In an increasingly digital and interconnected world, the privacy and security of personal information is a significant concern. Applications and connected devices collect a bevy of personal information from consumers, including sensitive information about consumers’ health. Because of the sensitivity of health information, the United States has developed a variety of legal protections and enforcement mechanisms regarding the privacy and security of health information, including state and federal law, regulations, and federal agency guidance. At times, these legal protections and enforcement mechanisms intersect, bringing the enforcement powers of multiple federal regulations and agencies to bear to protect the privacy and security of consumers’ health information.
On September 15, 2021, the Federal Trade Commission (“FTC”) released a policy statement addressing the scope of the FTC’s Health Breach Notification Rule with respect to applications and connected devices that collect health information. At first glance, the FTC’s Health Breach Notification Rule and the privacy provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) and its implementing regulations appear to operate in similar spaces, both regulating access to health information. However, HIPAA and the FTC Rule apply to different entities. HIPAA applies to covered entities and their business associates (e.g. health care providers that submit claims electronically, health plans, and health care clearinghouses, and third parties that provide services for or on behalf these types of organizations that generally require access to protected health information) and the FTC Rule applies to businesses not regulated by HIPAA. Therefore, while the regulations operate in similar spaces, the scope of the regulations differs.