Experts urge FTC to modernize health breach notification rules as comment period closes

The public comment period for the Federal Trade Commission’s (FTC) proposed changes to its health breach notification rules closed Tuesday, with a variety of consumer protection and privacy organizations urging their adoption, while highlighting how inadequate health privacy regulations are for the digital age.

The FTC announced the proposed rules change in May, saying it sought to clarify how the existing Health Breach Notification Rule — which requires those storing personal health information to alert consumers to data breaches — applies to health apps and similar technologies.

Numerous apps collect an unprecedented amount of health data and share it with third parties for marketing and other purposes, the agency said in explaining the proposed update to the rules. Many of these practices are not covered by the narrowly defined Health Insurance Portability and Accountability Act (HIPAA), the agency said in a press release.

HIPAA created national standards to prevent disclosure of patient health information without their consent, but it only covers health care providers, insurers and similar entities — not digital age apps and devices.

Among the changes the FTC has proposed: revising several definitions to clarify the health breach notification rule can be applied to health apps and similar technologies not covered by HIPAA; clarifying that a “breach of security” under the rule includes the unauthorized acquisition of identifiable health information triggered by a data security breach or an unauthorized disclosure; and expanding requirements for what consumers whose data has been breached should be told.

Many of the 117 individuals and organizations to comment noted the extreme privacy risks individuals using apps, wearable devices, and other digital health technologies face in the absence of a well-equipped watchdog.

For example, Mozilla, which is owned by the nonprofit foundation behind the Firefox browser, noted that its online privacy research arm has found that many apps use and share mental health and reproductive data for targeted advertising, with limited opportunities for consumers to object.

It said that a pregnancy tracking app with more than 1 million downloads operates without any privacy policy at all. It also found deceptive claims on app stores about sharing data with third parties.

The American Psychiatric Association urged the FTC to adopt the stricter rules and suggested a public awareness campaign, noting that people with major mental health challenges and low internet literacy are most vulnerable to having their data breached or exploited.

“Data that can indicate the presence of mental illness can be derived from many non-HIPAA protected sources, including search terms, social media, and consumer behavior and can be combined with data from other generative sources to produce highly granular individually-identifiable information,” said the letter from APA CEO Saul Levin.

The post-Dobbs environment has led to “significant” issues in the sharing and mishandling of personal health information, Laurel Sakai, the national director for public policy at the Planned Parenthood Federation of America, said in her letter.

Data can be used to “threaten or criminalize individuals who seek SRH (sexual and reproductive health) care,” she wrote. “At the same time, the rapid proliferation of health technologies not regulated by HIPAA has made individuals’ personal data more vulnerable.”

A ‘kitchen table topic’

In the proposed rulemaking, the FTC argues that a great deal of data privacy is not covered by HIPAA and is therefore “falling through the gaps,” according to Sara Geoghegan, counsel at the Electronic Privacy Information Center (EPIC), which also filed a letter.

“Privacy protections have not kept up to date with tech,” Geoghegan said. “And this [FTC rules update] is one pretty substantial measure to try to remedy that.”

Geoghegan noted that Amazon, for example, has asserted that some of their health care offerings are not covered by HIPAA. The Washington Post reported in May that Amazon’s low-cost health service Amazon Clinic asks patients to sign a form saying they understand Amazon can use and share their protected health information and notes that Amazon can then “redisclose” customers’ patient files, after which they “will no longer be protected by HIPAA.”

Amazon did not respond to a request for comment.

“Data privacy is becoming a kitchen table topic,” Geoghegan said. “And that’s both because of things like wearable tech and this concept that these tech giants have all of our information, including really sensitive information, and there's nothing it feels like we can do about that.”

The FTC has had some success applying the existing HBNR rule in recent months. In May it announced a proposed order settling allegations against the fertility app Premom and in February it announced an enforcement action against telehealth and prescription drug discount provider GoodRx Holdings Inc., alleging that each violated the rule by failing to notify users about the companies’ unauthorized disclosure of users’ personally identifiable health information to third parties.

But FTC commissioners appear to have been stewing about the issue for some time. In a little noticed February statement, FTC Commissioners Alvaro Bedoya and Rebecca Kelly Slaughter noted how inadequate HIPAA is to the task at hand and how many people misunderstand its privacy protections. Citing the Amazon acquisition of One Medical — and as they put it “hundreds of thousands of people’s health data” — Bedoya and Slaughter said the sale reminded them “U.S. privacy law is both aging and incomplete.”

In an unusual rebuke of a fellow agency, Bedoya and Kelly Slaughter appeared to take the Department of Health and Human Services (HHS) to task for not covering “de-identified” health data under its privacy rule. If a company says it abides by HIPAA “it does not mean that they cannot use your data for other purposes.”

“Rather, it means they must simply remove from that data certain markers that would tie that data back to you,” they wrote.

De-identified data has been stripped of personally identifiable information but researchers have shown it is possible to “re-identify” it by linking unencrypted parts of medical records with known information such as medical procedures and year of birth.

Returning to the Amazon acquisition of One Medical, the commissioners said HHS must consider updating its privacy law to reflect a world few anticipated when HIPAA was drafted where the “world’s largest retailer — a company of profound technological sophistication — would amass people’s health information on this scale.”

Geoghegan said EPIC pushed the FTC to establish a de-identification standard similar to the one proposed in the American Data Privacy and Protection Act, last year’s stalled federal privacy bill that is now being renegotiated. It is also urging the FTC to push HHS to set a data minimization standard which would discourage entities from collecting data not immediately relevant to the purpose at hand and would prevent them from storing it.

“That is one way and a very effective way to render information unreadable and indecipherable,” she said.