FTC Issues Revised Health Breach Notification Rule for Digital Health Companies: What You Need to Know

Digital Health Companies Now Required by New FTC Rule to Notify Users of Data Breaches

In the wake of a final rule issued by the Federal Trade Commission (FTC) on April 26th, digital health companies such as BetterHelp and Calmerry will face increased scrutiny regarding the use of personal health information. The FTC revised its Health Breach Notification Rule in response to multiple enforcement actions; under the revised rule, digital health apps and trackers can be penalized if they fail to notify users when personal health information is disclosed without consent.

The updated rule broadens the definition of personally identifiable health data to include both traditional health information like diagnoses and emergent health data such as location information and healthcare-related purchases. It also includes a broad definition of healthcare services, signaling to companies that even wellness apps passively tracking data for users may now fall under the FTC’s enforcement oversight.

Digital health companies offer privacy protections in their terms and conditions, but many are not subject to HIPAA regulations because they are not considered “covered entities” that submit electronic claims for insurance billing like traditional healthcare providers. The rule provides companies with examples of messages they can send to notify individuals of security breaches or improper disclosures.

Companies must comply with the new requirements for handling personal health information or face penalties from the FTC. The final rule will go into effect 60 days after its publication in the Federal Register, putting digital health companies on notice that they must take this matter seriously if they want to avoid legal consequences.
