FTC Vastly Expands Reach of the Health Breach Notification Rule

BakerHostetler

On April 26, the Federal Trade Commission (FTC) announced its final rule (Final Rule) making changes to the Health Breach Notification Rule (HBNR).

The Final Rule was approved along party lines by a vote of 3-2. Chair Lina M. Khan along with Commissioners Rebecca Slaughter and Alvaro Bedoya issued a separate statement, while Commissioner Melissa Holyoak, joined by Commissioner Andrew Ferguson, issued a strong dissent. The Final Rule becomes effective 60 days after publication in the Federal Register.

The Final Rule makes significant substantive changes that we will address in two parts. In this Part 1, we summarize the key changes to the HBNR. In our forthcoming Part 2, we will dive deeper into the commentary accompanying the Final Rule, provide our assessment of the Final Rule’s likely impact and share some practical takeaways.

Key Changes at a Glance

  1. Websites and applications that are not subject to HIPAA and that maintain consumer health information are now likely covered by this rule. With changes to several key definitions, the scope of entities likely covered by the Final Rule has expanded significantly. For example, the new definition of “covered health care provider” includes websites and apps themselves, and the revised language around having “the technical capacity to draw information from multiple sources” means that websites and apps that do not currently collect consumer information from multiple sources are still covered by the Final Rule if they could.
  2. Unauthorized disclosures of consumer health data – even those intended by the company – are breaches. The types of breaches triggering notification have also expanded beyond unauthorized access or acquisition. Notably, there are no safe harbors, exceptions or risk of harm analyses available to get out of notification.
  3. Companies have more time and more options for providing breach notification. Breach notices can be provided by electronic means in certain circumstances and have updated content requirements. For breaches affecting 500 or more individuals, notice to the FTC is now due at the same time as notice to affected individuals, i.e., without unreasonable delay and no later than 60 calendar days after discovery of the breach.
  4. The FTC is likely not done. While the HBNR is about breach notification and not “omnibus privacy protections,” it highlights another area where we are likely to see increased FTC enforcement, particularly as the agency looks to rule violations as a basis for civil penalties and given its increased activity in the area of health data.

Introduction

As a refresher, the HBNR applies to entities that are not subject to HIPAA and that maintain personal health records (PHRs). The prior version of the HBNR was written in a way that, unintentionally, gave entities significant wiggle room when determining whether they were subject to the rule. Our Part 2 analysis will dive deeper into the comparison between the new and old HBNR.

Today, however, we will provide the 101 version, focusing only on the new HBNR. Entities that are potentially subject to this rule should look at it with fresh eyes and determine whether they are among the (FTC-estimated) 193,000 entities that will now be required to comply.

The HBNR primarily applies to two types of entities – “vendors of personal health records” and “PHR related entities.” As the definition of each entity is key to understanding the scope of the Final Rule, we will start with those (quite technical) definitions, noting key changes under the Final Rule. The Final Rule also covers some service providers to these entities if certain conditions exist, and we’ll briefly summarize those conditions and the impact on service providers as well. Next, we’ll explain how the Final Rule expands the definition of “breach of security” that triggers notice obligations. Finally, we’ll provide an overview of key changes to the breach notification requirements in terms of the means of communication, content of the notice, and timing.

Key Scoping Definitions

The Final Rule revises the definitions of “personal health record” and “vendor of personal health records,” including through the introduction of some new terms.

What Information Is Regulated: Personal Health Record Identifiable Health Information Contained in PHRs

The HBNR only applies to PHRs containing personal health record identifiable health information (PHRIHI). Information is PHRIHI if it:

  1. Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and
    • identifies the individual; or
    • with respect to which there is a reasonable basis to believe that the information can be used to identify the individual; and
  2. Is created or received by a:
    • Covered health care provider [including any non-HIPAA regulated online service such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools];
    • health plan (as defined in 42 U.S.C. 1320d(5));
    • employer; or
    • health care clearinghouse (as defined in 42 U.S.C. 1320d(2)); and
  3. With respect to an individual, includes information that is provided by or on behalf of the individual.

Notably, the health-related website or app itself is considered a qualifying source of PHRIHI.

For that information to be considered contained in a PHR, the definition sets the bar low:

Personal health record means an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual.

Notably, the FTC’s commentary to the Final Rule provides context on this definition that may not be apparent from a plain reading of it. First, if an app or website draws consumer information from multiple sources, only one of those sources must provide health information for the app or website to come within the scope of the definition. By way of example, the FTC stated that if an app obtains health information from the consumer and non-health information from a data broker or through an application programming interface (API) that obtains geolocation information from the consumer’s phone, the app “draws information from multiple sources.”

Second, the FTC’s commentary states that an application or website doesn’t actually have to pull information from multiple sources to be covered under the definition – it only has to have the technical capacity to do so, even if from unused or uncommon APIs or features that remain in beta testing.

Who Is Regulated: PHR Vendors and PHR Related Entities but Not Third Party Service Providers

With the above changes, websites and apps that provide individuals a mechanism to track health in any way (including bodily functions, fitness, sleep, nutrition, etc.) are themselves considered covered health care providers. And if those websites or apps have the technical capacity to pull information from multiple sources, they will now be covered as vendors of PHRs under the Final Rule. But the HBNR goes beyond the primary PHR vendor and also covers certain service providers to PHR vendors when they meet the definition of a PHR related entity.

Under the Final Rule, PHR related entity means an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that:

  1. Offers products or services through the website, including any online service, of a vendor of personal health records;
  2. Offers products or services through the websites, including any online service, of HIPAA covered entities that offer individuals personal health records; or
  3. Accesses unsecured PHR identifiable health information in a personal health record or sends unsecured PHR identifiable health information to a personal health record.

There are two notable definition changes that vendors to PHR vendors should consider. First, the definition clarifies that it covers entities that offer products and services through “any online service” (i.e., not limited to websites and to include mobile applications) of vendors of PHRs, given that websites are no longer the only means through which consumers access health information online.

Second, the revised definition applies to entities that access or send unsecured PHR identifiable health information to a PHR – rather than entities that access or send any information to a PHR. This second revision helps limit HBNR exposure when the third party is only sending either de-identified data or data that is encrypted. Note that “unsecured” is a defined term under the HBNR: information is secured only if it is protected through a technology or methodology specified in HHS guidance, so encryption that does not meet that standard does not take the data out of scope.

The definition of third party service provider – a vendor that is not subject to the HBNR – remains unchanged. However, the Final Rule commentary clarifies that even where the third party service provider accesses unsecured PHRIHI in the course of providing services, this does not render the third party service provider a PHR related entity so long as the third party service provider does not use the unsecured PHRIHI for its own purposes. We will have more to say on this topic in Part 2.

So You’re a PHR Vendor or PHR Related Entity – Now What?

Entities newly subject to the HBNR need to understand their obligations. Entities that previously considered themselves subject to the HBNR need to understand not only that there are changes to the HBNR that will lower the bar for what is considered a “breach” but also the new breach notification content requirements.

When is an instance of data sharing considered a breach requiring notification?

The Final Rule expands the definition of “breach of security” to include disclosures not authorized by the consumer, in addition to the previous triggers of unauthorized acquisition and access. In the commentary, the FTC took a broad view of what would be considered an unauthorized disclosure, including disclosures for advertising or marketing purposes if, based on the PHR vendor’s terms of use or privacy policy, such disclosure would be “inconsistent with consumer expectations.” Unlike HIPAA and most state laws, there is no threshold risk of harm or any exceptions for situations like good faith inadvertent access by an employee.

If a PHR vendor or PHR related entity experiences a breach, what is required?

In the event of a breach, the PHR vendor or PHR related entity must provide notice to consumers and the FTC (and in some cases, the media) as follows:

  • Notice to Consumers:
    • Provide notice without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach.
    • Written notice may be provided by electronic mail (defined as email in combination with one or more of the following: text message, within-app messaging, or electronic banner), but only where the individual has selected email as their primary means of communication.
    • Notice delivered by electronic mail must satisfy the new “clear and conspicuous” definition added by the Final Rule.
    • If electronic mail is not available, notice must be provided by first-class mail at the individual’s last known address, and if contact information for ten or more individuals is insufficient or out of date, substitute notice is permissible, to consist of either posting the notice on the entity’s website for 90 days or in major print or broadcast media.
    • The notice must contain:
      • A brief description of what happened, the date of the breach, and the date of discovery, as well as, where known, the name or identity of any third party that acquired PHRIHI as a result of the breach. In the event that providing the name or identity of a third party would pose a risk either to individuals or to the entity providing notice, a description of the third party is sufficient;
      • The types of unsecured PHRIHI that were involved in the breach such as name, Social Security number, home address, account number, health diagnosis or condition, lab results, medications, other treatment information, the individual’s use of a health-related mobile application, or device identifier (in combination with another data element);
      • Steps individuals should take to protect themselves from potential harm resulting from the breach;
      • A brief description of what the entity that experienced the breach is doing to investigate the breach, to protect against future breaches, and to protect affected individuals such as by offering credit monitoring; and
      • At least two forms of contact information if individuals have questions about the breach.
  • Notice to FTC:
    • For breaches involving 500 or more individuals, notify the FTC at the same time as notices to affected individuals, without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach.
    • For breaches involving fewer than 500 people, maintain a log of all such breaches over the course of the year and submit the log annually to the FTC no later than 60 days following the end of the calendar year.
  • Notice to Media:
    • If the breach affects 500 or more residents of a particular state or jurisdiction, provide notice to prominent media outlets serving that state or jurisdiction without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach.

Notice by Third Party Service Providers:

  • If a third party service provider experiences a breach, it must provide notice to the PHR vendor or PHR related entity for which it performs services and obtain an acknowledgment that such notice was received.
  • Such notice must be made without unreasonable delay and no later than 60 days after discovery of the breach.
  • To enable implementation of this requirement, PHR vendors and PHR related entities are required to notify their third party service providers of their status as entities covered by the HBNR.

A Reminder About Civil Penalties

The FTC adopted its proposal to add a statement in the Final Rule’s enforcement provision to specifically indicate that violations of the HBNR are subject to civil penalties. We view this as a clear signal to companies dealing with health (and now wellness) information that the HBNR is an area in which the FTC can and will continue to seek penalties.

* * *

We will be sharing additional commentary and practical guidance in our forthcoming Part 2. But for now, we would encourage any entities touching health and wellness data to carefully review the Final Rule and commentary.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising