How Evolving Privacy Regulations Affect Consumer Health AppsAttorney Brad Rostolsky Discusses FTC's Health Breach Notification Rule, State Laws
Health technology providers - including makers of mobile health apps, personal health records, fitness devices and an array of other related products and services - must keep a watchful eye on critical evolving privacy and regulatory issues in the months ahead, says attorney Brad Rostolsky of the law firm Reed Smith.
For instance, the Federal Trade Commission in September issued guidance warning that certain entities not covered under HIPAA, including vendors of personal health records and mobile health apps, will face potential monetary penalties for failure to comply with the commission's 12-year-old- and so far never-enforced - Health Breach Notification Rule (see: FTC: Health App, Device Makers Must Report Breaches).
The guidance has prompted health technology providers that intentionally framed their businesses directly to consumers, in part to help avoid falling under the HIPAA umbrella, to now reassess the privacy and security regulatory considerations of their products.
It's a matter of time before the FTC issues its first enforcement action under that rule, Rostolsky says, "and it will be interesting to see what the facts look like and who are the targets. Will [regulators] be looking at health app vendors through a magnifying glass, or will it be broader that that?"
In the meantime, states - including California, Virginia and Colorado - are implementing new privacy regulations that also potentially affect makers of medical devices and health apps, Rostolsky says.
"These laws generally incorporate a private right of action so that the individuals who are adversely affected by an incident are able to take some sort of [legal] action themselves, utilizing the state law. This is different from HIPAA where there is no private right of action."
In the interview (see audio link below photo), Rostolsky also discusses:
- Other effects state privacy law trends may have on the makers of mobile health apps, medical device makers and other health product vendors that fall outside the scope of HIPAA;
- Other critical considerations involving the FTC Health Breach Notification Rule;
- His advice to makers of digital health products regarding data security and privacy regulatory issues.
Rostolsky is a partner with Reed Smith’s HIPAA and health privacy and security practice. He advises clients - including hospitals, medical practices, electronic health records providers, medical device companies and others - on privacy and security issues, such as cyber and ransomware attack readiness and response, and compliance with new developments concerning federal regulations and state laws.