May 17, 2024 2:37 pm
Digital Health Companies Must Notify Users of Data Breaches Under New FTC Rule

In a bid to safeguard personal health information, the Federal Trade Commission (FTC) issued a final rule on April 26 that expands the definition of personally identifiable health data and broadens the scope of healthcare services. The rule imposes stricter requirements on digital health companies, which must now alert users when their personal health information is disclosed without their consent.

The Health Breach Notification Rule, as it is known, applies to digital health apps and trackers that collect and store personal health information. It includes both traditional health data such as diagnoses and emerging data such as location information and healthcare-related purchases. The rule aims to ensure that these companies are held accountable for protecting personal health information, even if they are not subject to privacy and security regulations under HIPAA.

While most digital health companies already offer privacy protections in their terms and conditions, many are not considered “covered entities” under HIPAA because they do not submit electronic claims for insurance billing purposes. With this new rule in place, these companies will now have to comply with stricter regulations regarding the use and protection of personal health information.

An appendix to the rule provides examples of messages that companies can use to notify individuals of security breaches or improper disclosures as required by the rule. The rule goes into effect 60 days from its publication in the Federal Register, giving digital health companies more accountability for protecting personal health information going forward.

The FTC’s enforcement oversight is now being applied to a wider range of companies in the digital health space with this new rule, signaling a shift towards greater transparency and accountability in the industry.
