CHIME Submits Comments to FTC on Proposed Data Security, Surveillance Rulemaking

CHIME expressed its support for the FTC’s commitment to enforcing data security while noting some key health data considerations.

The College of Healthcare Information Management Executives (CHIME) submitted comments to the Federal Trade Commission (FTC) on the Commission’s Advance Notice of Proposed Rulemaking (ANPR) regarding “the prevalence of commercial surveillance and data security practices that harm consumers.”

CHIME stressed the importance of regulating sensitive health data that is held by non-HIPAA-covered entities and encouraged the FTC to use its authority to enforce stringent data privacy practices.

Overview of the FTC’s Advance Notice of Proposed Rulemaking

Over the last two decades, the FTC explained in an August press release announcing the ANPR, the Commission has used its authority under the FTC Act to bring “hundreds of enforcement actions against companies for privacy and data security violations.”

The enforcement actions included cases involving improper sharing of health data with third parties and the failure to implement security measures to protect Social Security numbers.

“The FTC’s past work, however, suggests that enforcement of the FTC Act alone may not be enough to protect consumers. The FTC’s ability to deter unlawful conduct is limited because the agency generally lacks authority to seek financial penalties for initial violations of the FTC Act,” the FTC explained.

“By contrast, rules that establish clear privacy and data security requirements across the board and provide the Commission the authority to seek financial penalties for first-time violations could incentivize all companies to invest more consistently in compliant practices.”

As a result, the FTC issued an ANPR and sought public comments on “whether it should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies collect, aggregate, protect, use, analyze, and retain consumer data, as well as transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.”

Specifically, the FTC expressed concern over the commercial surveillance industry, which is in the business of “collecting, analyzing, and profiting from information about people.”

The Commission noted concerns around surveillance creep, bias and discrimination, harms to children, and lax data security measures that could prove harmful to consumer data privacy.

The ANPR marked the beginning of the rulemaking process, in which the FTC will collect input from the public on protecting consumers from potentially harmful commercial surveillance practices.

CHIME’s Comments

The ANPR could have implications for health data, specifically sensitive health information that is held by non-HIPAA-covered entities.

In its letter, CHIME noted its continued support of the FTC’s efforts to protect consumer health information. CHIME expressed support for the FTC’s September 2021 policy statement, in which the Commission clarified that health apps and connected device companies must comply with the Health Breach Notification Rule.

“As one of only a handful of federal privacy laws protecting consumers’ health information, the Rule plays a vital role in holding companies accountable for how they disclose consumers’ sensitive health information,” CHIME wrote.

CHIME stressed the importance of the Health Breach Notification Rule in its comments on the ANPR and encouraged the FTC to use its power to enforce it.

“While CHIME is broadly supportive of new trade regulation rules to utilize the FTC’s existing authority to protect consumers – we are strongly encouraging the FTC to push further into this space by utilizing and enforcing the clear, concise and existing authority under the Health Breach Notification Rule to hold non-HIPAA covered third-parties (i.e., vendors of PHR and PHR-related entities) responsible when they illegally disclose – intentionally or not – covered information,” CHIME stated.

CHIME expressed a need for additional clarification from the FTC on how the potential new rules would intersect with the FTC’s existing authority under the Health Breach Notification Rule. Essentially, if the FTC moves forward with rulemaking for commercial surveillance, CHIME suggested that organizations will need a clear roadmap of how these rules intersect.

“CHIME appreciates the FTC’s issuance of this important ANPR on ways to implement new trade regulation rules concerning the ways in which companies collect, aggregate, protect, use, analyze, and retain consumer data, as well as transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive,” the comments letter concluded.

“We are especially thankful to the Commission for encouraging input from a wide variety of voices – including healthcare providers – on the questions listed in the ANPR. CHIME believes that adding more healthcare data to the existing data streams available for purchase without adequate and enforced safeguards will erode consumer trust and create more privacy challenges.”
