On March 4, 2021, Senator Robert Menendez (D-New Jersey), and Reps. Bonnie Watson Coleman (D-New Jersey) and Mikie Sherrill (D-New Jersey) wrote a letter urging the Federal Trade Commission (FTC) to start enforcing the Health Breach Notification Rule.
The Federal Trade Commission (FTC) has a mandate to protect Americans from bad actors that betray consumer trust and misuse consumers’ healthcare data and has the authority to take enforcement action but is not enforcing compliance with the Health Breach Notification Rule.
The Health Breach Notification Rule was introduced as part of the American Recovery and Reinvestment Act of 2009 and requires vendors of personal health records, PHR related entities, and third-party service providers to inform consumers about unauthorized disclosures of personal health information.
The Health Breach Notification Rule applies to entities not covered by the Health Insurance Portability and Accountability Act (HIPAA), and has similar provisions to the HIPAA Breach Notification Rule. While the HHS’ Office for Civil Rights has enforced compliance with the HIPAA Breach Notification Rule, the FTC has yet to take any enforcement actions against entities over violations of the Health Breach Notification Rule.
In the letter to the Honorable Rebecca Kelly Slaughter, FTC Acting Chair, the lawmakers urged the FTC to take enforcement actions against companies that fail to notify consumers about unauthorized uses and disclosures of personal health information, specifically disclosures of consumers’ personal health information to third parties without consent by menstruation tracking mobile app providers.
The FTC filed a complaint against Flo over the privacy violations and a settlement was reached between Flo Health and the FTC that required the app developer to revise its privacy practices and obtain consent from app users before sharing their health information, however, the complaint did not address the lack of notifications to consumers.
“Stronger [Health Breach Notification Rule] enforcement would be especially impactful in the case of period-tracking apps, which manage data that is both deeply personal and highly valuable to advertisers,” wrote the lawmakers. “Looking ahead, we encourage you to use all of the tools at your disposal, including the Health Breach Notification Rule, to protect women and all menstruating people from mobile apps that exploit their personal data.”