National Law Review January 20, 2022
Gicel Tomimbang, Kristin L. Bryan, Elliot Golding

The FTC’s recent policy statement on the Health Breach Notification Rule (the “Rule”) substantially impacts the consumer-facing digital health industry by significantly expanding (a) the scope of entities subject to the Rule and (b) data practices that constitute a breach. Under the new guidance, any entity that collects health data from both a connected device and the consumer (excluding entities already subject to HIPAA) will be treated as a “vendor of Personal Health Records” (“PHR Vendor”) subject to the Rule. Moreover, PHR Vendors that share such information without the individual’s authorization will trigger the Rule’s breach notification requirements.

PHR Vendors Include Health Apps, Too

The Rule applies to PHR Vendors, PHR related entities, and their third party service providers that collect data...
