The Federal Trade Commission (FTC) has recently updated its health data breach notification measures to encompass a broader range of apps and technologies that are not currently covered by federal health privacy laws. The revisions to the health breach notification final rule (RIN 3084-AB56) were issued on Friday and include changes to the definition of “public health record related entity” to clarify that these entities include individuals offering products and services online, such as mobile applications, or vendors of personal health records.
This move by the FTC is significant because it addresses a gap in current regulations: many health apps are not covered by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA primarily focuses on healthcare providers, health plans, and healthcare clearinghouses when it comes to protecting health information. By expanding the definition of entities subject to health data breach notification requirements, the FTC is working to ensure that individuals’ health information is protected regardless of the platform or technology being used.
These updates to the health data breach notification measures aim to enhance privacy and security for consumers using health-related apps and technologies. By bringing more entities under the umbrella of health data protection regulations, the FTC is taking proactive steps to safeguard sensitive health information and promote accountability in the digital health landscape. Overall, this action by the FTC highlights the importance of ensuring that all platforms and technologies that handle sensitive consumer data are subject to robust privacy protections.