On September 15, 2021, the Federal Trade Commission (FTC) voted 3–2 along party lines (with Republican commissioners dissenting) to issue a policy statement announcing an expansive interpretation of the FTC’s Health Breach Notification Rule, 16 CFR Part 318 (the Rule). According to the policy statement, the Rule applies to health apps and connected devices that are not subject to the Health Insurance Portability and Accountability Act (HIPAA) but are capable of drawing information from multiple sources—for example, through a combination of consumer inputs and application programming interfaces (APIs).
FTC Issues Policy Statement Expanding Interpretation of Health Breach Notification Rule’s Scope
Carolyn Metnick
Carolyn V. Metnick represents a range of healthcare industry clients, including hospitals and health systems, physician organizations and digital health companies. She advises on healthcare regulatory and transactional matters with a focus on health information privacy and security. Carolyn advises clients on a range of privacy and security laws, including HIPAA and the California Consumer Privacy Act (CCPA). She also counsels businesses in data breach investigations and compliance with federal and state breach notification laws. Carolyn is a Certified Information Privacy Professional/United States (CIPP/US) and a Certified Information Privacy Professional/Europe (CIPP/E). Read Carolyn V. Metnick's full bio.
Edward G. Zacharias
Edward G. Zacharias is the managing partner of McDermott’s Boston office. Clients across the healthcare industry and beyond turn to him for practical, business-oriented counsel on their most significant privacy and cybersecurity compliance, healthcare regulatory and transactional matters. Ed’s clients include “Big Tech” companies, health information technology and digital health companies, healthcare providers, insurers, electronic health record platforms, pharmacies, drug and device manufacturers, life sciences companies and health services vendors. Read Edward Zacharias' full bio.
Sam Siegfried
Sam Siegfried’s practice focuses on the intersection of healthcare data privacy, healthcare operations and healthcare transactions, with an emphasis on developing and executing data licensing arrangements, research collaboration agreements and other data-driven deals in the healthcare space. Sam’s in-house experience with an academic medical center and a healthcare technology and precision medicine company provides him with unique perspectives on the key issues healthcare clients consider when exploring these complex arrangements. Sam’s thorough due diligence in healthcare data collaborations, mergers and acquisitions, and venture-backed investments enables him to proactively address potential privacy or data exchange pitfalls early in the transaction process, clearing the path for successful deals and innovative collaborations in the healthcare space. Read Sam Siegfried's full bio.