In testimony to a Congressional subcommittee last week, FTC Bureau of Consumer Protection Director Jessica Rich explained the Commission’s efforts to protect consumers’ health data and repeated the Commission’s request for additional authority to go even further. Bureau Director Rich began by noting the proliferation of consumer-directed health products, such as websites, wearable technology, and communications portals – many of which are not subject to the Health Insurance Portability and Accountability Act (HIPAA). They are within the FTC’s jurisdiction, however, and the agency is concerned about the safekeeping of the massive amounts of consumer health information generated by these platforms. She explained how the Commission has thus far addressed health privacy and data security issues through enforcement, policy initiatives, and education.

The Commission could be even more effective in deterring unfair and deceptive practices, she asserted, if Congress would pass legislation that would strengthen the Commission’s existing data security authority and expand the breach notification requirements to include a broader range of entities, such as health websites or online newsletters, which are not covered by current rules. In addition, Bureau Director Rich called for Congress to expand the FTC’s civil penalty authority, jurisdiction over non-profits, and rulemaking authority under the Administrative Procedure Act.

All in all, Bureau Director Rich’s testimony was consistent with the Commission’s approach of continually assessing new developments and emerging trends and threats in the privacy area, and with the soon-departing Commissioner Brill’s remarks from February 2016, when she stated that “Neither new technologies nor small companies get a pass under the FTC Act.  So, trying to ‘fly under the radar’ as a small company is not a strategy that I recommend.”