A recent FTC deal with the popular Flo Fertility Tracking app came with a warning from the agency to other healthcare apps engaging in questionable data-sharing practices.
Downloaded by more than 100 million people, Flo tracks various stages of the reproductive cycle from menstruation to pregnancy and menopause. Flo Health Inc. ran afoul of the Federal Trade Commission (FTC) by promising not to share this user data with other parties, but then making it available to a variety of third-party analytics services (such as those managed by Facebook and Google).
Health apps put on notice as Flo is instructed to review data-sharing practices
Given the range of features it offers, the company’s ideal Flo user would appear to be a teenager who uses the app when they come of age and continues to use it until menopause. The app encourages women to record a wide variety of personal health information along with various items of personally identifiable information: full names, email addresses, date of birth, and physical address.
News coverage on the subject in February 2019 sparked a barrage of user complaints, and Flo was ultimately hit with seven counts of data sharing misrepresentation. The company would not be fined under the proposed settlement, but would be required to stop misrepresenting its use of personal information and to review its data-sharing practices to ensure that medical information is not shared with third parties. It would also have to notify app users of any prior disclosures of health information and follow up with analytics partners to ensure that shared information of that nature is destroyed. The proposed deal is currently in a required 30-day public comment period and will then go back to the FTC commissioners for a final vote.
Sharing health data under increased scrutiny?
The Flo case is the first time that a US regulator has ordered a notice of a privacy action. The fact that the Commission passed it 5-0, along with some statements from high-ranking members of the FTC, would indicate that the healthcare app market should carefully review its data-sharing practices to avoid being the next target.
Andrew Smith, director of the FTC’s Office of Consumer Protection, said of healthcare apps: “Apps that collect, use, and share sensitive medical information can provide valuable services, but consumers need to be able to trust these apps. if health app developers keep their promises and handle sensitive health information responsibly.” Commissioners Rohit Chopra and Rebecca Kelly Slaughter also issued the following joint statement: “This proposed settlement is a change for the FTC, which has never before mandated a notice of a privacy action … While we are pleased to see this change, we are disappointed that the Commission is not using all its tools to hold accountable those who abuse and misuse personal data. We believe that Flo’s conduct violated the Health Violation Reporting Rule, however the Commission’s proposed complaint does not include this allegation.” The agency also released a consumer health app guidance infographic along with the decision.
The Health Breach Notification Rule, passed in 2009, applies to all entities that handle electronic health records. It requires notification to both the FTC and consumers in the event of any breach involving these records, and if there are more than 500 records involved, the entity must also notify the media. Health and fitness tracking apps exist in a kind of legal gray area with respect to this regulation. In general, if the publisher of the app is not subject to HIPAA (which generally only applies to patient care facilities), regulators have not seen it as subject to this FTC rule either. These apps handle a lot of health information that would normally be covered by HIPAA record requirements, but the key distinction appears to be that the end user is held responsible for whatever information they choose to enter into the app.