On March 4, 2021, Senator Robert Menendez (D-New Jersey) and Reps. Mikie Sherrill (D-New Jersey) and Bonnie Watson Coleman (D-New Jersey) wrote a letter urging the Federal Trade Commission (FTC) to begin enforcing the Health Breach Notification Rule.
The FTC is mandated to safeguard US citizens from entities that betray consumer trust and misuse consumers' healthcare data, and it has the power to take enforcement action, but it has not been enforcing compliance with the Health Breach Notification Rule.
The Health Breach Notification Rule was introduced under the American Recovery and Reinvestment Act of 2009 and requires vendors of personal health records (PHRs), PHR-related entities, and third-party service providers to notify consumers of unauthorized disclosures of personal health information.
The Health Breach Notification Rule covers entities not covered by the Health Insurance Portability and Accountability Act (HIPAA) and has requirements identical to those of the HIPAA Breach Notification Rule. The HHS' Office for Civil Rights already enforces compliance with the HIPAA Breach Notification Rule; the FTC, however, has not taken any enforcement action against entities that violated the Health Breach Notification Rule.
In the letter sent to FTC Acting Chair Honorable Rebecca Kelly Slaughter, the lawmakers urged the FTC to take enforcement action against organizations that fail to inform consumers of unauthorized uses and disclosures of personal health records, in particular developers of menstruation tracking mobile apps that disclose consumers' personal health data to third parties without permission.
Over the past few years, a number of menstruation and fertility tracking apps have been found to be sharing user information with third parties without authorization. In 2019, a Wall Street Journal investigation revealed that the period tracking app Flo was disclosing users' personal health data to third parties without obtaining permission. Although Flo Health stated in its privacy policy that users' personal health data would be protected and not shared with third parties, user details were in fact being disclosed to tech companies such as Google and Facebook.
The FTC issued a complaint against Flo for personal data privacy violations and reached a settlement with Flo Health that required the developer to change its privacy practices and obtain authorization from app users before sharing their health data; the complaint, however, did not address Flo's failure to notify consumers.
Flo is just one of the period tracking apps that disclose consumers' personal health details without permission. The International Digital Accountability Council found that the privacy policy of the fertility tracking app Premom differed from its actual data-sharing practices and that the app was disclosing user information without authorization. In 2019, Privacy International investigated the privacy violations of a different period tracking app and found that user data was sent to Facebook before users were able to view changes to its privacy policy and give their consent.
The lawmakers call for stricter enforcement of the Health Breach Notification Rule, especially against vendors of period-tracking apps, which handle highly personal information that is very valuable to advertisers. All available tools, including the Health Breach Notification Rule, must be used to protect women and all menstruating people from mobile apps that exploit their personal data.