FTC Announces Final Changes to Health Breach Notification Rule That Broaden the Rule’s Scope and Application

Venable LLP

On May 30, 2024, the Federal Trade Commission (FTC or the Commission) published finalized amendments to the Health Breach Notification Rule (HBNR) that augment the prior rule’s scope and application.  The updated final rule will become effective on July 29, 2024.  The HBNR applies to vendors of personal health records (PHRs) and PHR-related entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA).  The rule generally requires notification to individuals, the FTC, and, in certain cases, the media upon a breach of unsecured PHR identifiable health information.

The final rule follows recent FTC enforcement actions, including GoodRx, that addressed the use of digital advertising and analytics functionalities in the health space.  The final rule will broaden, in part, the scope of the HBNR by modifying applicable definitions to apply the rule to health apps, connected devices, and other online services not covered by HIPAA, which the FTC states will codify a 2021 Commission Policy Statement interpreting the rule to apply to such entities.

Updated Definitions Broaden the Scope of the HBNR

The HBNR applies to a “vendor of personal health records,” an entity not covered by HIPAA that offers or maintains an electronic record of “PHR identifiable health information,” that has the “technical capacity to draw information from multiple sources,” and that is managed, shared, and controlled by or primarily for the individual.  Commentary accompanying the final rule notes that “technical capacity to draw information from multiple sources” means that “a product is a personal health record if it can draw any information from multiple sources, even if it only draws health information from one source.” 

The final rule defines “PHR identifiable health information” to include (1) information provided by or on behalf of an individual, (2) relating to a physical or mental health condition or the provision of healthcare to an individual, (3) that identifies the individual or could reasonably be used to identify the individual, and (4) that is created or received by a “covered health care provider” or certain other entities.

The final rule’s definition of “covered health care provider” includes any entity furnishing “health care services or supplies,” i.e., “any online services such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.”

The HBNR also applies to “PHR related entities,” which are entities not covered by HIPAA that (1) offer products or services through a website or online service of a vendor of a personal health record, (2) offer products or services through a HIPAA-covered entity that offers individuals personal health records, or (3) access unsecured PHR identifiable health information in a personal health record or send unsecured PHR identifiable health information to a personal health record. 

In addition, the final rule amends the definition of “breach of security” so that notification requirements are triggered upon a data breach or an “unauthorized disclosure” of PHR identifiable health information rather than an “unauthorized acquisition” of such information.  As a result, under the updated rule, notice obligations will kick in when a regulated entity shares PHR identifiable health information with a third party without an individual’s “authorization.”

The final rule does not provide information on how covered entities can or should obtain individual authorization to disclose PHR identifiable health information.  The commentary explains, however, that the Commission declined to define “authorization” to mean “affirmative express consent.” The final rule states that the use of “dark patterns,” which have the effect of manipulating or deceiving consumers, would not allow for meaningful choice to achieve requisite consumer authorization, and disclosures of PHR identifiable information inconsistent with a company’s privacy promises would constitute an unauthorized disclosure.

Required Notices to the FTC

The HBNR requires covered entities that discover a breach of security to provide written notice to the last known contact information of the individual.  The updates to the rule permit written notice to be sent by email in combination with a text message, within-application messaging, or electronic banner, creating a “two-part electronic notice” opportunity for covered entities. 

The Commission also made changes to required content of the notice to the individual.  Under the updated final rule, entities must include:

  • The full name or identity (or, where providing name or identity would pose a risk to individuals or the entity providing notice, a description) of the third parties that acquired the PHR identifiable health information as a result of a breach of security;
  • A description of the types of unsecured PHR identifiable health information that were involved in the breach, such as health diagnosis or condition, lab results, medications, other treatment information, the individual’s use of a health-related mobile application, and device identifier; and
  • A brief description of what the entity that experienced the breach is doing to protect affected individuals, such as offering credit monitoring or other services.

Finally, the updated rule changes the timing requirements for notice of a breach to the FTC.  Previous text under the rule required notification to the FTC “as soon as possible and in no case later than ten business days following the date of discovery of the breach.”  Under the amended final rule, the HBNR requires all notifications to the FTC for breaches involving the unsecured PHR identifiable health information of 500 or more individuals to be provided contemporaneously with the notice to individuals, without unreasonable delay, and in no case later than 60 calendar days after discovery of a breach.

How an Organization Can Prepare

Before these amendments to the HBNR become effective, organizations should assess whether they are vendors of PHR or are otherwise covered by the rule.  Covered entities should also determine whether existing data sharing practices, including data sharing with third parties for advertising, could be considered a “breach” under the HBNR to evaluate their incident response practices and timelines. For example, organizations can ask themselves the following questions:

  • Assessing applicability—Does the organization qualify as a vendor of personal health records or a PHR-related entity, particularly in light of the new “covered health care provider” and “health care services or supplies” definitions?
  • Assessing practices—Does the organization disclose PHR identifiable health information to third parties? If so, are those activities disclosed in the entity’s privacy policy? What avenues are available to obtain consumer authorization for such disclosures?
  • Assessing incident response policies and procedures—Does the organization have policies and procedures in place to adhere to new timelines and notice content requirements under the updated final rule?

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Venable LLP | Attorney Advertising
