Apps & wearables now included in Health Breach Notification Rule: What you need to know
Posted: May 25, 2024
Consumers are fascinated with minute-by-minute health tracking. We love to track our heart rhythms and rates, oxygen levels, gait dynamics, steps, and other biometrics. We track mood, fertility cycles, and exercise stats.
Advances in wearables technologies have also enabled more effective diagnosis and real-time management of chronic diseases, like diabetes and heart disease.
The rise of wearable health tracking devices and health-focused apps reflects these benefits and consumer fascination. Regulators seem equally fascinated, as recent investigations and penalties, along with subsequent updates to requirements, demonstrate.
In part, regulator concerns about wearables stem from gaps in the coverage of healthcare-specific regulation over these apps and devices.
On the one hand, wearables collect, combine, analyze, and present health data, sometimes very sensitive health data.
On the other hand, the makers of many of these apps and wearables fall outside the HIPAA covered-entity trifecta of healthcare provider, health plan (payer), and clearinghouse, so HIPAA does not apply to them.
A brief history of the FTC and Health Breach Notification Rule
Enter the Health Breach Notification Rule (HBNR), which imposes breach notification requirements on entities that work with health data but are not covered by HIPAA. Because the FTC enforces the HBNR alongside Section 5 of the FTC Act, which prohibits unfair and deceptive practices, the HBNR gives the FTC a second tool for combating misuse of non-HIPAA health data.
In fact, a timeline of FTC enforcement and statements, along with a recent update to the HBNR, shows a steady and systematic FTC positioning to take on health data handling by non-HIPAA entities, like health tracking app and wearables developers.
This evolution started in 2021, when the FTC announced an enforcement action against Flo Health, a provider of a period and ovulation tracking app. The FTC alleged that Flo Health had transferred sensitive health information, without consumers' knowledge or consent, to third-party advertising and analytics companies, including Google and Facebook.
Soon after this action, the FTC issued a policy statement warning companies that it intended to enforce the Health Breach Notification Rule, which had been on the books since 2009 but had never been actively enforced. Notably, the same statement clarified that health apps and connected devices, including wearables, can fall under the HBNR.
Two more recent FTC investigations highlight continued regulatory focus on enforcing the FTC Act and the HBNR against these types of products and services. In February 2023, the Department of Justice filed a proposed order on behalf of the FTC against GoodRx, after the FTC found that the discount prescription provider had shared users' health information with Facebook and Google for advertising purposes. GoodRx agreed to pay a $1.5 million civil penalty in the first enforcement action brought under the HBNR. In May 2023, Easy Healthcare, maker of the Premom fertility app, faced a similar set of findings and a $100,000 civil penalty.
Recent updates to HBNR
Perhaps even more importantly, in April 2024 the FTC finalized updates to the HBNR. Among other changes, the modernized Rule makes clear that providers of health apps and similar online services must comply with it, and clarifies that a "breach of security" includes unauthorized disclosures of identifiable health information (for example, sharing with third parties without consumers' authorization), not only cybersecurity intrusions.
The changes also expand the content that must be included in the notice to consumers and change the timing of notice to the FTC. For breaches involving 500 or more individuals, notice to the FTC is now due at the same time as notice to affected consumers, and in any case no later than 60 calendar days after the breach is discovered, replacing the previous 10-business-day deadline.
Along with these changes, in a press release, FTC Bureau of Consumer Protection Director Samuel Levine underscored, “With the increasing use of health apps and connected devices, the updated HBNR will ensure it keeps pace with changes in the health marketplace.”
Given this timeline of developments, the FTC clearly regards health tracking app and wearable device providers as accountable for their privacy practices, especially around incident response and sharing with third parties.
What does this mean for health tracking apps and wearable device providers?
Any non-HIPAA organization that provides these devices and services should take careful measure of its exposure and act quickly on any risks it finds. Specifically, it may be useful to:
- Determine applicability of the HBNR. As noted, multiple FTC statements and actions underscore that health apps, trackers, and wearables may fall under the HBNR. The updated HBNR makes applicability even clearer: it covers vendors of personal health records (PHRs), which now expressly include health apps and similar online services, as well as "PHR related entities" that offer products or services through a PHR vendor's online service or that access or send unsecured PHR identifiable health information to a personal health record. Note the scope of that last category: it is limited to entities handling identifiable health information, not entities that merely access or send any information to a personal health record.
- Carefully document data flows, including flows to online ad networks and analytics providers. Sharing through advertising SDKs, tracking pixels, and analytics integrations is easy to miss in a data flow analysis, but FTC enforcement has treated sharing with online advertising companies as at least as much of a concern as offline or direct information sharing.
- Compare privacy notice assertions with actual practices. Review privacy notices, just-in-time promises related to personal data, and the end-to-end data collection and presentation experience to identify every promise made, implicitly as well as explicitly. If HIPAA does not apply, treat any assertion of HIPAA compliance in notices or marketing with suspicion; such a claim can itself be a deceptive statement. Confirm that stated data sharing declarations match what the product actually does, considering online as well as offline practices, including third-party advertising cookies and SDKs that regulators may treat as "sharing."
- Review incident response policies and procedures with the revised HBNR in mind. Among other updates, it may be necessary to reference the HBNR in policy documents, update the required content and timing of notices to consumers and to the FTC, and update the permitted notice mechanisms (the revised Rule allows electronic notice, such as email, under defined conditions).
- Train developers and marketers on privacy matters. At a minimum, give these groups visibility into the limits on health data sharing, including online sharing through ad and analytics integrations. Require privacy team involvement in any future plans to monetize health data.
These FTC enforcement actions and HBNR updates are an evolution spanning years rather than a revolution of a few months, and together they represent a consistent regulatory approach to protecting non-HIPAA health data.
If there were previously any doubts that providers of health trackers, apps, and wearable devices must take privacy seriously, be cautious about the promises they make, and carefully consider their approach to data sharing, there are none now.