The Federal Trade Commission wants to make changes to the Health Infringement Notification Rule to clarify the protections that extend to users of digital health apps.
While the agency has considered health-monitoring devices, apps and other direct-to-consumer companies to follow the rule, the proposed changes would encode that the companies Digital health companies that process medical information will be treated in many of the same ways as providers.
The current rule outlines two names, supplier and “service or item,” but the proposed changes would clarify what that means in more detail. The proposal would also clarify the definition of a “breach of security” including the unauthorized collection of identifiable health information that occurs as a result of a data breach or unauthorized disclosure, the agency said in a statement. a press release.
An agency spokesperson said any unauthorized disclosure would trigger the rule. That includes companies willing to share user data without the user’s consent.
The proposed changes follow recent enforcement actions by the FTC against consumer drug benefit company GoodRx and Premom, a digital women’s healthcare company.
In February, the FTC took action against GoodRx alleging the company shared consumers’ personal health information with Facebook, Google and other third parties. The Department of Justice, on behalf of the FTC, filed the complaint and GoodRx agreed to a $1.5 million fine.
After the committee publishes the proposed changes to the Federal Register, a 60-day public comment period will begin.
In March, the FTC fined digital mental health provider BetterHelp $7.8 million for sharing the personal health information of millions of consumers with advertisers like Facebook, Snapchat, Criteo and Pinterest over a 7 year period.
The agency alleges BetterHelp provided email addresses, IP addresses and consumer health inquiry information, and that the company uploaded a list containing more than 7 million email addresses to Facebook between 2017 and 2018.Read More half of the emails were matched with Facebook user IDs, the agency alleges.
Experts say recent enforcement actions could serve as a warning shot for digital health companies that share health information.
