In the healthcare industry we often associate information privacy and security enforcement with HIPAA and state privacy laws. However, a lesser-known but in some cases just as significant regulator of information privacy is the Federal Trade Commission (“FTC”). This is especially true with regard to mobile health applications, which, depending on how they function and collect personal information, may not be regulated by HIPAA at all. Regardless of whether you have to comply with HIPAA, if you run applications or software that can access personal information, then the FTC’s privacy requirements should also be on your radar.
The means by which the FTC regulates privacy is the FTC Act, a consumer protection law that gives the FTC authority to go after “unfair or deceptive acts or practices” in or affecting commerce. An unfair practice is a practice that is likely to cause “substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
Also in February 2013, the FTC reached a settlement with HTC America, Inc. (“HTC”), a manufacturer of mobile phones. The FTC alleged that HTC engaged in unfair security practices when the modifications it made to the operating systems of its devices created security vulnerabilities. Specifically, HTC’s modifications allowed certain applications already on a user’s device to download other applications without the user’s consent. HTC also failed to deactivate the “debug” code on its devices, which meant that HTC devices could record logs of each user’s internet activity and make those logs available to HTC, or to any application on the user’s device with permission to read the logs. Again, the FTC charged HTC with misleading representations, because HTC’s user manuals and mobile device interfaces suggested that consumer data would not be disclosed to third parties without consumer permission.
Some insights on the FTC’s approach to privacy can be distilled from these two enforcement actions. First, the FTC expects companies to provide users with meaningful choices about the amount of sensitive information that is shared with the company, and default settings should maximize privacy protections. Second, the FTC appears to be taking the position that the FTC Act allows it to determine appropriate security standards for mobile devices, and that it expects companies to provide users with technically secure products; applications or devices that are unreasonably susceptible to unauthorized third-party manipulation could be considered unfair trade practices. Finally, and perhaps most importantly, the FTC may treat a company’s failure to comply with its own stated privacy policies as a misrepresentation and therefore a deceptive trade practice.
If you are a mobile health company with access to personal information, at a minimum you should have privacy and security policies in place and be taking steps to ensure that you are not engaging in activities that violate your own policies.