Blog

FTC Requires That Health Apps Must Notify Customers About Data Breaches

News & PR
September 23, 2021
The FTC warned the organizations behind apps and devices that collect personal health information that they must alert their customers if their data is breached or shared without their permission.

FTC requires that Health Apps must make customers aware of data breaches and incidents

In a policy statement, the Federal Trade Commission affirmed that health apps and connected devices that collect or use consumers health information must comply with the Breach Notification Rule, which requires that they alert individuals whose personal health information was involved in a breach. Under the rules requirements, vendors of personal health records and PHR related entities must notify consumers and the FTC, and in some cases the media, if there has been a breach of unsecured identifiable health information or face civil penalties. 

It is worth repeating that a breach is not merely limited to an intrusive attack, but can also include unauthorized access and sharing information without the data owners authorization.

In their statement, the FTC took note that these apps are able to track everything from glucose levels, physical activity, sleep, and even fertility are increasingly collecting sensitive data from consumers, and so have the duty to ensure that the data that they collect remains secure. According to FTC chair Lina Khan:

“Digital apps are routinely caught playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches,” said Khan in a statement, who pointed to a study published  by the British Medical Journal that discovered many health apps were using insecure transmissions of personal data as well as engaging in unauthorized sharing of data with advertisers.

To Date

These apps have been living in a wild-west with few laws and regulations affecting them, at least in the United States due to the lack of a federal privacy law. The relative lack of an emphasis on privacy and security of records has fed into low consumer confidence in their privacy. 

To all those health apps, we can’t say that we didn’t warn you. In our article describing what is and isn’t PHI, we noted that:

So if you are a startup developing an app, and you are trying to decide whether your software needs to be HIPAA Compliant, the general rule of thumb is this: If the product that you are developing transmits health information that can be used to personally identify an individual and that information will be used by a covered entity (medical staff, hospital, or insurance company), then that information is considered PHI and your organization is subject to HIPAA. If you have no plans on sharing this data with a covered entity, then you do not need to worry about HIPAA compliance - yet. 

While those organizations do not find themselves under the crosshairs of HIPAA or a broader data privacy rule, it is safe to assume that if they haven’t already, they should begin to treat these personal health records that they collect as carefully as Covered Entities and Business Associates do. 

More from the Blog

GenixTec has achieved HIPAA Compliance with Accountable
Compliant Tools

GenixTec has achieved HIPAA Compliance with Accountable

HIPAA and Workforce Training
HIPAA

HIPAA and Workforce Training

Understanding HIPAA Certification
HIPAA

Understanding HIPAA Certification

Is Google Docs HIPAA Compliant?
Compliant Tools

Is Google Docs HIPAA Compliant?

Is Calendly HIPAA Compliant?
Compliant Tools

Is Calendly HIPAA Compliant?

Is Google Sheets HIPAA Compliant?

Is Google Sheets HIPAA Compliant?

Is iCloud HIPAA Compliant?
Compliant Tools

Is iCloud HIPAA Compliant?

President Biden Looks to Boost Cybersecurity at U.S. Ports
Data Security

President Biden Looks to Boost Cybersecurity at U.S. Ports

Get Started
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Ready to chat?

See how some of the fastest growing companies use Accountable to build trust through privacy and compliance.
Trusted by
Accountable Compliance Management Logo

We make it easy to get your own HIPAA Certification and build trust with your customers and patients.

Product
PlaybooksHow it worksProductPricingWatch DemoSeal of ComplianceGet Support
Solutions
HIPAAGDPR
Resources
BlogHIPAA TrainingHIPAA Risk AnalysisGDPR Risk Analysis
Company
AboutCareersSupportContact UsPrivacy CenterProduct Updates
Account
Sign InForgot Password

"Accountable allowed us to quickly establish Core Compliance with HIPAA as well as a firm foundation for our Security Program." - Michael H.

© 2024 Accountable HQ, Inc.
SitemapTerms of ServicePrivacy Policy