The FTC Strengthens Health Breach Notification Rule
In April 2024, the FTC (Federal Trade Commission) made important updates to a rule designed to protect people’s health information, especially when it’s managed by health apps and wearable devices that aren’t covered by traditional health privacy laws like HIPAA.

Back in 2023, The Light Collective organized to call for patient communities to respond to the FTC’s request for comment on the final rule. We also submitted a letter directly from The Light Collective.

This past week, the Final Rule was published, and we are pleased to share that multiple voices in our community were cited. Further, the Final Rule cited The Light Collective’s comments 6 times!

This update is significant for patient communities because it strengthens how their sensitive health information is protected in several key ways:

  1. Broader Coverage: The updated rule now clearly includes modern technologies like health apps on your phone or fitness trackers on your wrist. This means more types of companies must follow strict privacy rules, protecting more of your health data.
  2. Clear Definitions of Breaches: A “breach” now clearly includes any unauthorized access to your health information, whether someone stole it or accidentally shared it without permission. This broad definition helps ensure that any mishandling of your data triggers protective actions.
  3. Immediate Notifications: If your data is breached, the company must inform you quickly—within 60 days. This prompt notification allows you to take steps to protect yourself from potential harm, like identity theft or privacy invasions.
  4. Detailed Alerts: When you’re notified of a breach, the notice will give you more details, including who might have accessed your information and what specific type of health data was involved. This transparency helps you understand the potential impacts better.
  5. Stronger Penalties for Non-compliance: Companies now face stiffer penalties if they don’t protect your health data properly. This should motivate them to take your data security more seriously.
  6. Enforcement History: Interestingly, despite this rule existing since 2009, it wasn’t enforced until recently. The newest updates mark a more active approach from the FTC in using this rule to safeguard consumer data, reflecting an evolving understanding of the risks posed by digital health technologies.

These changes are all about making sure that companies are more careful with your health information and that you have the right to know quickly and clearly if something goes wrong. This can give patients more confidence in using digital health services, knowing that there are strong protections and clear rules to safeguard their personal information.