The U.S. Federal Trade Commission has issued a policy brief confirming that apps including health care apps, finders, trackers, and connected devices, are all required to comply with HIPAA,  and the HIPAA Breach Notification Rules will apply if they connect any two or more databases containing personal health data. 

HIPAA Breach Notification Rules require entities, even those not normally considered to be covered by HIPAA, to notify individuals as well as certain business associates if private health information is shared or compromised.

The FTC further said that developers of any apps utilizing individually identifiable personal health information, and their connected devices, are considered healthcare providers, held responsible for breach if they cause or allow the disclosure of patient information without patient authorization. 

The first notice responsibility in the event of a breach is to notify every entity from whom that information came, which may include notifying business associates, plus every person whose data was compromised, and notifying the federal HIPAA enforcement office. 

The FTC noted that many app providers are under the misconception that breach notification only applies in the case of a malicious external attack. In fact, HIPAA applies in the case of any health data share, and breach also includes unsecured health data caused by incidental, accidental, or unintentional data vulnerability.

After a breach occurs, the process of determining who needs to be given notice, and through which methods, as well as disseminating the individual breach notices themselves, are very costly, in both money and reputation.