Public health

This article is written by Hassan Farooque, pursuing Diploma in International Data Protection and Privacy Laws from Lawsikho. The article has been edited by Prashant Baviskar (Associate, LawSikho) and Smriti Katiyar (Associate, LawSikho).


As any rational mind would ask "why", it is evident that practices which have been followed for a while are often never questioned or brought under the purview of the law, so that it remains unclear what is legally permissible and what is unnecessary or illegal. Over time there has been explosive growth in the field of data. Data is used in every practical layer of the business pyramid, such as health, banking, information technology, etc.

Many times the law, being a living thing that evolves slowly, is restricted in recognising a wrong or dispensing justice because the statute is underdeveloped. At times the authority or the Court is unable to decide a case appropriately because of gaps or loopholes in the statute. Some countries are quick to adapt to the latest problems, and a judiciary and regulator that are well equipped to deal with novel problems are a sign of the development of the country or state. In view thereof, I shall provide my view on the scope of the FTC's guidance on the application of its Health Breach Notification Rule to health apps and connected devices.

On 15th September 2021, the Federal Trade Commission ("FTC") of the United States of America issued a policy statement offering guidance on the scope of the FTC's Health Breach Notification Rule, 16 C.F.R. Part 318 (the "Rule"), as it applies to health apps and other connected devices, so as to bring within its ambit entities that are not covered by the Health Insurance Portability and Accountability Act ("HIPAA").

Considering the rapid growth of apps and devices that deal with sensitive health data, the FTC's Health Breach Notification Rule ensures that entities which are not governed by HIPAA still face accountability when a person's sensitive health information is breached. By virtue of the Rule, vendors of personal health records ("PHR") and PHR-related entities are bound to notify U.S. consumers and the FTC, and in certain specified cases the media, of a breach of unsecured identifiable health information, or else invite civil penalties for the violation. The Rule also covers third-party service providers used by such entities. In short, concealing a breach of sensitive health information by an entity or its vendors is unlawful under the Rule.

FTC’s  Guidelines

Although the Rule was issued by the FTC more than a decade ago, the proliferation of health apps and connected devices has made its requirements more essential than ever. Unlike underdeveloped countries, which still lack legislation for the protection of such sensitive health information, the United States appears to be taking the initiative in developing such laws, i.e. it is basically leading the way. The FTC directs mobile health apps to examine their obligations under the Rule, and it offers the following guidelines and interactive tools to businesses seeking to implement sound data security:

Minimize data

Does the entity need to collect or retain a person’s data?

If the entity does not collect data in the first place, it does not need to spend resources protecting it. Whoever collects or retains data is bound to safeguard it. Where data can be linked to or used to identify a natural person, de-identify it.
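The following is an added example, not code from the article or from the FTC, showing what "minimize" and "de-identify" look like in practice for a health app that stores blood-pressure readings. The field names, the sample record and the secret key are constructed for illustration. Two points it makes that the guideline above does not: a plain hash of an e-mail address is not de-identification (anyone can hash a candidate address and compare), so a keyed HMAC with a key stored apart from the data is used instead; and a precise date of birth is generalised to an age band rather than stored as-is.

```python
"""Data minimization and de-identification for a health app record.

Added example: field names, sample record and key are constructed
assumptions, not taken from the article or the FTC guidance.
"""
import hashlib
import hmac
import secrets
from datetime import date

# Fields the feature actually needs (assumed: a blood-pressure log).
ALLOWED_FIELDS = ("systolic", "diastolic", "measured_on")
# Fields that directly identify a natural person and must never be stored as-is.
DIRECT_IDENTIFIERS = ("name", "email", "phone", "date_of_birth", "device_id", "gps")

# Constructed sample input, as it might arrive from the app's upload endpoint.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "phone": "+1-555-0100",
    "date_of_birth": "1979-03-14",
    "device_id": "TRACKER-0001",
    "systolic": 128,
    "diastolic": 82,
    "measured_on": "2021-09-15",
    "gps": (40.7128, -74.0060),
}


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256) for a direct identifier.

    The key must live outside the record store (e.g. a KMS or HSM); without
    it, the pseudonym cannot be mapped back to the identifier, which an
    unkeyed SHA-256 of an e-mail address would not achieve.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def age_band(date_of_birth: str, as_of: date) -> str:
    """Generalise an exact date of birth to a ten-year band such as '40-49'."""
    dob = date.fromisoformat(date_of_birth)
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def contains_direct_identifier(record: dict) -> bool:
    """Check used before persisting: True if any direct identifier survived."""
    return any(field in record for field in DIRECT_IDENTIFIERS)


def minimize(record: dict, key: bytes, as_of: date) -> dict:
    """Return a new record holding only the allowed fields, a keyed
    pseudonym in place of the e-mail, and an age band in place of the DOB."""
    if "email" not in record:
        raise ValueError("record has no subject identifier to pseudonymize")
    out = {"subject_id": pseudonymize(record["email"], key)}
    for field in ALLOWED_FIELDS:
        if field in record:
            out[field] = record[field]
    if "date_of_birth" in record:
        out["age_band"] = age_band(record["date_of_birth"], as_of)
    # Fail closed: never write a record that still carries a direct identifier.
    if contains_direct_identifier(out):
        raise ValueError("direct identifier leaked into minimized record")
    return out


if __name__ == "__main__":
    # In production the key is generated once and stored separately from the data.
    demo_key = secrets.token_bytes(32)
    print(minimize(SAMPLE_RECORD, demo_key, as_of=date(2021, 9, 15)))
```

The `contains_direct_identifier` check is the part worth wiring into the write path: minimisation that is only a convention in the upload handler is undone the first time someone adds a field.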

Limit access and permissions

What permissions does the entity's app need? The entity should ensure that it does not collect a natural person's data unnecessarily. For example, when developing an app, consider which device resources it genuinely requires, such as the person's contacts, camera, location, etc., and request no more than that.

Keep authentication in mind

How does the entity generate credentials? The entity should invest resources in the design, implementation and testing of its authentication mechanism.

Consider the mobile ecosystem

Is the entity relying upon mobile platforms or other connected devices to protect sensitive data?

With the development of technology there are various devices, such as mobile phones, iPads, Fitbits, etc., from which various kinds of data are collected. These devices do not necessarily use the same APIs, but the entity should still ensure the security of the data and grant permissions to third parties only by following safe protocols.

Implement security by design

How can the entity develop a culture of security? The entity should employ staff that are responsible for data security. Depending upon the size of the entity and the complex processes involved, the entity may appoint a team of persons, as well as a senior executive to oversee the implementation of security by design.

Don’t reinvent the wheel

Is the entity taking advantage of established security practice? Entities can often use free or low-cost tools to protect the security of the data and help protect users' privacy, rather than building their own.

Innovate how you communicate with users

How will the entity inform users about its app's security and privacy features? The entity should endeavour to be simple, clear and direct, avoiding complicated terms and using language a layperson can understand. Since a health app is likely to collect personal data such as blood pressure, eating habits and sugar levels, the entity should obtain the user's express consent.

Don’t forget about other applicable laws

If the entity is developing a health app, they should first determine which laws apply to them. One may be under the scope of the FTC Act, HIPAA or the FDA’s Federal Food, Drug & Cosmetic Act.

There may also be state laws with which the entity must comply. Keeping abreast of the various laws helps the entity avoid penalties under them.

Truth-in-advertising and privacy obligations apply to the entity's product. Entities should disclose to their users the real reason their data is being collected and be transparent about their practices.

Despite the above, the FTC had never enforced the Rule before this guidance, and many entities appear to misunderstand its requirements. What the guidance makes clear is that the entities and their vendors have an ongoing obligation to notify breaches under the Rule.

“Breach of the security of the personal health records”

The Rule brings under its ambit personal health records that contain identifiable health information created or received by, or handled for, a health care provider. The Rule is triggered when such an entity or its vendor experiences a "breach of security". By reference to the definitions in the Rule, the developer of a health app or connected device is a "health care provider" because it "furnish[es]" health care services or supplies.

Take for instance a health app that discloses sensitive health information without the person's authorisation; that would be a breach of security under the Rule.

The Rule requires that a "personal health record" be an electronic record that can draw information from multiple sources. Apps are within the scope of the Rule if they are capable of gathering information from multiple sources, such as a combination of consumer inputs and application programming interfaces ("APIs"). For example, an entity is covered if it collects information directly from its user and has the technical ability to draw data through an API that synchronises with the user's fitness tracker. Similarly, an entity that handles information from multiple sources is covered even if the health information originates from only one source. For example, if a blood pressure monitoring app draws health information from only one source (e.g. the user's entered blood pressure readings) but also takes non-health information from another source (e.g. dates from the user's phone calendar), it comes under the purview of the Rule.

Further, as the Commission has noted, a "breach" is not limited to cyber-security intrusions or malicious behaviour. Any unauthorised access, including sharing information without the user's authorisation, triggers the Rule.

Considering the level of development, Americans are prolific users of apps and other technologies to track ailments, diagnoses, treatments, medications, fitness levels, sleep, diet and other vital aspects of their health, so this Rule becomes more important than ever. Violations of the Rule may subject entities to civil penalties of $43,792 per violation per day.


Taking from the above, the implementation of such laws is beneficial to the country and its citizens at large. Any developed country would want to protect the rights of its citizens by keeping in touch with changing times. Earlier, paper trails led to scandals; in today's age, data is the new commodity, and, as in any era, those who understand the change are better prepared than those who do not.

If countries like India take up the cause of data protection in the same depth as the Americans, there would be real improvements in laws protecting against breaches from health apps and connected devices, and this would likely invite investment from international companies and brands, who would not be able to take Indian citizens for a joy ride.


