“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by David LeDuc, VP for public policy at the Network Advertising Initiative.
In January, the Federal Trade Commission (FTC) updated its guidance pertaining to the Health Breach Notification Rule, making changes that are significant for any company using health-related data. The new FTC guidance greatly increases the likelihood that the agency will consider enforcement actions against companies sharing health data for advertising purposes.
The FTC’s new guidance builds on a revised interpretation published in September 2021, a major departure from when the rule was finalized in 2009. The rule was originally meant to hold non-HIPAA entities accountable in cases of health data breaches by requiring them to notify U.S. consumers and the FTC.
Now, the FTC has signaled its intent to expand enforcement, offering clearer guidance on which entities are covered, what health information is covered and what constitutes a data breach.
Who is covered?
Prior to the FTC’s Policy Statement, it was an unsettled interpretative issue whether the rule applies to health apps and devices – any applications that consumers use to “store and process data about anything related to health.”
In fact, the FTC requested public comment on this question as recently as 2020. The new Policy Statement, however, declares the rule does apply to such apps and devices because they are health-care providers. Thus, they are vendors of Personal Health Records (PHR).
What is covered health information?
The scope of covered health information includes not only data collected from device sensors (such as fitness trackers measuring steps and heart rate), but also data input by consumers, such as weight and calories, when combined with other data. Under the previous guidance, the FTC indicated the rule did not apply to data that consumers input.
However, the 2021 Policy Statement and updated guidance explicitly states that apps drawing information from multiple sources, “even if the health information comes from one source,” are vendors of PHR.
For example, a blood-sugar-monitoring app that draws health information from only one source (the consumer) but also takes non-health information from another source (such as dates from a calendar), would need to get explicit consumer consent before sharing covered data. Otherwise, the app could be found to have a breach of security.
The Policy Statement also explicitly states that the rule applies to apps and devices that have the “technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker.”
What constitutes a “data breach”?
Perhaps most important for the digital advertising industry, a “breach” of covered information now includes any sharing or acquisition of covered health information without an individual’s specific authorization.
For example, Republican FTC commissioners point out that Flo Health would have been liable for violating the new interpretation of the Health Breach Notification Rule by sharing device identifier information of its users with companies like Google.
One thing to note is that unauthorized access does not constitute a “breach” if the information cannot reasonably identify an individual. For example, “de-identified” information is exempt from the rule. However, the FTC does consider device identifiers and advertising identifiers as “reasonably identifiable” to an individual.
The rule isn’t exactly groundbreaking
The good news for responsible ad-tech and marketing companies is that industry self-regulation already limits uses of health data that’s likely to put them on the FTC’s radar. For example, existing best practices from other organizations (such as the NAI Code of Conduct) already restrict companies from using sensor data on users’ devices for digital advertising purposes without the user’s opt-in consent and limit the collection and use of data for health-related advertising.
Keep an eye on the FTC’s enforcement priorities related to the sharing of health data. Time will tell exactly what the updated guidance will mean for advertisers.