On March 4, 2021, Senator Robert Menendez (D-New Jersey) and Reps. Mikie Sherrill (D-New Jersey) and Bonnie Watson Coleman (D-New Jersey) wrote a letter urging the Federal Trade Commission (FTC) to begin enforcing the Health Breach Notification Rule.
The FTC is mandated to protect US citizens from bad actors that betray consumer trust and misuse consumers’ healthcare data. It has the power to take enforcement action but is not enforcing compliance with the Health Breach Notification Rule.
The Health Breach Notification Rule was introduced in connection with the American Recovery and Reinvestment Act of 2009. It requires vendors of personal health information, PHR-associated entities, and third-party service providers to notify consumers of unauthorized disclosures of personal health information.
The Health Breach Notification Rule covers all entities not covered by the Health Insurance Portability and Accountability Act (HIPAA) and has the same requirements as the HIPAA Breach Notification Rule. The HHS’ Office for Civil Rights already enforces compliance with the HIPAA Breach Notification Rule; however, the FTC has not taken any enforcement actions against entities that violated the Health Breach Notification Rule.
In the letter, sent to the FTC’s Acting Chair, the Honorable Rebecca Kelly Slaughter, the lawmakers told the FTC to take enforcement action against organizations that do not inform consumers of unauthorized uses and disclosures of personal health records, particularly menstruation-tracking mobile app developers that disclose consumers’ personal health data to third parties without permission.
The FTC issued a complaint against Flo for personal data privacy violations and reached a settlement with Flo Health that required the software developer to modify its privacy practices and get authorization from application users before sharing their health data. However, the complaint did not address the failure to issue notifications to consumers.
The lawmakers advocate stricter Health Breach Notification Rule enforcement, especially for vendors of period-tracking applications, which handle highly personal information that is very valuable to advertisers. All tools, including the Health Breach Notification Rule, must be used to protect women and all menstruating people from mobile apps that exploit their personal data.