Complying with the FTC’s Health Breach Notification Rule, January 2022.
Introduction
“As more consumers use health apps and connected devices like fitness trackers, information about our health is increasingly collected and shared online. For most hospitals, doctors’ offices, and insurance companies, the Health Insurance Portability and Accountability Act (HIPAA) governs the privacy and security of health records stored online. But many companies that collect people’s health information – whether it’s a fitness tracker, a diet app, a connected blood pressure cuff, or something else – aren’t covered by HIPAA. Does that mean this sensitive health information doesn’t have any legal protections? Not at all.
“The Federal Trade Commission (FTC), the nation’s consumer protection agency, enforces Section 5 of the FTC Act, which prohibits companies from misleading consumers or engaging in unfair practices that harm consumers. In addition, the FTC enforces the Health Breach Notification Rule (16 CFR Part 318), which requires certain organizations (both businesses and nonprofits) not covered by HIPAA to notify their customers, the FTC, and, in some cases, the media, if there’s a breach of unsecured, individually identifiable health information. An FTC Policy Statement makes clear that makers of health apps, connected devices, and similar products must comply with the Rule.
“Is your business covered by the Health Breach Notification Rule? Do you know your legal obligations if you experience a security breach?”
This document is accessible at: https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0