FTC proposes new regulations on data collection and health apps

Health/tracking apps downloaded to smartphones have confounded employees and employers since the Supreme Court issued its 2022 Dobbs decision, which overturned Roe v. Wade. Smartphone apps generally aren’t covered by HIPAA and they receive only minimal attention in the FTC’s health breach notification rule, which currently requires notice to victims when there’s a data security breach involving their personal health information.

If you’re seeking out-of-state reproductive healthcare services, this could be a problem, because law enforcement can subpoena your phone and social media accounts for your activity.

A more robust health breach notification rule

The Federal Trade Commission has now proposed regulations to significantly change the health breach notification rule. The proposed regs would keep more health data private by broadening the definitions of healthcare provider and healthcare services to cover the vast majority of health-related smartphone apps:

  • The regs would define a new term—healthcare provider—to mean a provider of services, a provider of medical or other health services, or any entity furnishing healthcare services or supplies.
  • The regs would newly define the term health-care services or supplies to include any online service, website, mobile app, or internet-connected device with mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information or diet, or that provides other health-related services or tools.

The regs would also apply the health breach notification rule when a third party shares personal health information they have no right to share. While this wouldn’t stop a law enforcement agency from subpoenaing someone’s phone, it could hinder their ability to assemble information from multiple public sources.

State law may fill a gap

The FTC’s rule will take time and will probably be subject to litigation. So state laws may fill the gap. As far as we know, Washington state is the first to enact a health data privacy rule. Other states will surely follow.

The law, which is intended to complement HIPAA, becomes effective next year and requires regulated entities—those producing or providing products or services targeted to consumers and alone or jointly with others determining the purpose and means of collecting, processing, sharing or selling consumer health data—to:

  • Maintain and prominently publish a consumer health data privacy policy.
  • Not collect or share consumers’ health data, except with their consent or to the extent necessary to provide a product or service they requested.
  • Restrict access to consumers’ health data by its employees, processors, and contractors to an as-needed basis to further the purposes for which consumers provided their consent or to provide a product or service they requested.
  • Not implement a geofence around an entity providing in-person health-care services when a geofence is used to identify or track consumers seeking health-care services; collect consumer health data from consumers; or send notifications, messages, or advertisements to consumers related to their consumer health data or health-care services.

The takeaway

Neither the FTC’s regulations nor the Washington law would stop a law enforcement agency from subpoenaing individual users’ health app information, although app users could protect themselves by not allowing the app to collect their data in the first place.

Nevertheless, a good deal of caution is still necessary when downloading apps. Users of mobile health apps should read the app’s privacy statement carefully before they sign on, and opt out of data collection when necessary.

The Department of Health and Human Services also points out steps everyone can take to shield their medical records from public scrutiny:

  • Avoid downloading unnecessary or random apps, especially free apps.
  • Avoid giving any app permission to access a device’s location data, other than apps where the location is absolutely necessary (e.g., navigation and traffic apps).
  • Turn off location services when traveling.

If you don’t know how to disable location tracking, HHS also provides a handy tutorial for both iPhones and Android phones. Details are in the HHS link above.