Connected devices such as fitness trackers also obliged to follow tougher privacy rules

US policy change means healthcare apps must follow breach notification rules

Updated policies from US federal regulators will mean that health-related apps and connected device vendors will need to comply with health data breach notification rules.

Healthcare apps – which can track everything from glucose levels for those with diabetes to heart and sleep health – are collecting more and more sensitive and personal data from consumers.

Healthcare and connected device vendors have a responsibility to secure data and to notify consumers when anything goes awry. Now, regulators have ruled that they ought to comply with the same data privacy and breach disclosure rules as mainstream healthcare providers.

The healthcare industry continues to explore how technology can benefit patients through app-based services including telehealth and self-monitoring – a trend that has picked up speed and urgency during the coronavirus pandemic.

Additional privacy concerns arise because data harvested through connected devices and healthcare apps might be used to feed behavioral ads or power user analytics.

Meanwhile, the need to protect healthcare data is also increasing as this information is valuable to scammers and cybercriminals.

In response, regulators at the US Federal Trade Commission (FTC) have extended the existing Health Breach Notification Rule to cover healthcare app providers, makers of wearable fitness tracking devices, and related software.

The rule itself – which is underpinned by provisions in the American Recovery and Reinvestment Act of 2009 – was extended to healthcare app and wearable makers through a policy change.

Argument for change

The policy change was voted through by the FTC 3-2, a split decision that shows privacy regulation of healthcare apps is an emerging area of policy that even regulators are still arguing about.

“The rule ensures that entities not covered by the Health Insurance Portability and Accountability Act (HIPAA) face accountability when consumers’ sensitive health information is breached,” according to an FTC statement on the decision issued last week.

For example, a health app would be covered under the FTC’s rule if it collects health information from a consumer and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker. There will be tough financial penalties for companies that fail to comply with the rules.

The policy change means that vendors that hold fertility, heart health, glucose levels, and other health data must notify consumers in the event of a breach. App makers would need to notify the FTC, consumers, and (in some cases) the media.

Big data

Trade journal eMarketer reports that 90,000 health apps were released last year. The vast majority (an estimated 88%) have the ability to collect and share user data.

Some surveys suggest most consumers aren’t concerned with the privacy of their data collected by smartwatches or fitness trackers, though this is beside the point for vendors who face huge fines for non-compliance.

The revamped regulatory regime adds extra compliance headaches for affected technology providers, several of which have suffered security and privacy breaches over recent months.

For example, an Android fitness app was caught sending sensitive information without encryption back in June, while flaws discovered in June 2020 in LibreHealth, an electronic health records software package, might also have become a candidate for disclosure, but only if those software flaws had exposed any personal healthcare information.
