In an increasingly digital and interconnected world, the privacy and security of personal information is a significant concern. Applications and connected devices collect a bevy of personal information from consumers, including sensitive information about consumers’ health.

Because of the sensitivity of health information, the United States has developed a variety of legal protections and enforcement mechanisms regarding the privacy and security of health information, including state and federal law, regulations, and federal agency guidance. At times, these legal protections and enforcement mechanisms intersect, bringing the enforcement powers of multiple federal regulations and agencies to bear to protect the privacy and security of consumers’ health information.

On September 15, 2021, the Federal Trade Commission (“FTC”) released a policy statement addressing the scope of the FTC’s Health Breach Notification Rule with respect to applications and connected devices that collect health information. At first glance, the FTC’s Health Breach Notification Rule and the privacy provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) and its implementing regulations appear to operate in similar spaces, both regulating access to health information. However, HIPAA and the FTC Rule apply to different entities. HIPAA applies to covered entities and their business associates (e.g.