A recent final rule issued by the Federal Trade Commission (FTC) on April 26 is set to bring more scrutiny to digital health companies. The Health Breach Notification Rule aims to ensure that companies in the digital health space are held accountable for the use and protection of personal health information. This rule expands the definition of personally identifiable health data to include both traditional health information and emerging data, such as location information and healthcare-related purchases. Additionally, it broadens the definition of healthcare services, encompassing wellness apps that passively track data for users.
While many digital health companies already offer privacy protections in their terms and conditions, they are not subject to privacy and security regulations under HIPAA as they are not considered “covered entities.” With the new rule in place, these companies will now have to comply with stricter regulations regarding the use and protection of personal health information.
The appendix of the rule provides examples of messages that companies can use to notify individuals of security breaches or improper disclosures as required by the rule. The rule will go into effect 60 days from its publication in the Federal Register, holding digital health companies more accountable for the protection of personal health information going forward. Overall, this new regulation marks a step towards ensuring that consumer privacy is protected in the rapidly evolving world of digital health technology.
