FTC Finalizes Amendments to Health Breach Notification Rule Aimed at Clarifying its Application to Health Applications and Similar Technologies

King & Spalding

On April 26, 2024, the Federal Trade Commission (FTC) released a pre-publication version of its final changes to the Health Breach Notification Rule (HBNR) designed to clarify the scope of the HBNR, including its coverage of health applications and other similar technologies, authorize the expanded use of email and other electronic means of providing notice to consumers of a breach, and expand the required content of the consumer notice. The final HBNR will go into effect sixty days after its publication in the Federal Register.

Clarifying the Covered Entities
The FTC modified the definition of “PHR identifiable health information” and added definitions for “covered health care provider” and “health care services or supplies” to clarify that the HBNR applies to developers of mobile health applications and similar technologies not covered by HIPAA.

Clarifying the Covered Breaches
The FTC amended the definition of “breach of security” to clarify that the HBNR covers unauthorized acquisitions of identifiable health information that occur as a result of a data security breach or an unauthorized disclosure. The FTC noted that the HBNR covers unauthorized uses where an entity exceeds authorized access to use PHR identifiable health information, such as where the entity obtains the data for one legitimate purpose, but later uses that data for another purpose that was not authorized by the individual.

Clarifying What It Means for a Personal Health Record to Draw Information from Multiple Sources
The FTC amended the definition of “personal health record” (PHR) to mean an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual. The FTC clarified that a product is a personal health record if it can draw information from multiple sources, even if, in a particular instance, the consumer elects to limit the information to a single source.

Revising What Constitutes a “PHR Related Entity”
The FTC revised the definition of “PHR related entity” to clarify that the HBNR covers entities that offer products and services through the online services, including mobile applications, of vendors of personal health records. The FTC also specified that only entities that access or send unsecured PHR identifiable health information to a personal health record—rather than entities that access or send any information to a personal health record—qualify as PHR related entities.

Expanding the Method of Electronic Notice
The HBNR will authorize the expanded use of email and other electronic means of providing clear and effective notice of a breach to consumers. The HBNR will require notice effectuated via “electronic mail” to occur via email in combination with one or more of the following: text message, within-application messaging, or electronic banner messages.

Revising the Required Content of the Notice
The HBNR will require that the notice to individuals include: (1) full name or identity (or where providing name or identity would pose a risk to individuals or the entity providing notice, a description) of the third parties that acquired the PHR identifiable health information as a result of a breach of security; (2) a description of the types of unsecured PHR identifiable health information that were involved in the breach; (3) a description of what the entity that experienced the breach is doing to protect affected individuals; and (4) two or more contact procedures, which may include a toll-free telephone number, email address, website, within-application, or postal address.

Revising the Required Timing of the Notice
The HBNR will require that for breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they send notices to affected individuals, which must occur without unreasonable delay and in no case later than sixty calendar days after the discovery of a breach of security.

The unpublished Final Rule is available here. The FTC press release is available here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
