FTC’s Third Open Meeting Brings New Changes to Agencies’ Approach for Health App Privacy, Petitions for Rulemaking, and Vertical Mergers | WilmerHale
October 13, 2021
On September 16, 2021, the Federal Trade Commission (“FTC” or “Commission”) held its third Open Commission Meeting in as many months. The Commission addressed four items: (1) whether to issue a policy statement affirming that health apps and connected devices must comply with the Health Breach Notification Rule (“HBNR”) in the event of a privacy breach; (2) an FTC report regarding almost a decade of unreported acquisitions by five major technology companies; (3) proposed revisions to FTC procedural rules concerning petitions for rulemakings; and (4) the proposed withdrawal of the FTC’s Vertical Merger Guidelines that were adopted in June 2020.
Key takeaways from the meeting include:
- The Democratic Commissioners are moving quickly to remove what they view as roadblocks to their progressive antitrust agenda, withdrawing recent guidelines on how to evaluate vertical mergers without providing any replacement guidance for businesses.
- The FTC continues to signal its interest in entities that collect health information. At the meeting, the Commissioners voted (3-2) to approve a Policy Statement that broadly interprets the HBNR to apply to many applications that might not otherwise think of themselves as offering personal health records.
- The FTC continues to look for ways to pursue civil penalties against perceived wrongdoers. One of the reasons the FTC appears willing to broaden the application of the HBNR is so that it can obtain penalties for first-time rule violators.
- The Commission will continue to make use of its Section 6(b) authority to gather information that it can use either in future enforcement actions or to guide future policy decisions and/or rule changes.
- The Commission continues to focus on the rulemaking process and is steadily making changes that are intended to make the process more streamlined and transparent.
Read our coverage of the first Open Commission Meeting held on July 1, 2021, and the second Open Commission Meeting held on July 21, 2021.
Proposed Policy Statement on Privacy Breaches by Health Apps and Connected Devices
The Commission voted along party lines (3-2) to approve a Policy Statement that “serves to clarify” the types of apps and connected devices that are required to comply with the HBNR and under what circumstances they must notify consumers and others when those individuals’ health data is breached. The HBNR resulted from the American Recovery and Reinvestment Act of 2009, in which Congress directed the FTC to adopt a rule implementing breach notification requirements applicable to vendors of personal health records, PHR related entities, and third-party service providers that are non-HIPAA-covered entities.
In practice, however, the Policy Statement broadly interprets the HBNR in two ways. First, it interprets the rule to cover a larger segment of health-related apps and devices than was previously understood under the Rule. The Policy Statement explains that apps and…