September 26, 2023

The Federal Trade Commission wants to make changes to the Health Breach Notification Rule to clarify that the protections extend to users of digital health apps.

While the agency has considered health trackers, apps and other direct-to-consumer companies subject to the rule, the proposed changes would codify that digital health companies handling medical information would be treated in many of the same ways as providers.

The current rule outlines two designations, providers including “services or supplies,” but the proposed changes flesh out what that means in greater detail. The proposal would also clarify the definition of a “breach of security” to include unauthorized acquisition of identifiable health information that occurs because of a data breach or unauthorized disclosure, the agency said in a news release.

Any unauthorized disclosure would trigger the rule, an agency spokesperson said. That includes companies sharing user data willingly without receiving proper user consent.

The proposed changes follow the FTC’s recent enforcement actions against consumer drug benefits company GoodRx and Premom, a digital women’s health company.

In February, the FTC took action against GoodRx, alleging the company shared consumers’ personal health information with Facebook, Google and other third parties. The Justice Department, on behalf of the FTC, filed a complaint and GoodRx agreed to a $1.5 million fine.

Once the commission publishes the proposed changes in the Federal Register, a 60-day public comment period will begin.

In March, the FTC fined digital mental healthcare provider BetterHelp $7.8 million for sharing the private health information of hundreds of thousands of consumers with advertisers like Facebook, Snapchat, Criteo and Pinterest during a seven-year period.

The agency alleged BetterHelp provided consumers’ email addresses, IP addresses and health questionnaire information, and that the company uploaded lists containing more than 7 million email addresses to Facebook between 2017 and 2018. More than half of the emails were matched with Facebook user IDs, the agency alleges.

Experts said the recent enforcement actions likely serve as a warning shot to digital health companies sharing health information.