July 24, 2023

Rep. Schiff Urges FTC to Implement Stronger Protections for Patient Health Data on Apps

Washington, DC — Today, Representative Adam Schiff (D-Calif.) urged the Federal Trade Commission (FTC) to implement stronger protections for patient health data collected by digital health companies. A letter to the FTC, led by Schiff, also notes support for their proposed rule to require digital health companies that aren’t covered by HIPAA to notify individuals, the FTC, and in certain cases, the media when there is a breach of unsecured personal health data. The proposed rule would also require the companies to include in their notice any potential harm that could stem from the data breach and which third parties may have acquired the personal health data.

Representatives Greg Casar (D-Texas), André Carson (D-Ind.), Sara Jacobs (D-Calif.), Seth Magaziner (D-R.I.), and Kim Schrier (D-Wash.) also signed the public comment. 

“Apps that seek to provide health care services inherently have access to deeply private consumer information, and therefore must be held to a higher standard. We have been disheartened to see various mental health apps fall short of their privacy promises, giving away their data to third parties using deceptive practices. Consumers using these resources place a level of trust into these apps – only for it to be exploited by the very apps claiming to provide care,” the lawmakers wrote. “The recent Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization has created a hostile political environment in which vulnerable consumers seeking abortion services live in fear that data collected through health apps could be used against them. These fears have been validated following cases of data breaches in which menstrual tracking app users have learned that their data has gone past the app they used and into the hands of third parties.”

They continued, “As Members of Congress, we have a duty to protect our constituents and their personal health information. We are glad to see the FTC take an important step in strengthening protections for consumers’ health data. We strongly encourage the FTC to finalize this proposed rule.”

The full letter can be found here and below:

Dear Commissioner Khan,

We write to express our support for the notice of proposed rulemaking (NPRM) announced by the Federal Trade Commission (FTC) on May 18, 2023, that would amend and strengthen the Health Breach Notification Rule (HBNR). Following recent settlements between FTC and online health applications, it is clear that digital health companies have been negligent with consumer data. Our constituents’ health information deserves to be protected and private, and we applaud efforts by the FTC to strengthen and modernize online privacy protections for health data. 

In recent years, we have seen apps that have been advertised as safe and secure – such as GoodRx and BetterHelp – disclose consumer data without notifying consumers of the violation of their terms of agreement. These apps offer access to critical health services, such as menstruation tracking and mental and behavioral health services. But recent work by FTC has demonstrated that some of the most used digital health platforms have collected and disclosed vast amounts of personal health data to third parties, who are not bound to protect this data in any way.

Apps that seek to provide health care services inherently have access to deeply private consumer information, and therefore must be held to a higher standard. We have been disheartened to see various mental health apps fall short of their privacy promises, giving away their data to third parties using deceptive practices. Consumers using these resources place a level of trust into these apps – only for it to be exploited by the very apps claiming to provide care. The recent Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization has created a hostile political environment in which vulnerable consumers seeking abortion services live in fear that data collected through health apps could be used against them. These fears have been validated following cases of data breaches in which menstrual tracking app users have learned that their data has gone past the app they used and into the hands of third parties.

We agree with the assertion by FTC that apps that provide health services to users and have personal health records (PHR) qualify as vendors of personal health records and must be regulated as such. There is a need for much greater transparency when this data is mishandled, and the FTC rule will require these apps to notify individuals, the FTC, and in some cases the media of a breach of unsecured personally identifiable health information. We also support the portion of the rule that would require the consumer notice to “include information about the potential harm stemming from the breach and the names of any third parties who might have acquired any unsecured personally identifiable health information.” We believe this is pivotal to allow consumers to take appropriate steps after a breach to protect themselves.

As Members of Congress, we have a duty to protect our constituents and their personal health information. We are glad to see the FTC take an important step in strengthening protections for consumers’ health data. We strongly encourage the FTC to finalize this proposed rule. We are looking forward to continuing to work with the FTC in the online privacy space.

###