The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

CHIME Urges FTC to Stringently Enforce Health Breach Notification Rule

The College of Healthcare Information Management Executives (CHIME) has recently provided feedback to the Federal Trade Commission (FTC) on its Advance Notice of Proposed Rulemaking (ANPR) on the Trade Regulation Rule on Commercial Surveillance and Data Security and has urged the FTC to hold health apps and data brokers accountable for illegal disclosures of health data and unfair or deceptive data practices.

The ANPR was published in the Federal Register on August 22, 2022, with comment sought from healthcare industry stakeholders, specifically “on whether [the Commission] should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies collect, aggregate, protect, use, analyze, and retain consumer data, as well as transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.”

CHIME expressed broad support for the measures proposed by the FTC in response to the prevalence of commercial surveillance and data practices that are harming consumers, especially with respect to health data due to the extent to which mobile devices and health apps are now being used to collect, process, and transmit health data. Mobile apps are generally not covered by HIPAA, so the data collected, processed, and shared through those apps is not subject to the protections of the HIPAA Privacy and Security Rules, and the health data collected is often sold to data brokers.

CHIME praised the FTC’s efforts to protect consumer health information and its clarification of its authority under the Health Breach Notification Rule – provided in its September 2021 Policy Statement On Breaches by Health Apps and Other Connected Devices – that vendors of personal health records (PHRs) and related entities are required to notify consumers and the FTC of breaches of unsecured identifiable health information, and that civil penalties may be pursued for violations.


Clarification was needed because the Health Breach Notification Rule was issued more than a decade ago and has never been enforced by the FTC, which matters given the extent to which health data is now held by entities that are not required to comply with HIPAA. CHIME cited an IQVIA Institute for Human Data Science estimate that there are now around 350,000 publicly available health apps and suggested that the amount of health data stored or transmitted by these apps could now exceed the amount held by HIPAA-covered entities.

“CHIME is broadly supportive of new trade regulation rules to utilize the FTC’s existing authority to protect consumers – we are strongly encouraging the FTC to push further into this space by utilizing and enforcing the clear, concise, and existing authority under the Health Breach Notification Rule to hold non-HIPAA covered third-parties (i.e., vendors of PHR and PHR-related entities) responsible when they illegally disclose – intentionally or not – covered information.” CHIME believes enforcement actions by the FTC will help to make consumers’ health data more secure and will encourage businesses with PHRs and PHR-related entities to strengthen their data security practices.

The FTC has confirmed that the Health Breach Notification Rule does not apply to HIPAA-covered entities and entities that act solely as HIPAA-business associates, but CHIME said its “members would appreciate clarification regarding the intersection of the potential future proposed rule regarding “Commercial Surveillance and Data Security”, the FTC’s existing authority under the Health Breach Notification Rule, and data held by HIPAA covered entities (CEs) which does not fall under HIPAA (i.e. de-identified data).”

Many Americans are unsure about when health information is protected under HIPAA and when their health information is not, such as when health data is collected through health apps. CHIME has called for “clear, transparent communication to consumers about how their data is being used, monetized, and secured,” and stresses this will be critical in future rulemaking.

CHIME believes it is now time for the FTC to take action against vendors of PHRs and PHR-related entities that have lax data security or are blatantly disregarding the law, and for notices and penalties to be issued under the existing authority granted to the FTC by the Health Breach Notification Rule. CHIME has also called on the FTC to do more to prevent data breaches and the sale of consumer health data before they happen, by enforcing real-world, stringent privacy and security protections on companies to better protect consumer data.

CHIME also recommends that the FTC ensure consumers understand exactly how their data will be used before they use any company’s technology, and suggested questions that should be asked of health apps, which it said should be considered in future rulemaking.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
