NAI Regulatory Summary and Analysis: Statement of the Federal Trade Commission on Breaches by Health Apps and Other Connected Devices
The NAI has published a Regulatory Summary and Analysis in response to the FTC’s September 2021 Policy Statement on the Health Breach Notification Rule and its recent guidance, updated in January 2022.
In September 2021, the Federal Trade Commission issued a Policy Statement intended to clarify the scope of the FTC’s Health Breach Notification Rule (the “Rule”). The purpose of the Rule, finalized in 2009, was to hold non-HIPAA entities accountable in cases of health data breaches by requiring them to notify relevant stakeholders, such as U.S. consumers and the FTC.
The Policy Statement published in September 2021 signals the FTC’s intent to expand enforcement under the Rule, and it interprets the following elements more broadly: (1) covered entities, (2) covered health information, and (3) breach of security.