Washington, DC - As the FTC staff discussed at a seminar about consumer generated and controlled health data, people are turning to apps, devices, and websites to manage their own health information. Yesterday we talked about the contours of the compliance landscape. Especially when it comes to the sensitive subject of health data, one key takeaway is the importance that sound privacy and security practices can play in developing consumer confidence. Here are some more considerations if you or your clients are entering this burgeoning marketplace.
Think through what you collect and how you use it. Companies in this industry have said they need to collect personal data for functionality purposes. As we discussed in the Internet of Things report, innovation abounds. But it’s also important to put sensible policies in place regarding the collection and retention of consumer data. After all, the more you collect, the greater the risk it could be hacked or used for unintended purposes. Is there a way to collect less data – or less sensitive data – to accomplish your business goals?
Is “de-identification” an option? Another way to reduce risk is to de-identify the data you collect. Here is an example from the Internet of Things report. A university hospital offers a website and an associated app that collects information from people – including geolocation – so users can find and report flu activity in their area. But instead of maintaining a public list of who reported what, the hospital posts the data in anonymous and aggregate form. That way, the hospital can accomplish its health-related goals while also maintaining consumer privacy. To ensure accountability, companies that take this approach should also commit not to re-identify the data. Another key component is making sure third-party contractors are barred from re-identifying it, too.
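As an added illustration (not code from the FTC post or from the hospital it describes), here is one way to publish geolocated flu reports in anonymous, aggregate form: snap each report to a coarse grid cell, count distinct reporters per cell rather than raw reports, and withhold any cell below a minimum count, since a count of one or two in a known neighborhood can point to a specific person. The grid size, the threshold, and the sample reports are assumptions chosen for the example.

```python
import math
from collections import defaultdict

# Constructed sample reports (user id, latitude, longitude); not real data.
# The user id is used only to count each person once per cell and is
# never included in the published output.
REPORTS = [
    ("u1", 38.91, -77.02),
    ("u1", 38.93, -77.03),   # same person reporting twice
    ("u2", 38.92, -77.04),
    ("u3", 38.94, -77.05),
    ("u4", 38.95, -77.06),
    ("u5", 38.96, -77.07),
    ("u6", 38.91, -77.07),
    ("u7", 38.85, -77.15),   # sparse cell: only two reporters
    ("u8", 38.86, -77.16),
]


def grid_cell(lat, lon, cell_deg=0.1):
    """Snap a coordinate to integer cell indices. A 0.1 degree cell is
    roughly 11 km north-south (assumed coarse enough here that a cell
    does not correspond to a single household)."""
    return (math.floor(lat / cell_deg), math.floor(lon / cell_deg))


def aggregate(reports, cell_deg=0.1, min_count=5):
    """Return (published, suppressed).

    published maps a cell to the number of distinct reporters in it.
    Cells with fewer than min_count distinct reporters are withheld
    (counted in suppressed) so that a sparse cell cannot reveal who
    reported. min_count=5 is an assumed threshold, not a standard."""
    reporters = defaultdict(set)
    for user_id, lat, lon in reports:
        reporters[grid_cell(lat, lon, cell_deg)].add(user_id)

    published = {}
    suppressed = 0
    for cell, users in reporters.items():
        if len(users) >= min_count:
            published[cell] = len(users)
        else:
            suppressed += 1
    return published, suppressed


def publish_rows(published, cell_deg=0.1):
    """Rows that are safe to post: each cell's south-west corner and the
    count, nothing that traces back to an individual report."""
    rows = [
        {"lat": round(i * cell_deg, 4), "lon": round(j * cell_deg, 4), "reports": n}
        for (i, j), n in published.items()
    ]
    return sorted(rows, key=lambda r: (r["lat"], r["lon"]))


if __name__ == "__main__":
    published, suppressed = aggregate(REPORTS)
    for row in publish_rows(published):
        print(row)
    print(f"{suppressed} cell(s) withheld below the minimum count")
```

Two practitioner caveats: the threshold only protects the single published snapshot, so if counts are republished on a schedule, the difference between two releases can expose an individual who appeared in only one of them, and the de-identification commitment the post describes must also bind anyone receiving the raw, pre-aggregation records.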
Consider consent. Of course, if those options don’t meet your business goals, you can always ask consumers for their consent to collect health information. We’ve heard a lot about the practical challenges of providing notice and getting informed consent, and recognize that there is no one-size-fits-all approach. We suggest some options in the Internet of Things report, including offering consumers opt-in choices in plain language at the point of sale, within set-up wizards, or in a privacy dashboard.
Give customers the straight story. However you choose to tell consumers about what you do with their information, don’t use legalese, bury it in a multi-screen privacy policy or terms of service, or use deception to get consent. Those methods won’t inspire trust and may even run afoul of the law, as our settlement with PaymentsMD demonstrates.
Build security in from the get-go. In this arena, security vulnerabilities can jeopardize not only consumers’ data, but also their health. For example, a hacker who gains access to an insulin pump and alters the medication levels could cause physical injury. Consumers will be reluctant to embrace new technologies if security isn’t baked in. The Internet of Things report and the accompanying brochure for business, Careful Connections: Building Security in the Internet of Things, set forth a few best practices:
- Implement security by design, which includes conducting a privacy or security risk assessment, minimizing the data you collect and keep, and testing your security measures before launching your product.
- Train all employees about good security, and ensure that security issues are addressed at the appropriate level within your organization.
- Hire service providers capable of maintaining reasonable security and monitor what they’re doing on your behalf.
- Implement defense-in-depth – a belt-and-suspenders approach that puts security measures in place at multiple levels.
- Adopt reasonable access controls to keep unauthorized people from accessing sensitive data, devices, or even the consumer’s network.
- Monitor products throughout their life cycle. Patch known vulnerabilities ASAP.
What’s in store for this industry? We’ll continue to take action if companies violate the FTC Act. In appropriate circumstances, we’ll consider enforcement under other applicable laws – like the FTC’s Health Breach Notification Rule or the Fair Credit Reporting Act, which prohibits consumer reporting agencies from including medical information in consumers’ reports without their consent. And we'll continue to coordinate with HHS and FDA. Additional guidance for mobile health app developers is already in the works.
Looking for the basics for business? Read the FTC’s Careful Connections: Building Security in the Internet of Things.