CHIME Prompts FTC to Strictly Implement Health Breach Notification Rule

The College of Healthcare Information Management Executives (CHIME) has recently submitted comments to the Federal Trade Commission (FTC) on its Advance Notice of Proposed Rulemaking (ANPR) on the Trade Regulation Rule on Commercial Surveillance and Data Security. CHIME has urged the FTC to hold health apps and data brokers accountable for unlawful health data disclosures and for unfair or deceptive data practices.

On August 22, 2022, the ANPR was published in the Federal Register seeking feedback from healthcare sector stakeholders, particularly on whether the Commission should adopt new trade regulation rules or other regulatory measures governing the ways in which businesses collect, aggregate, secure, use, analyze, and retain consumer information, and transmit, share, sell, or otherwise monetize that information in ways that are unfair or deceptive.

CHIME has expressed strong support for the actions proposed by the FTC, given the prevalence of commercial surveillance and data practices that harm individuals. This is a particular concern for health information because of the extent to which mobile devices and health apps are now used to collect, process, and transmit it. HIPAA generally does not cover mobile apps, so the information collected, processed, and disclosed through those apps is not protected by the HIPAA Privacy and Security Rules, and the health information collected is often sold to data brokers.

CHIME praised the FTC’s efforts to protect consumer health data and its clarification of its authority under the Health Breach Notification Rule. The September 2021 Policy Statement on Breaches by Health Apps and Other Connected Devices states that vendors of personal health records (PHRs) and related entities must notify the FTC and consumers of breaches of unsecured identifiable health data, and that violations may result in civil penalties.

Clarification was needed because the Health Breach Notification Rule was issued more than 10 years ago and had never been enforced by the FTC, which is especially significant given the volume of health information now held by entities that are not required to comply with HIPAA. CHIME cited an IQVIA Institute for Human Data Science estimate that there are currently about 350,000 publicly available health apps, and noted that the volume of health information stored or transmitted by these apps may now exceed the volume of data held by HIPAA-covered entities.

CHIME strongly supports new trade regulation rules that make use of the FTC’s existing authority to protect consumers. It is urging the FTC to move into this space by using and enforcing its clear, concise, and existing authority under the Health Breach Notification Rule to hold non-HIPAA-covered third parties (namely, vendors of PHRs and PHR-related entities) accountable when they unlawfully disclose covered data, whether deliberately or not. CHIME believes the FTC’s enforcement actions will help protect consumers’ health information and will encourage businesses operating PHRs and PHR-related entities to strengthen their information security practices.

The FTC has stated that the Health Breach Notification Rule does not apply to HIPAA-covered entities or to entities acting solely as HIPAA business associates. CHIME stated, however, that its members would welcome clarification on how the possible forthcoming proposed rule on Commercial Surveillance and Data Security relates to the FTC’s existing authority under the Health Breach Notification Rule, and on information held by HIPAA-covered entities (CEs) that is not itself covered by HIPAA (i.e., de-identified data).

Many Americans are unsure when health data is covered by HIPAA and when it is not, for example when health information is collected through health apps. CHIME has called for clear, transparent communication with consumers about how their data is being used, monetized, and protected, and states that this will be crucial in future rulemaking.

CHIME believes it is time for the FTC to take action against vendors of PHRs and PHR-related entities that have lax information protection practices or are flagrantly ignoring the law, and for notices and penalties to be issued under the existing authority granted to the FTC by the Health Breach Notification Rule. CHIME has also urged the FTC to do far more to prevent data breaches and the sale of consumer health information before they happen, by imposing practical and strict privacy and security requirements on organizations to better protect consumer information.

CHIME likewise advises the FTC to ensure that consumers know precisely how their information will be used before they adopt any company’s technology, and has suggested questions about health apps that should be considered in future rulemaking.