FTC Holds Health Apps Accountable for Breaches

In the spirit of Thanksgiving, we are sharing some news to be grateful for this year. Earlier this fall, the Federal Trade Commission (FTC) issued a policy statement clarifying that the 2009 Health Breach Notification Rule (“the Rule”) applies to health apps and other connected devices, holding their developers accountable for breaches of health data.

Here we explain the clarification and what it means for compliance with the Information Blocking Rule.


When the Rule was published in 2009, health applications were far less common than they are today. With the sharp increase in consumer use of health apps, the FTC recognized that the general public makes assumptions about the privacy and security of the health data they enter into those apps. In particular, consumers generally assume that health information entered into an app is automatically protected by the Health Insurance Portability and Accountability Act (HIPAA), which is usually not the case.

Because the 2009 text of the Rule does not mention apps specifically, many developers of health apps and other connected devices have operated on the assumption that it does not apply to them and have not followed its breach notification requirements.

When Does This Go Into Effect?

Because the FTC's statement clarifies the intent of an existing rule rather than amending it, it is already in effect.

How Does This Impact Health Apps and Patients?

The Rule requires vendors of personal health records (PHRs) and PHR related entities to notify the FTC and affected consumers of breaches of unsecured identifiable health information. Violations can result in civil penalties of up to $43,792 per violation per day.

The FTC determined that health apps fall into this category and provided the following additional clarifications regarding health apps:

  • The developer of a health app or connected device is considered a “health care provider” under the Rule because it furnishes health care services or supplies.
  • A “breach of security” is not limited to cybersecurity incidents; it also includes any disclosure of sensitive health information that the user has not authorized.
  • A “personal health record” is an electronic record of identifiable health information that has the technical capacity to draw information from multiple sources. A health app meets this definition when it can take information from consumer inputs and from application programming interfaces (APIs).
    • For example, an app is covered if it collects information directly from consumers and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker.
    • Similarly, an app that draws information from multiple sources is covered even if the health information comes from only one of them. For example, if a blood sugar monitoring app draws health information from only one source (the consumer’s manually entered blood sugar levels) but also takes non-health information from another source (dates from the phone’s calendar), it is covered under the Rule.

What Does This Mean for Information Blocking Compliance?

As we explained in our April 5 webinar on information blocking, healthcare providers are considered to be information blocking if they refuse to share a patient’s health information with a third-party app of the patient’s choosing. The exceptions, such as being technologically unable to send the information to that app, remain available where they apply, but many clinicians have voiced concern that these third-party health apps are not regulated under HIPAA. As we noted in the webinar, clinicians are permitted to give patients a blanket disclaimer that third-party apps are not covered by HIPAA, so that patients can make an informed decision.

Under these circumstances, we have received questions about what this FTC clarification means for information blocking compliance. You can still issue the blanket this-app-is-not-covered-by-HIPAA disclaimer, but it may behoove you to add that such apps are covered by the FTC’s breach notification rule. You can also recommend that patients carefully read the disclosures they agree to when signing up for an app, to make sure the app meets their privacy and security needs. This matters because, unlike under HIPAA, a disclosure that the consumer has authorized is not a breach under the Rule, even if the consumer did not realize what they were agreeing to when they accepted the app’s terms.

Next Steps

  • Share this information with your practice colleagues.
  • If you’re not a MarsdenAdvisors client and you want hands-on, personalized information blocking compliance assistance, contact us and we will have your back.


If you have any questions on this, contact us and let us know!