FTC Announces Final Rule Sweeping Consumer Digital Health Tech Under the Health Breach Notification Rule

King & Spalding

On April 26, the Federal Trade Commission (FTC) approved its Final Rule revising the Health Breach Notification Rule (HBNR) (“Final Rule”) by a 3-2 vote. The HBNR requires vendors of personal health records (PHR) and related entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify affected consumers, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. The Final Rule contains several significant changes to the HBNR that warrant stakeholder consideration.

The Final Rule’s revisions particularly impact the digital health technology sector. The Final Rule expands both who is covered and what constitutes a breach of security under the HBNR. Most significantly, the revisions make clear that the HBNR applies to health apps, connected devices, health-related websites, and similar technologies that handle consumers’ sensitive health data. To achieve this, the Commission revised several definitions to underscore HBNR’s application to health apps and similar technologies not covered by HIPAA. The Final Rule also modifies the timing, method, and content of notice that is required when a “breach of security” occurs. This rulemaking effort is consistent with FTC’s increasingly aggressive enforcement focus on digital health technology developers who have access to sensitive data collected by their consumer offerings.

CLARIFICATION OF THE COVERED ENTITIES AND INFORMATION

The HBNR requires “vendors of personal health records” and “PHR related entities” to notify affected customers, the FTC, and sometimes the media, of breaches involving “unsecured PHR identifiable health information.” The first way the Final Rule changes the HBNR is by changing, clarifying, and adding definitions for key terms and provisions. This includes modifications to the definition of “PHR identifiable health information” and “PHR related entity” and addition of two new definitions for “covered health care provider” and “health care services or supplies.” The definitions for several key terms govern who is obligated to report and when this obligation is triggered. These terms include:

Covered health care provider: The Final Rule expands the definition of “health care provider” (now “covered health care provider”) by including a category for “any other entity furnishing health care services or supplies.” Qualifying services and supplies include “any online services such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.”1 Accordingly, “covered health care provider” can include any entity providing health or wellness-related offerings through a website, app, or other online services.

PHR identifiable health information: PHR identifiable health information means information that relates to the physical or mental health or condition of an individual or the provision of or payment for health care to an individual which identifies or can be used to identify the individual and is created or received by a covered health care provider. . . and includes information that is provided by or on behalf of the individual. The FTC elaborated that this definition “covers traditional health information (such as diagnoses or medications), health information derived from consumers’ interactions with apps and other online services (such as health information generated from tracking technologies employed on websites or mobile applications or from customized records of website or mobile application interactions), as well as emergent health data (such as health information inferred from non-health-related data points, such as location and recent purchases).”2

Vendors of PHR identifiable health information: Under the Final Rule, a “vendor of PHR identifiable health information” is an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a PHR. Notably, the Commission stated that the changes “further clarified that a mobile health application can be a ‘personal health record’ covered by the HBNR and the developers of such applications can be ‘vendors of personal health records’ subject to the HBNR.”3 The Final Rule clarified that to be a “vendor of PHRs,” an app, website, or online service must provide an offering that relates “more than tangentially” to health.4

PHR related entities: Vendors are not the only parties subject to the HBNR; “PHR related entities” also have obligations under the HBNR. As defined in the HBNR, a PHR related entity either (1) offers products or services through the website, including any online service, of a vendor of PHRs or of HIPAA-covered entities that offer individuals personal health records, or (2) accesses unsecured PHR identifiable health information in a PHR or sends unsecured PHR identifiable health information to a PHR. Two aspects of this definition limit the term’s scope: first, the FTC stated that mere access to PHR identifiable health information does not render a third-party service provider a PHR related entity; second, the Final Rule specifies that the PHR identifiable health information being accessed or sent must be unsecured.

What constitutes a qualifying PHR for vendors and related entities? The revised HBNR and FTC commentary “clarifies that a product is a personal health record if it can draw any information from multiple sources, even if it only draws health information from one source.” This means that to qualify as a PHR, only one source of data must be PHI; other sources may include non-PHI data, such as GPS or calendar app information. The revised definition is broad: the offering need only have the “technical capacity” to draw data from multiple sources, even if consumers opt out of the feature, or the feature is unpublished, still in beta testing, or not being used for the specific offering at issue.5

EXPANDED DEFINITION OF “BREACH OF SECURITY”

The Final Rule reiterates previous guidance that a “breach of security” includes not only data security breaches but also unauthorized disclosures of consumer data that exceed consumers’ meaningful authorization and/or are inconsistent with the privacy representations made by the company. This includes voluntary disclosures made by a PHR vendor for marketing or other purposes the consumer did not explicitly authorize. The Final Rule states that whether a disclosure is authorized “will be a fact-specific inquiry that depends on the context of the interactions between the consumer and the company; the nature, recipients, and purposes of those disclosures; the company’s representations to consumers; and other applicable laws.”6 Overall, the disclosure of consumer data must be consistent with the company’s privacy disclosures and consumers’ reasonable expectations, and the consumer must have a “meaningful choice” in consenting to such disclosure of their information.7

CHANGES TO CONTENT, METHOD, AND TIMING FOR NOTICE REQUIREMENTS

The Final Rule also impacts the nature of notice required in response to a breach. Specifically, the Final Rule (1) authorizes the use of email and other electronic means of providing clear and effective notice to consumers of a breach; (2) changes the timing obligation for breaches involving 500 or more individuals to require notice to FTC at the same time as consumers (i.e., without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security); and (3) expands the required content for notices to consumers. The Final Rule also added several definitions that address specific expectations for compliant notices, which must be “reasonably understandable” and “designed to call attention” to the nature and significance of the information in the notice.8

Expanded requirements for notice content: The Final Rule requires that the notice of a security breach sent to consumers now include five enumerated components: (1) brief description of what happened, including the full name or identity (or, where providing the full name or identity would pose a risk to individuals or the entity providing notice, a description) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security; (2) description of the types of unsecured PHR identifiable health information involved; (3) steps individuals should take to protect themselves from potential harm; (4) brief description of what the entity is doing to investigate the breach, mitigate harm, protect against further breaches, and protect affected individuals; and (5) two contact procedures for individuals to learn more.

In announcing the Final Rule, the FTC emphasized that the changes to the HBNR are a response to the explosion in popularity of consumer digital health technologies, which generate and transmit sensitive personal health information that can be misused or disclosed without the consumer’s awareness.

This rulemaking effort is consistent with the FTC’s recent enforcement focus on digital health technology companies that misused or exploited sensitive data collected by their consumer offerings. In the past few years, the FTC has directed significant resources toward protecting consumers in the digital health data privacy and security space using a variety of regulatory tools, including targeted enforcement campaigns. The HBNR remains an effective tool for the FTC to pursue penalties for conduct that implicates the rule.

1 Fed. Trade Comm’n, Health Breach Notification Rule, Final Rule at pg. 98.

2 Id. at pg. 13.

3 Id. at pg. 14 (emphasis added).

4 Id. at pg. 29.

5 Id. at pg. 37.

6 Id. at pg. 49.

7 See generally Id. at pgs. 49-54. The commentary in this section points to the GoodRx and Easy Healthcare enforcement actions as valuable context and guidance for understanding how the FTC undertakes an analysis of disclosure authorization for a “breach of security” under the HBNR. The brief discussion here about “dark patterns” and how they impact the meaningfulness of consumer choice to consent suggests that the FTC may be especially interested in leveraging the HBNR against digital health technology entities that use dark patterns to exploit or manipulate consumers. Id. at pg. 50.

8 Id. at pgs. 96-97.
