Flo Health, Inc., which marketed an app used by more than 100 million women interested in tracking their personal menstruation and fertility information, seems to be getting off easily compared with HIPAA-covered entities that misuse individual health information.  The FTC’s January 13, 2021 press release announcing its proposed settlement with Flo Health sidesteps any mention (let alone enforcement) of a federal law and of the FTC’s own rule.  This puzzling sidestep deserves attention, not only in light of the proliferating use of personal health apps, but also given the particularly sensitive nature of the health information collected by the Flo Health app.

The Health Information Technology for Clinical and Economic Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act of 2009 (the Recovery Act), not only amended HIPAA, but added HIPAA-like breach notification requirements that apply to vendors of “personal health records” (PHRs) that are not covered entities, business associates, or subcontractors subject to HIPAA.  As described by the FTC in a “request for comment” published last May:

“The Recovery Act recognized that vendors of personal health records and PHR related entities (i.e., companies that offer products and services through PHR websites or access information in or send information to PHRs) were collecting consumers’ health information but were not subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (‘‘HIPAA’’).  The Recovery Act directed the FTC to issue a rule requiring these entities, and their third-party service providers, to provide notification of any breach of unsecured individually identifiable health information. Accordingly, the HBN [Health Breach Notification] Rule requires vendors of PHRs and PHR related entities to provide: (1) Notice to consumers whose unsecured individually identifiable health information has been breached; (2) notice to the media, in many cases; and (3) notice to the Commission…

The [HBN] Rule requires notice ‘‘without unreasonable delay and in no case later than 60 calendar days’’ after discovery of a data breach. If the breach affects 500 or more individuals, notice to the FTC must be provided ‘‘as soon as possible and in no case later than ten business days’’ after discovery of the breach.”

Yet, surprisingly, the FTC’s Flo Health press release and proposed settlement are completely silent with respect to Flo Health’s failure to abide by the Recovery Act and the FTC’s own breach notification rule.  Although its impermissible practices seem to have been “discovered” back in February of 2019 (see here for the original WSJ reporting revealing Flo Health’s data practices), Flo Health failed to notify its millions of female users that it had allowed their personal and uniquely sensitive health information to be used by third parties, including Google and Facebook, for their own purposes, including advertising.

While the proposed settlement requires website notice and individual email/mobile app notice within 14 days after the filing of the Consent Order, such notice would come well beyond the 60-days-after-discovery deadline.   In addition, as drafted by the FTC, the notice focuses on what was not improperly disclosed (name, address, or birthday) rather than on what was.  When a covered entity notifies individuals, regulators, and the media of a HIPAA breach, it must include a description of the types of information involved in the breach.

Two FTC commissioners, Rohit Chopra and Rebecca Kelly Slaughter, picked up on the FTC’s failure to enforce the Recovery Act and the FTC breach notification rule. Their Joint Statement points out that the “explosion in connected health apps” makes the breach notification rule “more important than ever”:

“[S]ervices like Flo need to come clean when they experience privacy or security breaches.”

Unless they do, health app users will have no idea when their trust is misplaced.