Digital health apps must protect Americans’ data
- Randy Hutchinson is president & CEO of the Better Business Bureau of the Mid-South.
Most people are familiar with the Health Insurance Portability and Accountability Act, or HIPAA, that addresses privacy and security for most doctors’ offices, hospitals and insurance companies. Patients are often asked to sign a form acknowledging what a medical care provider will do with their information, including protecting it.
Some businesses that provide health care diagnostic and monitoring services aren’t covered by HIPAA. They include the ever-increasing array of fitness trackers and other internet-connected devices and apps that gather consumers’ health information. But since 2009, they have been covered by the Health Breach Notification Rule (Rule), which the FTC has recently updated.
The updated Rule clarifies the kinds of apps and other new technologies that are covered. They include any “online service, such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.”
It covers online services related not only to medical issues (by including in the definition terms such as “diseases, diagnoses, treatment, medications”) but also wellness issues (by including in the definition terms such as “fitness, sleep, and diet”).
What happens if there’s a data security breach?
Covered companies that experience a breach of security of consumers’ identifying health information must notify affected consumers, the FTC, and, in some cases, the media.

If 500 or more people are affected, the company must notify them and the FTC “without reasonable delay,” which in no case should be more than 60 days after discovery of a breach of security. If fewer than 500 people are affected, they still have to be notified with the same urgency, but the FTC only has to be notified annually.
It’s important to note that a security breach includes not only breaches by hackers or other third parties, but also the company’s own disclosure of customers’ information in violation of its privacy policies. I wrote a column last year about an FTC settlement with a DNA testing company over charges that its security procedures were so lax that anyone with internet access could see the detailed health reports of almost 2,400 consumers and the raw genetic data of at least 227.
The company also retroactively changed its privacy policy without notifying affected consumers or getting their consent. The new policy expanded the types of third parties it could share consumers’ data with, including supermarket chains and nutrition and supplement manufacturers.
Notice to affected consumers must be ‘clear’ and ‘conspicuous’
The Rule requires that, in most cases, a notice about a security breach must tell affected consumers the identity of any third parties that acquired unsecured identifiable health information as a result of the breach and describe the types of health information involved (for example, a health diagnosis or condition, lab results, medications, other treatment information, and their use of a health-related app).
The notice has to be “clear and conspicuous” and “reasonably understandable.” That might include short explanatory sentences or bullet lists, plain-language headings, an easy-to-read typeface, wide margins, and ample spacing. It should not include legal or highly technical terminology, multiple negatives, or imprecise explanations.

The FTC says that even companies not subject to the Rule should heed its practical approach to the “clear and conspicuous” standard.
