Back in September, the Federal Trade Commission (FTC) issued (by a 3-2 vote) a policy statement (the Statement) regarding the oft-forgotten Health Breach Notification Rule (the Rule). I was at the FTC when the Statement was released and have since joined BakerHostetler. Around the time I joined BakerHostetler, my new colleague Melissa Hewitt published an informative blog about the Statement and what it could mean for non-HIPAA covered health apps. Now that the dust has settled, we thought it would be a good time to do a deeper dive into the Rule and provide some food for thought regarding compliance with it.

For starters, let’s get one thing out of the way. For many years, the FTC has brought case after case regarding a range of health privacy issues, and there is no reason to think that will change, particularly given congressional interest in vastly increasing the agency’s funding for privacy work. It is worth noting that the Rule is one of the FTC’s few privacy tools that allows for civil penalties (up to $43,792 per violation per day), a particularly important enforcement consideration for the agency after the Supreme Court’s AMG ruling substantially curtailed the agency’s ability to obtain equitable monetary relief. When appropriate, the Rule is a logical enforcement tool for the agency in the post-AMG era.

Prior to issuance of the Statement, there was conspicuously little talk about the Rule, and compliance appears to have been minimal. The Rule requires notice to consumers and to the FTC following a breach. Yet after more than a decade of the Rule's being in effect, the FTC's website indicates that a total of five companies have provided notice to the agency. Given how frequently we read about breaches of health information generally, even the most optimistic among us would look at that number and conclude rampant noncompliance. Admittedly, prior to the issuance of the Statement, the FTC appeared to apply a much narrower interpretation of the Rule. Commissioner Christine Wilson makes this the thesis of her dissent, stating that rather than "clarifying" the scope of the Rule, the Statement "expands it" and contradicts "existing FTC business guidance" about the limited scope of the Rule. Commissioner Noah Phillips raised similar concerns.

As a former FTC official, I am always intrigued by dissenting and concurring opinions issued by commissioners, but the bottom line is that, at the moment, a compliance-minded company should assume that the broader interpretation of the Rule will apply. That is so even though the third vote for the Statement, former Commissioner Chopra, is now Director Chopra at the CFPB, and Alvaro Bedoya has not yet been confirmed as a third Democratic vote at the Commission. So, what does this mean for businesses that aren't covered by HIPAA and that are capable of drawing health information from multiple sources, in the broadest sense of that phrase?

At its core, the Rule requires non-HIPAA covered entities that collect and handle sensitive health data to provide notice to consumers and the FTC (and possibly the media) in some circumstances if there is a breach of unsecured health information. For today's purposes, I am not going to delve into precisely when and how the Rule is triggered, but suffice it to say that if you come across a health-related breach (broadly defined), be mindful of the Rule and carefully assess whether it applies, particularly as interpreted by the new Statement. For example, there are third parties that may be covered by HIPAA in some areas but not in others. It is unclear at the moment whether and how the FTC would apply the Rule against such parties, but such entities should heed the Rule's requirements. As an aside, it may also be helpful to review the HHS/FTC Mobile Health Apps interactive tool that was issued in 2016 to help mobile app developers assess which laws apply. I have looked at the tool recently, and from what I can tell, the Statement has not undermined its utility.

Whatever the Rule's ultimate scope, the starting point should be the same: ensuring that the sensitive health data you collect or handle does not get accessed by someone who shouldn't have it. To provide some practical guidance, I have chosen to focus on a few nontechnical types of data security failings that I encountered during my FTC days and that we often see in FTC cases.

Probably the most common failing falls into the category of "What do you mean, someone copied that database and no one else knew it was there and unencrypted?" Companies with otherwise robust protections simply aren't always aware of where all their sensitive data is located, and that is a significant failing. It is hard enough to protect what you know exists; unknown duplicates of databases with sensitive information, scattered across backups, analytics extracts, test environments and the like, are a recipe for disaster. A data inventory that stops at the production database does not answer the question.

Another frequent issue is the collection of far more data than is necessary, combined with the failure to keep that voluminous data either in a deidentified form or encrypted at rest and in transit. I'm not going to use this blog to preach about data minimization, but if you are collecting a lot of data, the burden of securing all of it necessarily increases. From a regulator's perspective, if you are arguably collecting more data than necessary (even with clear consent) and that data is breached, it will generally be viewed unfavorably.
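The two failings above (stray, unencrypted copies of a database, and sensitive data held in the clear) are exactly what a periodic inventory scan should surface. The following Python script is an added illustration of such a check and is not code from the original post or from the FTC. It walks a directory tree for files that look like database exports or backups, distinguishes readable copies from encrypted ones by file header and byte entropy, and flags the readable ones that contain health-related terms. The file suffixes, keyword list and entropy threshold are assumptions for illustration, and the sample files it creates are constructed, not real records.

```python
"""Find stray data-store copies and flag the ones readable in the clear.

Added example; suffixes, keywords and the entropy threshold are assumptions.
"""
import gzip
import json
import math
import os
import sqlite3
import tempfile
from pathlib import Path

# Extensions that usually mean "somebody exported or backed up a database" (assumed list).
DUMP_SUFFIXES = {".sql", ".dump", ".bak", ".csv", ".sqlite", ".db", ".json"}

# Magic bytes of containers that are *not* encryption. A gzip'd dump is still
# readable by anyone who copies it.
MAGIC = [(b"SQLite format 3\x00", "sqlite"), (b"\x1f\x8b", "gzip"), (b"PK\x03\x04", "zip")]

# Assumed keywords suggesting health data in readable content.
HEALTH_TERMS = (b"diagnosis", b"patient", b"prescription", b"medication", b"icd10")

# Bits per byte above which a file with no known header is treated as opaque
# (encrypted, or at least not trivially readable). Text sits around 4-5; ciphertext near 8.
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the sample in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path: Path, sample_size: int = 65536) -> dict:
    """Classify one candidate file by header and entropy; look inside gzip containers."""
    with path.open("rb") as fh:
        head = fh.read(sample_size)
    kind = next((name for magic, name in MAGIC if head.startswith(magic)), None)
    content = head
    if kind == "gzip":
        # Compression is not confidentiality: inspect the decompressed bytes.
        with gzip.open(path, "rb") as gz:
            content = gz.read(sample_size)
    elif kind is None:
        kind = "high-entropy" if shannon_entropy(head) > HIGH_ENTROPY else "plaintext"
    terms = [t.decode() for t in HEALTH_TERMS if t in content.lower()]
    return {"kind": kind, "entropy": round(shannon_entropy(head), 2), "health_terms": terms}


def scan(root: Path) -> dict:
    """Return {relative path: classification} for every candidate dump under root."""
    return {
        p.relative_to(root).as_posix(): classify(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in DUMP_SUFFIXES
    }


def needs_attention(findings: dict) -> list:
    """Readable copies that look like health data: the ones whose loss would be a
    breach of *unsecured* information rather than of encrypted data."""
    return sorted(k for k, v in findings.items()
                  if v["kind"] in ("plaintext", "gzip", "sqlite") and v["health_terms"])


def build_sample_tree(root: Path) -> None:
    """Constructed sample files (not real records) covering each case."""
    rows = b"patient_id,diagnosis,medication\n1001,E11.9,metformin\n1002,I10,lisinopril\n"
    (root / "exports").mkdir()
    (root / "exports" / "patients.csv").write_bytes(rows)            # plain CSV export
    (root / "exports" / "2021-09-backup.bak").write_bytes(gzip.compress(rows))  # gzip'd copy
    (root / "scratch").mkdir()
    con = sqlite3.connect(root / "scratch" / "analytics.db")          # SQLite scratch copy
    con.execute("CREATE TABLE patients(id INTEGER, diagnosis TEXT)")
    con.execute("INSERT INTO patients VALUES (1001, 'E11.9')")
    con.commit()
    con.close()
    (root / "vault").mkdir()
    (root / "vault" / "export.dump").write_bytes(os.urandom(4096))    # stands in for ciphertext
    (root / "config.json").write_bytes(b'{"log_level": "info"}')      # readable, but not health data


def run_demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        findings = scan(root)
    return {"findings": findings, "attention": needs_attention(findings)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run against a real file share or object-store mirror, the list returned by `needs_attention` is the one to reconcile against the data inventory: every entry should be either known and justified or deleted. Note that the entropy heuristic cannot tell well-encrypted data from a compressed container with an unfamiliar header, so an opaque file is a prompt to find its owner, not proof that it is protected.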

The final category of failings is personnel challenges, which could certainly be exacerbated by the current wave of resignations that we keep hearing about. As employees move on, responsibilities transfer and new hires come on board, important information about security obligations gets lost, such as who was overseeing the third-party vendor at issue. Frequent staffing turnover creates inherent compliance challenges that have to be addressed, starting with documenting who owns each security obligation so that ownership survives a departure.

From a compliance perspective, companies that maintain health data (especially those that operate at the fringes of HIPAA or fall through its cracks and so lack the benefit of a HIPAA compliance program) should treat the Statement as a warning sign to promptly conduct a compliance tune-up and ensure things are in order. Particular attention should be paid to the following areas in light of the Statement:

  • Privacy Policy/User Consents. The Statement clarifies that disclosure of sensitive health information without user consent triggers a "breach of security" under the Rule, and that such a breach is not limited to "nefarious behavior." According to FTC Chair Lina Khan, "a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics." Accordingly, health companies should closely review their data-use and data-sharing practices, ensure those practices are consistent with the company's terms of use and privacy policy as well as with any consents obtained and notifications provided to users about how the health data will be used, and make modifications where necessary.
  • Due Diligence/Representations and Warranties. Digital health companies are growing at a record-breaking pace and are a primary target of private equity and venture capital firms. Previously, many of these companies operated outside the boundaries of HIPAA, and while they were subject to state privacy laws in many cases, they may have been viewed as lower-risk investments as a result. The Statement makes robust due diligence into the privacy and security policies and practices of these potential targets essential, given the renewed potential for civil penalties in the event of a breach or security incident. Obtaining comprehensive representations and warranties that the company operates in a manner that is compliant with, and minimizes risk under, the Statement is also crucial.
  • Breach/Security Incident Response. Whereas health companies not subject to HIPAA may previously have thought their breach notification obligations were limited to state law, the Statement makes clear that the FTC could significantly increase a company's potential liability in the event of a breach. Accordingly, companies subject to the Rule should take steps to mature their privacy and security compliance program and infrastructure to minimize the risk of an enforcement action. It is important to note that the Rule applies only to a breach of unsecured health information. Taking action to secure and encrypt health information, and to keep the encryption keys separate from the data they protect so that a copied database is genuinely unreadable, can therefore also reduce regulatory risk.

So, bottom line, it’s time to start paying a bit more attention to the Rule. It promises to be much more prominent than it was in the past decade. In addition, it may reemerge in conjunction with other enforcement tools. Please stick with me and my colleagues as we continue to share information and insights about emerging FTC privacy issues.