The Federal Trade Commission confirmed Sept. 15 that entities not covered by HIPAA, such as health apps and connected devices that collect or use consumers' health information, must comply with the agency's breach notification rule.
Six notes:
1. In 2009, the FTC issued its Health Breach Notification Rule, which requires vendors of personal health records and related entities to alert consumers, the FTC and the media when data is disclosed or acquired without the consumers' permission.
2. The FTC said its Health Breach Notification Rule ensures that entities not covered by HIPAA are held accountable when consumers' sensitive health data is breached.
3. HIPAA applies only to covered entities, including health plans, most healthcare providers and healthcare clearinghouses. But the FTC rule requires covered entities to keep patient health data confidential and safe from security threats.
4. Apps and connected devices such as wearable fitness tracking devices must comply with the FTC's Health Breach Notification Rule if they can collect data from multiple sources and aren't covered under HIPAA, the agency said in the policy statement.
5. For example, a health app is covered under the FTC's rule if it collects health information from a consumer and has the technical capacity to draw information through an application programming interface that can sync with a consumer's fitness tracker.
6. Companies that don't comply with the FTC's rule could be subject to financial penalties of up to $43,972 per violation each day, the agency said.