The Federal Trade Commission (FTC) commissioners, in a split-vote (3-2), issued a policy statement on September 15, requiring both health applications and connected devices to comply with the “Health Breach Notification Rule (August 2009).” The commissioners recognized how the applications and devices did not fall within the scope of the Health Insurance Portability and Accountability Act (HIPAA), but the entities should “face accountability when consumers sensitive health information is compromised.”

What this means, according to the statement is, “Entities covered by the Rule who have experienced breaches cannot conceal this fact from those who have entrusted them with sensitive health information.”