
Important Update: FTC Clarifies Health Breach Notification Rule: Healthcare Apps and Vendors Are Included

By Susan Walberg, JD MPA CHC

As I have written in previous articles about HIPAA and health-tech, many apps in the marketplace have been largely unregulated with respect to the privacy and security of healthcare data. For the most part, a healthcare-related app was regulated only if it was covered under HIPAA. As a result, only apps directly involved in providing or billing for healthcare services, or those companies' "Business Associates," were required to put specific controls and notifications in place. All the rest were not. The Federal Trade Commission (FTC), the agency responsible for consumer protection, has not really been on the radar in terms of regulatory oversight in this arena.

The many thousands of apps that consumers select and use to manage illnesses, track fitness, and obtain other health-related services do not fall under HIPAA's requirements and were, for the most part, unregulated. All of this has changed with a September 15, 2021, Policy Statement by the FTC.

According to the Statement, the Health Breach Notification Rule "helps to ensure that entities who are not covered by the Health Insurance Portability and Accountability Act ('HIPAA') nevertheless face accountability when consumers' sensitive health information is compromised." The Breach Notification Rule is not new, but this clarification is, and it signals likely enforcement of a rule that has largely gone unenforced to date. The push to regulate apps came from Congress, and further legislation is likely.

Who is Affected?

The FTC clarifies that vendors of "personal health records (PHRs)" and "PHR-related entities" must follow the breach notification procedures outlined in the Rule, which include notification of affected consumers, the FTC, and, in some cases, the media. These are not HIPAA "Covered Entities." The Statement also makes clear that a "breach" under the Rule is not limited to an outside cybersecurity intrusion: a vendor's own unauthorized sharing or disclosure of consumers' health data counts as well, so app makers that share data with third parties without authorization are exposed even if they are never hacked.
