FTC to have oversight over third-party apps for data violations
Agency will look for deceptive and unfair practices and privacy issues, but healthcare organizations still bear education responsibilities.
The Federal Trade Commission expects to play a role in looking for abuses posed by third-party apps, which will have increasing access to patient data because of recent federal regulations.
In the past, the FTC has stepped in to address violations by companies that misrepresented their data use or were negligent in protecting patient privacy, said Ryan Mehm, an attorney in the FTC’s Division of Privacy and Identity Protection.
Speaking at a symposium on security hosted last week by the Workgroup for Electronic Data Interchange (WEDI), Mehm said the oversight of apps will be an extension of the agency’s purview of health privacy work, especially as apps, enabled by application programming interfaces, enable more patient health data to migrate to settings not overseen by HIPAA.
However, the FTC role will not involve deeming which apps have good or bad security practices, and that will raise the ante for healthcare organizations to educate consumers about scrutinizing how apps enable downstream use of their data.
Traditionally, the FTC has stepped in to investigate and cite violations when health organizations fail to inform consumers about data use or provide insufficient privacy protections, Mehm said. Section 5 of the FTC Act prohibits deceptive and unfair practices.
“We often get asked if FTC enforces HIPAA, and we do not. But we do have jurisdiction over HIPAA-covered entities, and we do coordinate with (the Department of Health and Human Services),” he noted. For example, one such enforcement involved Flo Health, the developer of a period and fertility tracking app that shared users’ data with other organizations after promising consumers that it would not do so. The company settled with the FTC in June 2021.
The FTC also plays "a sister role" in support of breach notification rules that require healthcare organizations to file information with federal agencies and alert the public when patient data is inappropriately released. This also could come into play for third-party app developers if patient data is inappropriately released. "In the FTC's view, health apps are providers under the rule, and developers furnish what can be seen as healthcare services or supplies, i.e. the health apps. The important takeaway is that the rules apply to health apps."
In the feedback the FTC has received, there's been "broad support" from commenters that breach notification rules should apply to developers of health apps. While the FTC has not formally said whether a disclosure of patient information would be covered by breach policies, "the Commission has been clear that it can go beyond breach notifications" in its enforcement actions, Mehm said.
Healthcare organizations will play a significant role in helping patients realize they will bear increased responsibility for protecting their own information while interacting with third-party apps, said Andrew Tomlinson, director of federal affairs for the College of Healthcare Information Management Executives (CHIME).
Information blocking rules mean that "you have to fulfill requests in a digital format containing patients' information," he said. "You still need to comply." While the information blocking rules offer exceptions to not provide patient data, the onus is on the provider to prove that doing so would compromise its internal systems. Providers can't avoid compliance by contending an app is not secure. "That's up to the patient; you cannot dissuade them from using that application."
WEDI and CHIME are developing a joint resource with information about how to protect health data, toward which organizations can direct patients. "That's why it's important to talk to patients about this and how to direct their data." For example, consumers must be educated to read apps' privacy terms and conditions, find out what data the app is collecting and where it's stored, and to know if the app developers will share or sell the data.