United States lawmakers urged the Federal Trade Commission (FTC) to exercise its authority and take action against menstruation-tracking mobile apps, which presumably violate the Health Breach Notification Rule by sharing privately collected health data. The Health Insurance Portability and Accountability Act (HIPAA) protects patients’ health information, but not all such information comes from the health industry.
For example, people share private data with mobile apps, but HIPAA doesn’t cover that data. The Health Breach Notification Rule covers this situation, but there’s a problem:
While the Department of Health and Human Services’ Office for Civil Rights enforces HIPAA, the FTC enforces the Health Breach Notification Rule. Or at least the FTC should enforce it, but that doesn’t seem to be the case for at least a couple of menstruation-tracking mobile apps. Congress took notice and asked the FTC to enforce that rule.
“The rule requires personal health record vendors to promptly notify users if an entity has acquired their identifiable health information without their authorization,” said Senator Bob Menendez and Congresswomen Bonnie Watson Coleman and Mikie Sherrill in a letter to the FTC. “The vendor must also notify the FTC, and, in the event of a large breach, notify local media outlets if a threshold number of consumers are impacted in a particular geographical area.”
The lawmakers say that, while the Health Breach Notification Rule has been active for more than a decade, the FTC has yet to enforce it against period-tracking apps disclosing personal health information to third parties without users’ authorization.
The letter singles out two recent cases in which the Flo and Premom apps shared customer data with Big Tech companies such as Facebook or Google without informing the users.