The FTC Proposes Changes to Health Breach Notification Rule
The Federal Trade Commission (FTC) is seeking public input on proposed changes to the Health Breach Notification Rule (HBNR), which would clarify how the rule applies to health apps and similar technologies. The HBNR requires vendors of personal health records (PHR) and related entities not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third-party service providers to PHR vendors and related entities to alert those companies upon discovering a breach.
Exploding Health App and Device Usage Spurs FTC Action
Samuel Levine, the director of the FTC’s Bureau of Consumer Protection, explains that business practices and technological developments have led to vast amounts of health data being collected from consumers and used for marketing and other purposes. As a result, the proposed changes to the HBNR include greater clarity on how the rule applies to health apps and similar devices that fall outside of HIPAA’s coverage. Levine notes that the proliferation of these apps and devices, and their acquisition of sensitive consumer health data, make it more important than ever for companies covered by the HBNR to notify both the FTC and affected individuals in a timely manner when a breach occurs.
Recent Enforcement Actions Prompt FTC to Seek Feedback
The FTC has recently taken enforcement actions under the HBNR against two companies. In May of 2023, the FTC announced a proposed order settling allegations that the fertility app Premom violated the HBNR. In February of the same year, it also announced its first enforcement action under the rule, against telehealth and prescription drug discount provider GoodRx. Both companies had failed to notify users that the companies had disclosed users’ personally identifiable health information to third parties without authorization. These incidents, along with the growth of health apps and devices, have spurred the FTC to seek feedback on proposed changes to the HBNR.
Proposed Changes to the HBNR
- Revised definitions to clarify the rule’s application to health apps and similar technologies not covered by HIPAA.
- Clarification that “breach of security” includes both unauthorized acquisition and unauthorized disclosure of identifiable health information, whether resulting from a data security breach or from other causes.
- Revised “PHR related entity” definition to clarify that only entities that access or send unsecured PHR identifiable information to a personal health record qualify under the HBNR.
- Clarification on what constitutes PHR identifiable health information.
- Authorization of expanded use of email and other electronic means to provide clear and effective notice of a breach to consumers.
- Expansion of the required content of breach notices to include the potential harm stemming from the breach and the names of any third parties that acquired unsecured personally identifiable health information.
- Changes designed to improve the rule’s readability and promote compliance.
Public Feedback Period
The public has 60 days from the date of publication in the Federal Register, which is May 18, to provide feedback on the proposed changes to the HBNR. Once processed, the comments will be posted on Regulations.gov.