AMIA Urges FTC to Expand Purview of Health Breach Notification Rule

Monday, August 24, 2020

Nation’s clinical informatics experts urge FTC to address ‘data syphoning’ phenomenon, while noting inability of consumers to report data breaches.

In comments submitted to the Federal Trade Commission (FTC), the American Medical Informatics Association (AMIA) recommended the agency subject username/password information to its Health Breach Notification (HBN) Rule and expand its purview to provide warning to health apps that provide inadequate transparency into its data use, reuse, and exchange.

In May, FTC proposed updates to the HBN Rule, which requires certain companies that provide or service personal health records (PHR) to notify consumers and the FTC of a data breach. The Rule, which first went into effect in 2009, requires PHR vendors and related entities that are not covered by HIPAA to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data.

While AMIA recognized the HBN Rule’s importance as a supplement to HIPAA’s Breach Notification Rule – especially as health data generated across both clinical systems and consumer devices proliferates – AMIA expressed concern that the rule is not doing its job as intended, noting that the FTC has received only three notices of breaches involving 500 or more individuals in the last ten years. Further, AMIA pointed out that FTC’s definitions around PHRs are incongruent with the current consumer health app ecosystem. AMIA thus recommended that FTC take near-term action and develop guidance that: 1) explicitly includes usernames/passwords maintained by a HIPAA non-covered entity (NCE) as being considered PHR-identifiable health information (thus subject to the HBN Rule if breached); and 2) expand on the concept of “unauthorized access” under the definition of “Breach of security,” to be presumed when a PHR or PHR-related entity fails to adequately disclose to individuals how user data is accessed, processed, used, reused, and disclosed.

AMIA further highlighted the need for FTC to address “data syphoning,” a rising phenomenon not contemplated by the HITECH Act that created the HBN Rule, or subsequent regulation. Data syphoning occurs when apps share health data without individuals’ knowledge or consent. Recent research on how user data are shared by top rated health apps and how privacy risks are characterized to app users has found that sharing of user data is routine, yet far from transparent. At issue with this phenomenon is the lack of express consent and the pervasive use of terms of service agreements to provide blanket coverage for any and all data transfers – current and future.

Finally, AMIA noted a fundamental reporting issue, in that notices received by the FTC are designed to come from businesses who have been breached, rather than from the consumers whose data was the subject of the breach. The comments pointed to the 2018 incident involving a breach of names and other information of Facebook users belonging to cancer-related private groups. The users, however, rather than Facebook, discovered and notified others of the breach themselves. AMIA argued that incidents like these are underreported and contribute to compromising the consumer protections at the core of the HBN Rule.

“Over the past decade, health data have proliferated well beyond the four walls of our hospitals and doctors’ offices,” said, Patricia C. Dykes, PhD, RN, FAAN, FACMI, AMIA Board Chair and Program Director of Research at the Brigham and Women’s Center for Patient Safety, Research, and Practice. “It’s past time for regulators to empower consumers to know how their data is be being used, or in some cases, abused.”

AMIA’s full comments to the FTC can be found here.