FTC Issues New Privacy Rules For Online Health Services And Apps

The Federal Trade Commission on Friday issued new regulations that will require operators of online health services and apps to notify consumers about “unauthorized” disclosures of their identifiable health data -- including, in some circumstances, transfers to outside companies for ad purposes.

The new regulations, approved by a 3-2 vote on party lines, apply to a broad range of online services, apps and connected devices -- including ones that offer mechanisms to track diseases and other medical conditions, or health-related information like diet and sleep patterns.

The rules also broadly characterize "identifiable" health-care data as information that identifies someone (or reasonably could be used to identify someone) and that relates to health conditions.

The FTC said in its commentary to the regulations that “unauthorized disclosures” includes not only data breaches but also the “sharing or selling of consumers’ information to third parties” in ways that are inconsistent with consumers' expectations.


For instance, if an app that allows people to keep track of prescriptions discloses identifiable health information to outside ad or analytics companies, in violation of the app's privacy policy, those disclosures would be “unauthorized,” the FTC wrote.

The regulations revise the Health Breach Notification Rule, which Congress authorized in 2009 when it passed the American Recovery and Reinvestment Act. Among other mandates, that law tasked the FTC with issuing regulations requiring businesses that aren't covered by the Health Insurance Portability and Accountability Act (which applies to hospitals, doctors and other medical personnel) to notify consumers about breaches of unsecured health records.

“Protecting consumers’ sensitive health data is a high priority for the FTC,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, stated Friday.

He added that the revised regulations will ensure that the Health Breach Notification Rule “keeps pace with changes in the health marketplace,” including increased adoption of health apps and connected devices.

The new rules come as the FTC is increasingly cracking down on companies that allegedly disclose health data. Since the beginning of 2023, the agency has charged prescription discounter GoodRx, therapy app BetterHelp, and online mental health company Cerebral with privacy violations for allegedly sharing users' data for ad purposes.

The agency's three Democratic commissioners supported the new regulations, writing in a joint statement that they honor Congress's directive “that people must be notified when their health records are breached.”

The two Republican commissioners dissented, arguing that the rules cover a broader range of services and companies than Congress intended.

The new rules will take effect 60 days after publication in the Federal Register.
