FTC steps up scrutiny of digital health apps with proposed changes to data privacy rule

The Federal Trade Commission (FTC) is taking action to address the issue of digital health apps sharing sensitive medical information with tech companies. In an effort to enhance transparency and enforce regulations, the FTC has proposed changes to its Health Breach Notification Rule. This article discusses the proposed amendments and recent enforcement actions taken by the FTC.

Proposed Changes to Health Breach Notification Rule:

1.1 Expanding Application of the Rule:

The Federal Trade Commission (FTC) is clarifying that health apps and trackers, as well as medical practice management software, will be subject to enforcement actions and potential penalties if they fail to notify consumers when their health information is disclosed without their consent. This amendment ensures that the rule applies to the increasing number of health-related technologies in the market.

The FTC’s Health Breach Notification Rule, which was originally issued in 2009, requires covered entities to notify consumers of any breaches of their personal information. However, the rule did not specifically mention health apps and trackers, or medical practice management software. This meant that these companies were not required to notify consumers if their health information was breached.

The FTC’s proposed amendment would change this by specifically including health apps and trackers, as well as medical practice management software, within the definition of “covered entities.” This would mean that these companies would be required to notify consumers if their health information was breached.

The FTC says that the proposed amendment is necessary to protect consumers from the risks of data breaches. The agency says that health apps and trackers, as well as medical practice management software, are increasingly popular, and that they collect a wide range of sensitive health information from consumers.

1.2 Addressing Evolving Technologies:

The proposed changes emphasize the need for timely notification of breaches involving sensitive health information collected by mobile health app developers and other parties covered by the Health Breach Notification Rule. By adapting to changing technology and market trends, the rule can effectively respond to new developments.

Definition of Personally Identifiable Health Information:

The FTC’s proposed rule identifies personally identifiable health information as encompassing traditional health data like diagnoses and medications, as well as information derived from fitness trackers and “emergent health data.” This emergent data refers to health information inferred from sources such as location data and health-related purchases.

Public Comment Period:

The opportunity for members of the public to provide comments on a proposed FTC rule is a crucial aspect of the regulatory process. Allowing stakeholders to express their opinions and concerns within a specified timeframe, typically 60 days, ensures that the rule undergoes a thorough evaluation and consideration of its potential impact. This practice promotes transparency, inclusivity, and democratic principles in the rulemaking process.

By providing a designated comment period, the FTC enables individuals and organizations affected by the proposed rule to actively participate in shaping the outcome. This engagement allows stakeholders to share their expertise, experiences, and perspectives, which can greatly contribute to the FTC’s understanding of the potential benefits and drawbacks of the proposed changes.

Public comments serve as a vital source of information for the FTC. They provide valuable insights, data, and evidence that may have been overlooked during the initial drafting of the rule. Comments can help identify unintended consequences, potential loopholes, or alternative approaches that should be considered to ensure the rule achieves its intended objectives effectively.

Recent Enforcement Actions:

4.1 GoodRx Case:

In February, the FTC initiated enforcement action against GoodRx, a telehealth and discount prescription drug provider, for violating the Health Breach Notification Rule. GoodRx was accused of sharing sensitive personal health information with advertising entities without notifying users. Although GoodRx agreed to pay $1.5 million in civil penalties, it did not admit any wrongdoing.

4.2 Premom Case:

Premom, a period tracking app developer, faced charges from the FTC for misleading users by sharing sensitive health information for advertising purposes in violation of the Health Breach Notification Rule. The developer, Easy Healthcare, agreed to pay $100,000 in civil penalties. The proposed order mandates that Easy Healthcare obtain user consent before sharing health data and prohibits sharing protected health information with third parties for advertising purposes.

4.3 Flo Case:

RCM companies, or retail-commerce marketing companies, are businesses that use data to target consumers with ads for products and services. Flo’s privacy policy stated that it would not share users’ health information with third-party companies, but the FTC found that the app had shared this information with RCM companies without users’ consent.

The FTC’s fine against Flo was $2 million. The agency also required Flo to make changes to its privacy policy and to get users’ consent before sharing their health information with third-party companies.

The FTC’s action against Flo sends a message to other companies that collect and use personal data. Companies must be transparent about how they collect and use this data, and they must get users’ consent before sharing it with third-party companies.
One key aspect of the proposed changes is the emphasis on timely notification of data breaches to consumers. Prompt notification is essential in enabling affected individuals to take appropriate actions to protect themselves, such as changing passwords, monitoring financial accounts, or seeking additional medical advice if their health data has been compromised. By requiring health app developers to promptly notify consumers of data breaches, the FTC aims to enhance transparency and empower individuals to mitigate potential harm resulting from such incidents.

Recent enforcement actions taken by the FTC further illustrate the agency’s commitment to enforcing regulations and holding companies accountable for mishandling sensitive health information. These actions send a strong message to the digital health app sector, underscoring the importance of complying with data protection and privacy requirements. By publicizing enforcement actions, the FTC aims to raise awareness among both developers and consumers about the potential risks associated with inadequate data security practices.

The proposed changes to the Health Breach Notification Rule, combined with enforcement actions, demonstrate the FTC’s dedication to safeguarding consumer interests in the digital health app sector. The agency’s efforts are aimed at fostering trust and confidence in the use of these apps, ensuring that individuals can leverage the benefits of digital health technology while maintaining control over their personal information.

In conclusion, the proposed changes to the Health Breach Notification Rule by the FTC reflect the need to address evolving technologies and protect consumer data in the digital health app sector. By expanding the rule’s scope and enforcing compliance, the FTC aims to promote transparency, accountability, and consumer protection in an increasingly interconnected and data-driven healthcare landscape.

Author Bio:

Nathan Bradshaw is a Senior Health IT Journalist, Researcher & Writer. With 15 years of experience in health reform, IT consulting, emerging technology assessment, quality programs, governance, compliance and information security, he is your go-to person for leveraging technology to gain competitive advantage. You can connect with Nathan at
