Flo Health, Inc., which marketed an app used by more than 100 million women interested in tracking their personal menstruation and fertility information, seems to be getting off easily as compared with HIPAA-covered entities who misuse individual health information. The FTC’s January 13, 2021 press release announcing its proposed settlement with Flo Health sidesteps mention (let alone enforcement) of a federal law (and the FTC’s own rule). This puzzling sidestep deserves attention, not only in light of the proliferation of the use of personal health apps, but given the particularly sensitive nature of the health information collected by the Flo Health app.
The Health Information Technology for Clinical and Economic Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act of 2009 (the Recovery Act), not only amended HIPAA, but added HIPAA-like breach notification requirements that apply to vendors of “personal health records” (PHRs) that are not covered entities, business associates, or subcontractors subject to HIPAA. As described by the FTC in a “request for comment” published last May:
The Recovery Act recognized that vendors of personal health records and PHR related entities (i.e., companies that offer products and services through PHR websites or access information in or send information to PHRs) were collecting consumers’ health information but were not subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (‘‘HIPAA’’). The Recovery Act directed the FTC to issue a rule requiring these entities, and their third-party service providers, to provide notification of any breach of unsecured individually identifiable health information. Accordingly, the HBN [Health Breach Notification] Rule requires vendors of PHRs and PHR related entities to provide: (1) Notice to consumers whose unsecured individually identifiable health information has been breached; (2) notice to the media, in many cases; and (3) notice to the Commission…
The [HBN] Rule requires notice ‘‘without unreasonable delay and in no case later than 60 calendar days’’ after discovery of a data breach. If the breach affects 500 or more individuals, notice to the FTC must be provided ‘‘as soon as possible and in no case later than ten business days’’ after discovery of the breach.”
Yet, surprisingly, the FTC’s Flo Health press release and proposed settlement is completely silent with respect to Flo Health’s failure to abide by the Recovery Act and the FTC’s own breach notification rule.