRx, ignorance of the law is not a viable defense.

        As health care moves rapidly towards adopting FHIR standards for connectivity to EHRs, and health care apps are springing up like mushrooms after a summer rainstorm, this FTC enforcement action may have come at just the right time. The FTC held its seventh annual PrivacyCon this past November 2022, where leading researchers and thinkers in the field get together to present on and discuss the most pressing issues for consumer privacy and security.  During PrivacyCon 2020, the FTC specifically honed in on risks to consumer data, particularly data held by Health Apps. Since then, the FTC has sent a strong signal to Health Apps and similar companies that the FTC intends to monitor this space and begin enforcement.  In fact, on September 15, 2021, the FTC published a Policy Statement warning companies that companies that are not covered by HIPAA yet hold and handle health data will have their feet held to the fire for compliance with the Health Breach Notification Rule.  Now, the FTC has shown its enforcement teeth with assessing a massive number in civil monetary penalties against GoodRx.

        Consider yourself on full notice.