​

The Federal Trade Commission (FTC) issued a final rule to amend its Health Breach Notification Rule (HBN Rule). The HBN Rule requires certain entities that handle unsecured personally identifiable health data to notify individuals, the FTC, and sometimes, the media of a breach of security. The final rule aims to clarify and update the HBN Rule in light of technological and market changes, as well as public comments received by the FTC.

The final rule is based on the legislative background of the American Recovery and Reinvestment Act of 2009 (Recovery Act) and the Health Insurance Portability and Accountability Act (HIPAA), which authorized the FTC to issue and enforce the HBN Rule. The FTC began enforcing the HBN Rule on February 22, 2010, and has brought enforcement actions against two digital health companies, GoodRx, and Easy Healthcare, for violating the rule. The FTC also issued a policy statement in 2021 that clarified that the HBN Rule covers most health apps and similar technologies not covered by HIPAA.

The final rule makes seven main changes to the HBN Rule, which are effective 60 days after the date of publication in the Federal Register which was on May 30, 2024. The seven main changes are:

1. Clarifying the HBN Rule's scope, including coverage of health applications (Apps).
2. Clarifying the definition of a vendor of personal health records (PHRs) drawing PHR identifiable health information from multiple sources.
3. Revising the definition of breach of security to include data security breaches and unauthorized disclosures.
4. Revising the definition of a PHR-related entity.
5. Modernizing the method of notice.
6. Expanding the content of the notice.
7. Altering the HBN Rule's timing requirement for notifying the FTC of a breach of security.

1. Scope of rule

The final rule covers vendors of PHRs and related entities that offer products and services through the online services of vendors of PHRs or that access or send unsecured PHR identifiable health information to a PHR. The rule also explicitly covers the Apps and similar technologies that are electronic records of PHR identifiable health information and have the technical capacity to draw information from multiple sources.

Access alone to unsecured PHR identifiable health information does not automatically render an entity service a PHR-related entity. The FTC noted that PHR-related entities are required to notify third-party service providers of their status as vendors of PHR or PHR-related entities. The FTC also responded to comments clarifying that entities can contractually stipulate whether data transmissions will contain unsecured PHR identifiable health information and that companies should monitor for those provisions through the use of automated tools, internal auditing, or other mechanisms.

2. Definition of a vendor of personal health records (PHRs)

The final rule clarifies that a vendor of PHRs drawing PHR identifiable health information from multiple sources is an entity, excluding HIPAA-covered entities or entities acting as business associates of HIPAA-covered entities, that offers or maintains an electronic record of identifiable health information on an individual that has the technical capacity to draw information from more than one source, even if it only draws health information from one source, in addition to non-health information from another source. A source is defined as any entity or system that provides information to the PHR, such as a health care provider, a health plan, an employer, a health care clearinghouse, a wearable device, or a phone calendar. The final rule clarifies that the PHR must have the technical capacity to draw information from multiple sources, regardless of whether the individual chooses to utilize all available sources or features for integrating information. The final rule also provides examples to illustrate the meaning of drawing information from multiple sources, such as a depression management app that can sync with a sleep monitor or a diet and fitness app that can pull information from the user's phone calendar.

3. Definition of breach of security which includes data security breaches and unauthorized disclosures

The final rule clarifies the definition of breach of security as the acquisition of unsecured personally identifiable health information in a PHR without the authorization of the individual concerned. The final rule also states that unauthorized acquisition includes unauthorized access to unsecured PHR identifiable health information unless the entity experiencing the breach has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information. Furthermore, the final rule explains that the definition of breach of security covers unauthorized acquisitions that occur as a result of a data breach or an unauthorized disclosure, regardless of whether they involve cybersecurity intrusions or voluntary disclosures by the PHR vendor or PHR-related entity. The final rule does not define the term authorization but indicates that it is a fact-specific inquiry that depends on various factors, including the company's privacy promises and other applicable laws. The final rule also refers to the FTC's Policy Statement and enforcement actions, which clarify that incidents of unauthorized access or sharing of covered information without an individual's authorization trigger notification obligations.

4. Definition of PHR-related entity

The final rule clarifies that the definition of a PHR-related entity is an entity that is not a HIPAA-covered entity or a business associate of a HIPAA-covered entity, and that meets one of three conditions related to PHRs. The first condition is that the entity offers products or services through the website or any online service of a vendor of PHRs. The second condition is that the entity offers products or services through the websites or any online services of HIPAA-covered entities that provide individuals with PHRs. The third condition is that the entity accesses or sends unsecured PHR identifiable health information to a PHR. The definition of a PHR-related entity has been revised to focus on entities that access or send unsecured PHR identifiable health information to a PHR, rather than entities that access or send any information to a PHR.

5. Method of notice

The final rule revises the HBN Rule to require entities to notify individuals and the FTC of a breach of security involving unsecured PHR identifiable health information as outlined in 16 CFR § 318.5, which details how notice should be provided to each of these parties in a timely, clear, and conspicuous manner.

Individual notice must be provided promptly and under the timeliness requirements specified in 16 CFR § 318.4. Written notice can be sent by electronic mail if the individual has specified electronic mail as the primary method of communication, or by first-class mail in the alternative. If the individual is deceased, notice must be provided to the next of kin if authorized. Substitute notice is required if contact information for ten or more individuals is insufficient or out-of-date, and it can be done through a conspicuous posting on the entity's website or in major print or broadcast media. Urgent cases may warrant additional notice by telephone or other means, as appropriate.

The method of notice section also includes definitions for terms such as "clear and conspicuous" and "electronic mail," which encompass email, text messages, within-application messaging, or electronic banners.

6. Expanded content of notice

The content of a proper, compliant notice now must contain the following according to the final rule:

• A brief description of the breach, including the date of the breach and the date of discovery, if known.
• The full name or identity of any third parties that acquired unsecured PHR identifiable health information due to the breach, or a description of the type of third party if providing the full name or identity poses a risk.
• The types of unsecured PHR identifiable health information involved in the breach, such as full name, Social Security number, date of birth, home address, account number, health diagnosis or condition, lab results, medications, other treatment information, the individual's use of a health-related mobile application, or device identifier (in combination with another data element).
• Steps individuals should take to protect themselves from potential harm resulting from the breach.
• A brief description of what the entity that experienced the breach is doing to investigate the breach, mitigate harm, protect against further breaches, and protect affected individuals, such as offering credit monitoring or other services.
• Contact procedures for individuals to ask questions or learn additional information must include two or more of the following: toll-free telephone number, email address, website, within-application, or postal address.
• The notice should be in plain language and designed to call attention to the nature and significance of the information it contains, ensuring it is reasonably understandable and stands out from any accompanying text or other visual elements.
• If the notice is provided on a web page or using within-application messaging, text or visual cues should encourage scrolling down the page if necessary to view the entire notice, and other elements should not distract from the notice.
• The notice should be provided without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security.
• For breaches involving 500 or more individuals, the notice to the FTC must be provided contemporaneously with the notice required by § 318.4(a), without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach.
• For breaches involving fewer than 500 individuals, the notice to the FTC may be sent annually no later than 60 calendar days following the end of the calendar year.
• The entity responsible for the breach has the burden of demonstrating that all notifications were made as required, including evidence demonstrating the necessity of any delay.
• If a law enforcement official determines that notification would impede a criminal investigation or cause damage to national security, such notification may be delayed.

7. Revise timing requirements of breach

The timing requirements for a breach depend on the number of individuals affected, the involvement of law enforcement, and the date of discovery. Generally, the HBN Rule requires entities to notify individuals and the FTC without unreasonable delay and no later than 60 calendar days after discovering a breach of security. However, there are some exceptions and variations to this rule, as explained below.

• For breaches involving 500 or more individuals, entities must notify both the individuals and the FTC at the same time, without unreasonable delay, and no later than 60 calendar days after the breach is discovered.
• For breaches involving fewer than 500 individuals, entities must notify the individuals without unreasonable delay and no later than 60 calendar days after the breach is discovered, and they must also maintain a log of such breaches and submit it to the FTC annually, no later than 60 calendar days following the end of the calendar year.
• If a law enforcement official determines that notification would impede a criminal investigation or cause damage to national security, the notification can be delayed until the official notifies the entity that the notification will no longer have such an effect. This exception applies to both individual and FTC notifications and is implemented in the same manner as provided under 45 CFR § 164.528(a)(2).
• Entities must show evidence that they complied with the timing requirements, including evidence demonstrating the necessity of any delay.
• The HBN Rule applies to breaches of security that are discovered on or after September 24, 2009. The HBN Rule will not apply to breaches discovered after the effective date of regulations implementing new legislation that establishes requirements for breach notification that apply to entities covered by this HBN Rule.

Recommendation to comply with revised HBN rule
This article contains some of the essential parts of the changes to the HBN Rule, but entities should review the rule in its entirety and reach out to counsel to understand the nuance of implementing changes in a compliant manner. To get started with implementations, entities should review and update their policies and procedures to comply by:

• Ensuring Apps and technologies are capable of drawing information from multiple sources and are managed, shared, and controlled by or primarily for the individual.
• Implementing measures to secure PHR identifiable health information to prevent unauthorized access or disclosures.
• Establishing protocols for timely breach detection and notification processes.
• Preparing to provide clear and conspicuous electronic notices to individuals affected by a breach, including information on potential harms and protective measures.
• Updating their incident response plans to include the new timing requirements for notifying the FTC, the affected individuals, and potentially the media.
• Reviewing and revising privacy policies and terms of service to ensure they align with the HBN Rule's requirements for authorized use and sharing of consumer health information.
• Training staff on the new requirements and ensuring that third-party service providers are also informed and compliant with the HBN Rule.