
FTC Makes Moves to Enhance Data Privacy Oversight

Includes Proposal to Expand Techs, Apps Under Health Breach Notification Regs
The U.S. Federal Trade Commission has issued proposed rule-making to modernize its 14-year-old Health Breach Notification Rule. (Image: FTC)

The Federal Trade Commission on Thursday made a few bold moves to ramp up its oversight of data privacy, including initiating an effort to codify sweeping changes to the Health Breach Notification Rule and releasing a policy statement warning of heightened scrutiny over the use of biometric information.

FTC leadership also indicated publicly that the commission will forge ahead with its privacy litigation against data analytics firm Kochava.

The proposed rule-making changes build on a 2021 policy statement that expanded the commission's interpretation of the breach notification rule. The policy statement attracted unanimous opposition from the two Republican commissioners, who accused their Democratic counterparts of going beyond the agency's statutory authority. Both Republican commissioners have since resigned, leaving the FTC with a majority of three Democratic commissioners.

Thursday's notice of proposed rule-making would enshrine changes from the policy statement, including the applicability of the Health Breach Notification Rule to health apps, fitness trackers and other consumer products.

When the FTC first issued its rule more than a decade ago, the regulations pertained to a narrower definition of "personal health records" not covered under HIPAA. The rule reflected short-lived Obama-era expectations that consumers would take advantage of the portability requirements of HIPAA to store medical data in personal digital records.

The rule went unenforced until earlier this year, when the agency used its expanded interpretation to fine discount prescription drug provider GoodRx $1.5 million (see: FTC Hits Firm With $1.5M Fine in Health Data-Sharing Case).

"As an outgrowth of the COVID-19 pandemic, consumers' use of health-related technologies has increased significantly," FTC Chair Lina Khan said during a public meeting Thursday shortly before the commission voted to publish the proposed rule-making. Once published in the Federal Register, the rule-making proposal will be open to public comment for 60 days.

"Companies these days are collecting, using and disposing of vast amounts of consumers' sensitive data. Consistent with the commission's priorities, we are committed to use every tool available to protect the American public from privacy harms - not just through longer privacy policies and more boxes to check, but through real guardrails on the use and abuse of people's sensitive information," Khan said.

The agency undertook a second health rule enforcement on Wednesday when the developer of fertility logging app Premom agreed it shouldn't share user information with advertisers (see: FTC Fines Fertility App Vendor, Bars It From Data Sharing).

Biometric Information

Commissioners also voted unanimously to issue a policy statement warning that the proliferating use of consumers’ biometric information and related technologies, including those involving machine learning, raises "significant privacy and data security concerns" and the potential for bias and discrimination.

Commissioners directed the agency to ramp up its scrutiny in determining whether companies collecting and using biometric information, or marketing or using biometric technologies, are complying with prohibitions against unfair or deceptive practices.

"If you are making marketing claims about how accurate your technology is or how it isn't biased, you need proof of that. And not just proof from the laboratory where your cameras are high definition or your photos are of perfect quality," said Commissioner Alvaro Bedoya.

Kochava Case Forging Ahead

Khan also indicated that the FTC will forge ahead in its data privacy enforcement action against data analytics vendor Kochava.

An Idaho federal court on May 4 dismissed the agency's lawsuit against Kochava, a bid by the FTC to permanently stop the company from selling geolocation data collected from mobile devices (see: Court Dismisses FTC Complaint Against Data Broker Kochava).

The court also provided 30 days for the FTC to file an amended complaint with a strengthened argument against Kochava.

"This is really an important case for us at the commission," Khan said, adding that FTC attorneys who are leading the case "are all excited to see it move forward."


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



