Beyond HIPAA: Courts, Regulators Use Enforcement Toolkit Against Health Apps
Though many digital health apps and online platforms fall outside the scope of the Health Insurance Portability and Accountability Act (HIPAA), courts and regulators are using other tools to expand enforcement against them when they share sensitive health data without consent, said Sheppard Mullin lawyers in a blog post.
Section 5 of the FTC Act, for example, can be used to target unfair or deceptive practices, they said. "This is particularly common where a party makes representations in a privacy policy posted on its website which does not align with the party’s actual privacy and data usage practices." In one case, "the FTC defined a company’s undisclosed sharing of sensitive health-related data via tracking tools as an unfair and deceptive act, applying pressure through fines and mandated privacy programs."
Regulators are also turning to the Health Information Technology for Economic and Clinical Health Act (HITECH Act), under which vendors and service providers must notify individuals within 60 days of a breach of their personal health records.
At the state level, there are health-specific privacy statutes, some even with private rights of action, the lawyers blogged. States' general deceptive trade practices laws are also used for enforcement.
And wiretapping laws -- state and federal -- are being broadened so that Software Development Kits (SDKs) and tracking scripts that capture sensitive information, like reproductive health data, are considered interceptors of private communications, the blog added.
As such, it's clear that promises contained in an organization's privacy policy "must be accurate" and that "clear, informed consent" is needed for data sharing. "Consumer protection laws, wiretapping statutes, and class actions are filling the gap" left by HIPAA.
"For any company operating in digital health, wellness, or even adjacent spaces, now is the time to audit how data flows through your products, what third parties receive it, and whether your disclosures match reality," the blog added. "Regulators and plaintiffs’ lawyers are watching closely, and the precedent has been set."