CIPP/US Study Guide
Chapter 8: Medical Privacy

Medical Technology: FTC Act, FDCA, and State Laws

For medtech outside HIPAA, Section 5 of the FTC Act is the primary federal tool against deceptive and unfair practices (e.g., the 2021 Flo Health action). The FDA regulates medical devices under the FDCA by risk level, with growing cybersecurity demands. States increasingly regulate at-home genetic testing.

Section 5 of the FTC Act is the primary federal statute for medtech not covered by HIPAA, reaching deceptive and unfair trade practices. In 2021 the fertility app Flo Health settled FTC allegations that it shared users' health information with third parties despite promising not to.

The FDA enforces the FDCA, regulating devices by risk level. Most consumer medtech is low risk and subject to little regulation, but AI-based SaMD can be regulated more heavily. The FDA increasingly focuses on cybersecurity, even refusing device submissions that lack adequate cybersecurity plans.

At-home genetic tests and state law

At-home genetic tests (e.g., 23andMe, Ancestry.com) are generally not HIPAA-covered unless ordered by a doctor, leaving this sensitive data largely unregulated federally. States including California, Arizona, and Utah require transparency and express consent from consumer genetic testing companies.

Key terms - quick answers

What is “Section 5 of the FTC Act”?
The provision letting the FTC pursue unfair and deceptive trade practices; the primary federal statute for medtech companies not covered by HIPAA.
What is “FDCA”?
The Federal Food, Drug, and Cosmetic Act, enforced by the FDA to regulate medical devices by levels of risk.
What is “SaMD”?
Software as a medical device; certain AI-based medtech that the FDA may regulate more heavily.