Makers of health-related mobile apps and other businesses that will soon be covered by the Federal Trade Commission’s amended rule on health data breach notifications, set to take effect July 29, could face increased litigation.
The amendments, finalized in April, make companies that provide health-care services and pull health information from multiple sources subject to the FTC’s breach notification rule. These companies make up a growing class of health apps not currently covered by the Health Insurance Portability and Accountability Act.
Some attorneys raised concerns that the agency’s unwillingness to define more clearly what constitutes authorized access could create compliance questions. The absence of a more specific definition of “authorization” in the agency’s guidance on security breaches could stymie companies’ compliance efforts and lead to fines as well as litigation.
Stakeholders’ comments during the FTC’s rule-making process asked for clarity on that point. The agency declined to give a fuller definition, though it noted unauthorized disclosures could include—but are not limited to— “unauthorized sharing or selling of consumers’ information to third parties that is inconsistent with the company’s representations to consumers.”
“The reason for that is, you want predictability. You want to know what this means,” said J. Malcolm DeVoy, a partner at Holland and Hart, of the comment requests. “But from the regulator’s viewpoint, as soon as I define this, you’re looking for what’s not defined to try to reduce your obligation to notify consumers and to notify the government.”
The FTC’s updated health data breach rule requires covered businesses to provide notice of a breach affecting 500 or more individuals within 60 days “without undue delay.” Failure to comply could result in civil penalties, currently set at up to $51,744 per violation.
At its broadest, the updated language “really transforms it from functioning as a data security breach rule” into “a required opt-in consent” to share personal health data, said Hintze Law associate Felicity Slater. The FTC estimated the rule would cover an additional 170,000 entities, though trade groups have contended the number will be higher.
While many covered entities may already have security programs in place, implementing robust notification programs could be new territory, said Edward G. Zacharias, a partner at McDermott Will & Emery. The amended rule “substantially” expands the number of entities now required to report breaches, he said, adding that many of his clients now covered by it weren’t before.
The rule’s expanded coverage could fuel a growing trend of lawsuits against health-care-related entities that expose user data to third-party advertisers, DeVoy and Zacharias warned. Lawsuits involving pixel-tracking technologies, including those deployed by health-care entities, already surged 89 percent from 2022 to 2023, according to a Bloomberg Law analysis.
The expanded reporting requirements could have a “significant” impact on litigation, DeVoy said.
“People wouldn’t necessarily know where the pieces are in order to pick them up and start bringing them together if there wasn’t that notification requirement,” said DeVoy.
A potential clue to how the FTC may define the term is how it has applied the rule before. The FTC first cited its Health Breach Notification Rule in enforcement actions against online pharmacy GoodRx in February 2023 and against Easy Healthcare Corp. that April over its Premom fertility tracker. Both companies were cited for sharing users’ health information with advertisers through pixel-tracking technology. In both cases, the agency included “unauthorized access” in its definition of a breach.
“From the FTC perspective, if you have, for example, a privacy policy that isn’t sufficiently descriptive in terms of the type of information that you’re capturing and that you’re disclosing and for what purpose it’s being disclosed, I think the FTC position would be that constitutes an unauthorized disclosure,” said Zacharias.
“I think in general this FTC is being aggressive in the interpretations of the rule and people in industry should be taking note of those interpretations,” Slater said.
Uncertainty about how the agency defines authorization could create other challenges. While there is a mechanism to contest whether unauthorized access led to actual acquisition of data, the updated language says “whether a disclosure is authorized under the Rule is a fact-specific inquiry that will depend on the context of the interactions between the consumer and the company.”
That could leave companies in a difficult position when it comes to providing “sufficient” evidence to contest violations, Zacharias said.
Moreover, attorneys said the revised rule could leave some confusion as to who is responsible for reporting breaches involving personal health records, or PHRs.
“In a lot of situations, I don’t think it’s going to be entirely clear whether an organization is acting as like a downstream service provider or as a PHR-related entity itself,” said Zacharias. “Sometimes it’s both, sometimes you’re a third-party service provider and PHR-related entity. And so in which context are you holding that data?”
To contact the reporter on this story: Tonya Riley in Washington at triley@bloombergindustry.com
To contact the editors responsible for this story: Tonia Moore at tmoore@bloombergindustry.com; Kartikay Mehrotra at kmehrotra@bloombergindustry.com