The Federal Trade Commission (FTC) recently received feedback from the College of Healthcare Information Management Executives (CHIME) regarding its Advance Notice of Proposed Rulemaking (ANPR) on the Trade Regulation Rule on Commercial Surveillance and Data Security. In this feedback, CHIME encouraged the FTC to hold health apps and data brokers accountable for criminal disclosures of health data and deceptive or misleading data practices.
On August 22, 2022, the ANPR was published in the Federal Register, asking stakeholders in the healthcare sector whether the FTC should introduce new trade regulation rules or other regulatory alternatives to address improper or deceptive handling of sensitive data by companies. CHIME voiced its support for the FTC’s suggested measures in response to the prevalence of commercial surveillance and data practices that are harmful to consumers, particularly with regard to health information, given the extent to which mobile devices and health applications are now used to gather, process, and transfer health data. Since mobile applications are typically not covered by HIPAA, the information gathered, used, and shared through those apps is not protected by the HIPAA Privacy and Security Rules. As a result, the health information they collect is frequently sold to data brokers.
In its September 2021 Policy Statement On Breaches by Health Apps and Other Connected Devices, the FTC clarified its jurisdiction under the HIPAA Breach Notification Rule, stating that vendors of personal medical records and related entities are obligated to notify consumers and the FTC of unauthorized breaches of improperly secured identifiable health information. CHIME commended the FTC’s measures aimed at safeguarding consumer health information. However, numerous Americans remain unaware of when their health information is and isn’t covered by HIPAA, for example when medical information is gathered through health applications. In order to make future legislation effective, CHIME has urged that consumers be given clear information about how their data is being utilized, monetized, and safeguarded.
In addition, CHIME has encouraged the FTC to penalize health record vendors and related entities that do not adhere to the requirements of the Breach Notification Rule, that fail to adequately secure the data they handle, or that otherwise disregard the law. CHIME has also urged the FTC to ensure that consumers are fully aware of how their personal data is being used before they adopt a company’s technology, and has offered a number of questions regarding health applications that should be taken into account in subsequent rulemaking.