FTC Publishes Final Rule amending Health Breach Notification Rule

Newsletter

The Federal Trade Commission (“FTC”) recently published its Final Rule amending the Health Breach Notification Rule (“HBNR”). The updated HBNR, which regulates entities that handle certain personal health information, other than covered entities or to the extent acting as business associates under the Health Insurance Portability and Accountability Act (“HIPAA”), becomes effective July 29, 2024. Read on for a refresher about the HBNR, and a summary of key changes and their potential impacts.

Health Breach Notification Rule Background

The HBNR was originally published in 2009, to address an emerging personal health record industry. Earlier in that decade, the National Committee on Vital and Health Statistics recognized that personal health record (PHR) evolving features included “the ability to view personal health data, exchange secure messages with providers, schedule appointments, renew prescriptions, and enter personal health data; decision support (such as medication interaction alerts or reminders about needed preventive services); the ability to transfer data to or from an electronic health record; and the ability to track and manage health plan benefits and services.”1 Against this backdrop, Congress (in the American Recovery and Reinvestment Act) and then the FTC adopted a definition as an electronic record of individually identifiable health information, as defined by HIPAA, “that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” In its original form, the HBNR required vendors of personal health records and PHR related entities (that offer products or services through the website of a vendor or HIPAA covered entity offering a PHR, or that accesses information from or sends information to a PHR) to notify consumers of a breach of security of unsecured identifiable health information.

Having not enforced the HBNR for over a decade, in 2020, the FTC requested public comment to assess the need for any changes to the HBNR as new technology and business models had entered the marketplace. In September 2021, following a debate among FTC commissioners about the applicability of the HBNR in the case of an app developer that allegedly had shared consumers’ menstruation and fertility data with third party analytics vendors and a letter from Congress urging the use of the HBNR to protect consumers from mobile apps that exploit personal data, the FTC issued a policy statement, clarifying that the HBNR covers health app and connected device developers as “health care providers” for purposes of the rule, stated that the term “personal health records” includes an app “capable of drawing information from multiple sources” offering the example of an app “that collects information directly from consumers and has the technical capacity to draw information through an [application programming interface]” or an app that draws information from multiple sources “even if the health information comes from only one source.” The FTC also clarified that a “’breach is not limited to cybersecurity intrusions or nefarious behavior.”

In February and May of 2023, the FTC announced its first and second HBNR enforcement actions against digital health companies for allegedly sharing personally identifiable health information with advertising platforms without consumer authorization. The matters were settled without admissions. Immediately after the second settlement, the FTC proposed amendments “to strengthen and modernize” the HBNR, including to clarify that it applies to health apps and other direct-to-consumer health technologies. With the comment period for the proposed rule still open, the FTC affirmed its earlier statement about the original HBNR when joining the Health and Human Services Office of Civil Rights to issue a letter to hospital systems and telehealth providers, cautioning them about the risks of online tracking technologies.

The FTC finalized its changes to the HBNR on April 26, 2024, and published the Final Rule on May 30, 2024. When the Rule becomes effective on July 29, 2024, it will be an event 15 years in the making.

HBNR Updates in the 2024 Final Rule

In the 2024 HBNR Final Rule, the FTC strengthens protections for personal health data collected by health apps and other technologies. The new Rule revises definitions of “PHR identifiable health information,” “PHR-related entity,” and “breach of security,” and adds new definitions for “covered health care provider” and “health care services and supplies.” These changes and additions to definitions widen the scope of the rule. In commentary, the FTC notes that unique, persistent identifiers (such as unique device and mobile advertising identifiers), when combined with health information, constitute “PHR identifiable health information,” if these identifiers can be used to identify or re-identify an individual. The Final Rule also confirms that (i) “PHR-related entities” include entities offering products and services not only through websites, but also through any online service, including mobile applications, of PHR vendors or covered entities offering PHRs, (ii) PHR related entities encompass only entities that access or send unsecured PHR identifiable health information to a PHR, and (iii) a third-party service provider that accesses PHR identifiable health information in the course of providing services is not automatically rendered a PHR related entity.

In addition, the Final Rule revises the content and timing of breach reporting. Per the Rule, “breaches of security” include intentional but unauthorized disclosures of PHR identifiable health information to third-party companies, as well as more traditional cybersecurity intrusions. The notice is to include the name or identity (or in some cases a description) of the third parties to whom the information was disclosed. It also is to include a description of the types of unsecured PHR identifiable health Information involved and what the entity is doing to protect affected individuals. The notice is not required to include a description of the potential harm that may result from the breach, however the FTC notes that it would be a best practice to describe a harm that is “concrete and known.” The Final Rule includes an appendix of exemplar notices that may be used to notify individuals. Notice may be by electronic mail (defined as email in combination with text message, in-app message or banner) if an individual has specified that as the primary contact method. The timing of notification to the FTC for breaches of security involving 500 or more individuals is extended to be “without unreasonable delay and in no case later than 60 calendar days” following discovery, which is the same timing as notification to such individuals.

Key Considerations for Vendors of PHR

If you are an entity who is (or thinks they may be) subject to the HBNR, there are a few key things to consider as we approach the July 2024 effective date for the new Rule. Namely:

  • The FTC has clearly indicated its intent to enforce the HBNR. We anticipate continued coordination among regulators that operate in this space, including the FTC and OCR. Because of this, entities should expect enforcement actions to follow.
  • Entities should assess the re‐defined HBNR; if you are not a HIPAA covered entity, are you making health tech available in a manner that may make you a vendor of a PHR, a PHR related entity, or a service provider, and thus subject to the new Rule?
  • Entities that are within the scope of the HBNR should review their operations, data maps, workflows, encryption practices, internal policies, and vendor contracts to ensure that they meet the updated standards addressed in the rule. In addition, entities should review their incident response protocol, and determine if they are prepared to investigate, remediate and provide notices as required. If not, changes should be made to address these important activities.

Do you have questions about this update, or your entity’s data privacy and security compliance efforts? Contact your Quarles attorney or:

END NOTES


1 https://ncvhs.hhs.gov/wp-content/uploads/2014/05/0602nhiirpt.pdf

Follow Quarles

Subscribe Media Contact
Back to Main Content

We use cookies to provide you with the best user experience on our website and to analyze statistics related to our website. To understand more about how we use cookies, or for instructions to change your preference and browser settings, please see our Privacy Notice. Please note that if you choose to reject cookies, doing so may impair some of our website's functionality.