As we start 2022, as part of our Spotlight series, we connect with Reece Hirsch, the co-head of Morgan Lewis’s privacy and cybersecurity practice, to discuss the recent policy statement issued by the US Federal Trade Commission regarding the Health Breach Notification Rule and how it applies to health app developers that handle consumers’ sensitive health information. Our Tech & Sourcing @ Morgan Lewis blog also published a summary of the policy statement.

Since the FTC policy statement was issued in September, what kind of measures should organizations take to ensure their compliance with the Health Breach Notification Rule?

Mobile health apps and other digital health companies should review the Health Breach Notification Rule and confirm whether it applies to their business as a personal health record vendor or PHR-related entity. The policy statement indicates that the FTC appears to be taking an expansive view of those definitions. The statement also reflects the agency’s awareness that often sensitive medical information is being maintained and transmitted by entities that are not covered entities or business associates subject to HIPAA. If you conclude that the Health Breach Notification Rule applies to your business, then your security incident response plan should be updated to reflect the Rule’s requirements, and the FTC standards should be incorporated into any tabletop exercises that are conducted.

Do you anticipate greater enforcement of the Health Breach Notification Rule following the policy statement?

The FTC had received some criticism for failing to enforce or provide guidance regarding the Health Breach Notification Rule for more than 10 years after its issuance. Now that the FTC policy statement has refocused attention on the Rule, I would expect to see some enforcement action to put mobile health app developers on notice regarding these breach notification requirements.

What are some of the biggest challenges that organizations face in light of this policy statement?

The Health Breach Notification Rule highlights the bifurcated nature of privacy regulation for many digital health companies. Mobile health apps and other digital health products are typically governed by HIPAA privacy principles when they are offered through health plans, hospitals or other HIPAA covered entities. However, when the same sorts of products are offered directly to consumers, they may instead be regulated under FTC privacy principles, including the Health Breach Notification Rule. The FTC’s policy statement makes clear that robust, healthcare-specific breach notification rules apply to companies regardless of whether they are governed by HIPAA or FTC rules.

We thank Reece for sharing his insights regarding the FTC policy statement and its application to health app developers. Reece counsels clients on a wide range of US privacy issues, specializing in healthcare privacy and digital health. Reece counsels clients on the development of privacy policies, procedures, and compliance programs, security incident planning and response, as well as online, mobile app, and Internet of Things privacy.