FTC Issues Policy Statement Clarifying Data Privacy Obligations for Digital Health  

By Jennifer K. Wagner


On September 15, 2021, the Federal Trade Commission (FTC) issued a Policy Statement “On Breaches by Health Apps and Other Connected Devices,” the most recent step the FTC has taken to signal its interest in curbing abusive data practices and ensuring appropriate consumer protections for digital health. The statement was approved by a 3-2 vote of the commissioners during an open commission meeting.


The focus of the statement is the Health Breach Notification Rule (HBN Rule), which, as we reported in May 2020, was undergoing the FTC’s 10-year regulatory review. Only 26 comments were submitted during the 90-day public comment period. Among them, the American Medical Informatics Association (AMIA) criticized the HBN Rule as “structurally flawed” and recommended that the FTC take the opportunity to develop guidance clarifying the scope of identifiable health information in a personal health record (PHR) and ultimately “reorient” the HBN Rule so that it better fits the ever-changing digital health industry. The Healthcare Information and Management Systems Society (HIMSS) and the Personal Connected Health Alliance (PCHAlliance) submitted joint comments describing the HBN Rule as “a critical piece in a broader, overarching health data privacy regulatory system” but also calling on the FTC to modernize its terminology to suit today’s digital health environment. The CARIN Alliance expressed its continued support for the HBN Rule, while the Connected Health Initiative suggested that broader legislative reform of data privacy law was needed. It appears that only one state Attorney General submitted public comments: then California Attorney General Xavier Becerra, who now serves as Secretary of the Department of Health and Human Services. In those comments, Becerra called upon the FTC to “align” the HBN Rule with the HIPAA Breach Notification Rule, underscoring that tighter alignment “benefits consumers and serves Congress’s intent.”


The FTC policy statement issued this month was accompanied by comments or remarks by each of the commissioners. Commissioners Wilson and Phillips each filed dissenting statements criticizing the approach taken, with Wilson framing the statement not as a clarification but as an expansion of the HBN Rule and Phillips claiming the majority is “reimagining” the scope and, in effect, circumventing “two ongoing rulemaking processes.” FTC Chair Khan’s remarks responded to the dissents and indicated the policy statement is “consistent with—and, in fact, serves to clarify—the FTC’s earlier guidance” on the HBN Rule. Commissioner Chopra’s statement called attention to the failures of predecessors on the Commission to enforce the HBN Rule and confirmed that the FTC has “not collected a single penny in penalties” for consumer data breaches. In Commissioner Slaughter’s prepared remarks, she reminded everyone that the policy statement does not change the underlying law for the HBN Rule and made a bold closing, calling for the FTC to “lead a market shift towards data minimalism.”


The substance of the FTC Policy Statement is straightforward. First, a health app or connected device that is capable of drawing identifiable health information from multiple sources (for example, by combining user-entered data with data pulled from another service through an API, an application programming interface) is a “personal health record” covered by the rule, and its developer is a vendor of PHRs subject to the rule’s notification duties. Second, a “breach” that triggers the required notifications is any unauthorized acquisition of an individual’s identifiable health information, not merely a malicious intrusion; under the statement, an app that shares covered information with a third party without the user’s authorization has experienced a breach just as surely as one whose database was hacked. Third, violations of the HBN Rule are punishable by civil penalties of up to $43,792 per violation per day. The Policy Statement also points developers to the FTC’s Best Practices for Mobile Health App Developers and to the interactive tool, issued in 2016, that helps mobile health app developers determine which federal laws apply to their products.


In the months and years ahead, we expect increasing FTC attention to digital health technologies. While the June 25, 2021 Supreme Court decision in TransUnion LLC v. Ramirez may have made the FTC’s consumer protection role somewhat trickier to fulfill, the digital health sector is an obvious target for more stringent enforcement of cybersecurity and privacy measures for apps and platforms, as well as for closer scrutiny of mergers and acquisitions, data engineering practices, and health claims under the FTC Act’s competition, unfairness, and deception authorities. Additionally, with President Biden’s nomination of Alvaro Bedoya to replace Commissioner Chopra at the FTC and increasing pressure from senators for new consumer data privacy rulemaking, all signs point toward the FTC taking a more aggressive approach to ensuring fairness in digital health.



Jennifer K. Wagner, J.D., Ph.D., is a solo practicing attorney and an assistant professor of law, policy & engineering at Pennsylvania State University. She is a former contributing editor of the Genomics Law Report and has published scholarly articles in prominent legal and scientific journals, including the Journal of Law & Biosciences; Journal of Law, Medicine, & Ethics; Albany Law Journal of Science & Technology; Virginia Sports and Entertainment Law Journal; North Carolina Journal of Law and Technology; Nature Communications; Nature Medicine; American Journal of Human Genetics; Genetics in Medicine; and PLOS Genetics. She served as an AAAS Congressional Fellow in a U.S. Senator’s office in 2014-2015, and her work has been cited by the Supreme Court of the United States. You may follow her on Twitter as @DNAlawyer. Views expressed are her own. Dr. Wagner discloses that she has related research on Consumer Protections for Genomics & Precision Health funded by NHGRI Grant No. R01HG0011051.

About: PBA Cybersecurity and Data Privacy

The Pennsylvania Cybersecurity and Data Privacy Committee analyzes cybersecurity issues and educates PBA members about legal, regulatory and industry standards that preserve the confidentiality of protected information.