New FTC Rule Increases Scrutiny of Digital Health Companies Regarding Personal Health Information Security and Privacy

Digital Health Companies Now Required by New FTC Rule to Notify Users of Data Breaches

On April 26th, the Federal Trade Commission (FTC) issued a final rule that will increase scrutiny of digital health companies such as BetterHelp and Calmerry regarding the use of personal health information. The FTC revised its Health Breach Notification Rule in response to multiple enforcement actions, ensuring that digital health apps and trackers will be penalized if they fail to notify users when personal health information is disclosed without consent.

The updated rule broadens the definition of personally identifiable health data to include both traditional health information like diagnoses and emergent health data such as location information and healthcare-related purchases. It also includes a broad definition of healthcare services, signaling to companies that even wellness apps passively tracking data for users may now fall under the FTC’s enforcement oversight.

Many digital health companies offer privacy protections in their terms and conditions, but they are not subject to HIPAA regulations because they are not considered “covered entities” that submit electronic claims for insurance billing like traditional healthcare providers. The rule provides companies with examples of messages they can send to notify individuals of security breaches or improper disclosures.

The final rule will go into effect 60 days after its publication in the Federal Register, putting digital health companies on notice that they must comply with the new requirements for handling personal health information to avoid penalties from the FTC. The rule serves as a reminder that digital health companies must prioritize the security and privacy of their users’ personal health information, just like traditional healthcare providers do with their patients’ sensitive medical data.