Health Tech Companies Must Comply With Data Breach Laws
We love devices that tell us about our health. From fitness and heart rate monitors to watches that report blood oxygen levels and take EKGs, the future is health information at our fingertips.
But if you thought a data breach intercepting our bank account information was bad, what about a data breach with these kinds of devices? What are companies’ obligations when it comes to data breaches surrounding health information?
FTC Expands Data Breach Rules
The Federal Trade Commission (FTC) has recently determined that any device that collects health data, even those related to heart rates, glucose, blood pressure, or fertility, now has to comply with data breach laws that require that consumers be notified of the breach.
The rule now requires the makers of these devices to notify not only consumers of a data breach, but also the FTC and the media. In extending the already existing rule to health devices, the FTC noted that the increasing use of these devices, coupled with the lack of any rules or authority governing how data breaches are handled, made the expansion necessary.
Doubt Causes FTC Concern
Because there was doubt whether these devices or companies are covered by HIPAA, there were few ramifications for the companies when data was compromised. The new law clarifies that even if devices or apps aren’t specifically required to comply with HIPAA, there are now still fines for disclosing private health information or failing to report breaches. Fines for failure to provide notification of a breach are steep—over $43,000 per day.
Unlike our doctor's office down the street, these tech devices and apps do release some information for the purposes of targeted advertising. The FTC is concerned that this practice inherently compromises sensitive consumer data and health information.
Data Breach Laws and Requirements
Data breach laws in Florida can be complex, no matter the industry. A breach is generally defined as unauthorized access to consumers' private information that is unrelated to the business's purposes and that compromises the security of the company's systems.
Generally, in Florida, the law requires everybody who may be affected by the data breach to be notified of the breach. There is a list of data that is considered personal, which triggers the notice obligations in the law. It includes financial information, email addresses that accompany passwords, or health data.
However, the notice will not be required if the company believes that the breach won’t result in any harm to consumers. Proof or support of that determination must be in writing, and the records must be maintained by the company for 5 years.
If more than 500 consumers are affected by the data breach, the Florida Attorney General’s office must be notified as well. If more than 1,000 consumers are expected to be affected, the company must also notify the credit or consumer credit reporting agencies.
Call the West Palm Beach commercial litigation lawyers at Pike & Lustig to discuss your company’s legal obligations and requirements.