The Oft-Overlooked Federal Trade Commission's Health Breach Notification Rule Gets a Nudge

For many, when an individual's Protected Health Information (PHI) is unlawfully accessed, the first law that comes to mind is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). While the HIPAA Breach Notification Rule "requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information," the Federal Trade Commission's (FTC) Health Breach Notification Rule (hereinafter "FTC Breach Rule") is getting renewed interest.

While HIPAA's Breach Notification Rule applies only to covered entities, business associates, and their subcontractors, the FTC Breach Rule casts a broader net: it is a consumer-protection rule, mandated by the American Recovery and Reinvestment Act of 2009, that reaches vendors of personal health records and related entities that are not regulated by HIPAA. The FTC's foray into PHI privacy and security issues is not new. For example, on February 18, 2009, the FTC announced that CVS Caremark settled charges related to the following conduct:

It failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees, in violation of federal law. In a separate but related agreement, the company's pharmacy chain also has agreed to pay $2.25 million to resolve Department of Health and Human Services allegations that it violated … HIPAA.

Importantly, HHS and the FTC coordinated both the investigations and the settlements.

The purpose of this article is to provide a brief synopsis of the HIPAA Breach Notification Rule and the FTC Breach Rule, as well as a recent matter involving the use of consumers' PHI that prompted Congressional attention.

Analysis
Under HIPAA, a breach of PHI is generally "an impermissible use or disclosure under the Privacy Rule that compromises [its] security or privacy." If a potential privacy or security violation arises and PHI is suspected of being compromised, the entity must perform the four-factor risk assessment to determine whether there is a low probability that the PHI has been compromised; unless the assessment demonstrates that low probability, the incident is presumed to be a breach. If the incident is a reportable breach, the steps identified in Table A should be taken under HIPAA and/or the FTC Breach Rule.




On January 13, 2021, the FTC announced that Flo Health, Inc. ("Flo"), the developer of a fertility-tracking and menstruation app used by more than 100 million consumers, settled allegations that it "shared the health information of users with outside data analytics providers after promising that such information would be kept private."

The FTC's complaint is notable for several reasons:
  1. Flo promised users that it would use their PHI only to provide the app's services to that individual;
  2. Flo nonetheless disclosed millions of users' PHI to third parties that "provided marketing and analytics services to the app, including [Facebook, Google, AppsFlyer, and Flurry]";
  3. Flo did not limit how those third parties could use the data; and
  4. Flo violated the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.

The FTC not only reached a settlement agreement with Flo, but it also published a consumer awareness bulletin highlighting ways to protect privacy and reduce fraud when using a health app. One notable take-away is the FTC's statement that, "When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $43,792."

The Flo settlement with the FTC prompted Members of Congress to write a letter, dated March 4, 2021, to the FTC's Acting Chair, Rebecca Kelly Slaughter. The two-page letter highlights the need for strong enforcement against the misuse of PHI because the data is "deeply personal and highly valuable." As Senator Menendez and Representatives Watson Coleman and Sherrill articulated,
We write in support of the Federal Trade Commission (FTC) using its full existing authorities to protect personal health data. Specifically, we urge the FTC to take enforcement action against menstruation-tracking mobile apps that violate the Health Breach Notification Rule or other applicable regulations. The FTC must fulfill its mandate from Congress to protect Americans from bad actors who betray their trust and misuse their personal health data.  

The Flo matter renewed attention to the FTC Breach Rule. Notably, the FTC's Flo complaint was brought under Section 5 of the FTC Act rather than under the FTC Breach Rule itself, which is why the Members' letter urged the agency to enforce that Rule going forward. The matter is also notable because it involved international data privacy and security issues and prompted subsequent Congressional attention.

Conclusion
The FTC and HHS work synergistically with each other to effectuate Congressional intent. For over twenty-five years, PHI privacy and security have been given increasing importance and scrutiny. Any person creating, receiving, maintaining, and/or transmitting PHI should appreciate the obligations, and the potential liability, that may arise under the FTC Breach Rule in addition to HIPAA.

Rachel V. Rose, JD, MBA, is an Attorney at Law in Houston, TX. Rachel advises clients on healthcare, cybersecurity, securities law and qui tam matters. She also teaches bioethics at Baylor College of Medicine. She has been consecutively named by Houstonia Magazine as a Top Lawyer (Healthcare) and to the National Women Trial Lawyers' Top 25. She can be reached at rvrose@rvrose.com. www.rvrose.com

BC Advantage © Copyright 2013 Billing-Coding Inc