
The High Price of Digital Apps

The Federal Trade Commission (“FTC”) has imposed hefty civil penalties of up to $1.5 million each against digital health and wellness companies for alleged unauthorized disclosure of consumers’ personal health information in violation of the Health Information Technology for Economic and Clinical Health ("HITECH") Act's Health Breach Notification Rule ("HBNR"). Employers are increasingly exploring digital apps and online platforms to enhance member experience and improve employee health outcomes. Navigating the compliance roadmap for these apps is complicated, yet, as recent FTC penalties demonstrate, the cost of failing to comply can be steep. Employers may want to consider the laws and regulations outlined below when evaluating new digital health and wellness programs.

1. HITECH Act HBNR

The FTC enforces the HBNR, which applies to vendors of personal health records that are not subject to HIPAA. Last year, the FTC clarified that the HBNR applies to online services, including websites, apps, and internet-connected devices, that provide health care services or supplies related to medical and wellness issues. As noted above, the FTC will take action against digital health and wellness companies for alleged violations of the HBNR.

2. HIPAA

HIPAA applies to covered entities, such as group health plans and health care providers, and their third-party vendors that create, receive, maintain, or transmit health information on their behalf. Importantly, HIPAA does not apply to health information maintained by anyone who isn’t a covered entity or business associate. For example, HIPAA likely does not apply to consumer health information maintained in an app that isn’t offered by a HIPAA-covered entity or its business associate, even if the health information originated from a covered entity or business associate.

3. DOL Cybersecurity Guidance

Employers should review the DOL Cybersecurity Guidance and its Tips for Hiring a Service Provider when engaging a service provider that will receive employees' personally identifiable information from a group health plan that is subject to ERISA. For more information about the DOL’s Cybersecurity Guidance, please see our previous Groom: In Brief post, Beware of DOL Cybersecurity Audits.

4. Section 5 of the FTC Act

Section 5 of the FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce, including those relating to the privacy and security of personal information (including health information). In 2022, the FTC issued a policy statement outlining its intention to pursue Section 5 enforcement actions. Importantly, the FTC has cautioned that it could bring an enforcement action if an app’s privacy or security features do not comply with the app's privacy notice or any other security “promises” that it makes.

5. State Law Implications

Without a more comprehensive federal privacy framework governing non-HIPAA entities, states have scrambled to fill the void. Many states are implementing comprehensive consumer data privacy laws. Concurrently, states are also adopting separate biometric privacy rules and other health-specific data privacy laws. All of these laws differ, and many of them provide for a private right of action, dramatically expanding the scope of potential risk related to digital health apps. As with other areas of the law, the volume and assortment of privacy laws is creating challenges for employers and other entities with broad geographic footprints.

If you have any questions about how any of these laws may impact your business or your programs, please do not hesitate to reach out to the authors or your Groom attorney.