[co-author: Paul Sevigny]*
On May 18, 2023 the Federal Trade Commission (FTC) released a Notice for Proposed Rule Making (NPRM) for updates to the Health Breach Notification Rule, 16 C.F.R. Part 318 (the Rule). The Rule serves to ensure entities that are not defined as Covered Entities under the Health Insurance Portability and Accountability Act (HIPAA) are nevertheless accountable when the sensitive health information of consumers is compromised and that entities cannot conceal breaches from consumers. The Rule imposes notification requirements for a breach of unsecured identifiable health information.
To Whom does the Health Breach Notification Rule Currently Apply?
The Rule applies to three (3) types of entity:
- Vendors of Personal Health Records (PHR), both Foreign and Domestic – These are entities that offer or maintain electronic records containing individually identifiable health information as defined by the Social Security Act.[i]
- PHR Related Entities – These are entities that offer services through the website of a PHR vendor or HIPAA-Covered Entity offering individuals personal health records, as well as entities that access PHR information or send information to a PHR.[ii]
- Third Party Service Providers – These are entities that provide services to vendors of PHR or PHR related entities in connection to the products or services they offer and access or interact with unsecured PHR identifiable health information.[iii]
In September 2021, the FTC released a policy statement to clarify to whom the Health Breach Notification Rule applies. This statement explained that health and health-tracking apps fall under the Rule because they “furnish health care services” and may trigger the Rule if sensitive health information is disclosed without consumer authorization. For example, an app is covered under the Rule if it collects information directly from a consumer and is capable of drawing information from application program interfaces that enable it to sync with that consumer’s fitness tracker. A blood sugar monitoring app is also covered if it takes health information only from the consumer’s direct input but draws non-health information from another source, like a calendar app.[iv]
However, the Rule does not apply to HIPAA-Covered Entities or to any other entity acting in its capacity as a business associate of a HIPAA-Covered Entity.[v] Nor does the Rule apply to health information that is secured through a specific technology or methodology determined by the Department of Health and Human Services.[vi]
Current Health Breach Notification Requirements
The current Rule requires vendors of PHR and PHR-related entities to report security breaches involving PHR to the FTC, to affected consumers, and in some cases to the media. Service providers to these entities that process and handle PHR materials must report security breaches to their business customers. Under the Rule, a security breach means an acquisition of the unsecured PHR identifiable health information of an individual without the individual’s authorization.[vii]
The entity must give notice as soon as possible and, if more than 500 people are affected by the breach, in no case later than 10 days after discovering the security breach; for a smaller breach, the deadline is 60 days. Failure to give the required notice is a violation of the Rule and can lead to civil penalties in excess of $50,000 per violation.[viii]
What are the Proposed New Changes?
There are seven (7) proposed changes laid out in the NPRM that build off the FTC’s 2021 policy statement:
- Scope of the Health Breach Notification Rule – The Rule covers electronically generated health information, like information generated through a health-tracking app, emergent health information generated from information like location and purchase history, and traditional health information, like a medication or a diagnosis. The FTC seeks to clarify this through the NPRM by updating the definition of “PHR identifiable health information” with language from the Social Security Act to make the Rule easier to read and follow. The NPRM also adds to the definitions of “health care provider” and “health care services or supplies” to cover all online, website and app-based services or internet-connected devices that track disease, health conditions, diagnoses, fitness, fertility, sexual health, mental health, genetic information, and more. This is not meant to substantively alter the applicability or requirements of the Rule.[ix]
- Covered Breaches under the Health Breach Notification Rule – The FTC, through the NPRM, is seeking to revise the definition of breach of security to clarify that security breaches triggering the Rule need not stem from malicious cybersecurity attacks. The Rule has been and will continue to be implicated by any data security breach or unauthorized disclosure.[x]
- Definition of PHR-Related Entity – The NPRM sets forth a revision in the scope of what is considered a PHR-related entity to clarify that it includes entities offering services through mobile applications as well as websites. Since the promulgation of the Rule, new online technologies have led to new online and mobile services covered by the Rule. This revision would, however, narrow the scope of a PHR-related entity by changing the definition from an entity that “accesses any information” to an entity that “access[es] or send[s] unsecured PHR identifiable information to a personal health record.”[xi]
- Drawing Information from Multiple Sources – The FTC is proposing an addition to the definition of PHR that will clarify a product with the “technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual” is considered PHR. If an individual authorizes a product to draw data from a single source and it is capable of drawing from multiple sources, it is still PHR. Therefore, even when an individual does not connect or sync an application or tracker, but it has the ability to pull identifiable health information from a tracking or a calendar type app, it will still constitute PHR.[xii]
- Electronic Notice of a Breach – In the NPRM, the FTC is proposing increasing the use of electronic notifications of breach to affected consumers to improve the speed and efficacy of the required notice. Rule-Covered Entities would be required to provide written notice via “electronic mail” including email, text, in-app messaging, or banner notification. If “electronic mail” is not the primary contact for the affected consumer, notification must be done via first-class mail.[xiii]
- Content of Consumer Notices – The FTC is proposing an expanded information requirement in the notice given to consumers who are affected by a security breach. This includes a description of the potential harm from the breach, details about other entities that have acquired the unsecured PHR identifiable health information, and a description of what the entity is doing to help the affected consumers going forward. Further, at least two (2) methods of contacting the breaching entity must be provided to the consumer, such as an email address, toll-free number, website, in-app contact, or mailing address.[xiv]
- Health Breach Notification Rule “Accessibility” – The NPRM recommends rearrangement of provisions within the Rule and other edits to help make the Rule easier to read, interpret, and understand without making substantive changes.[xv]
Going Forward
Currently, the FTC is receiving comments on the proposed changes to the Health Breach Notification Rule. Public comments can be made here through August 8, 2023. The FTC estimates that the Proposed Rule changes will apply to roughly 170,000 entities, but the number may be larger, and that there will be more reportable breaches if the proposed changes are implemented.[xvi] Entities that are not covered under HIPAA should carefully review their status under the Rule and its proposed changes, as the FTC has begun to enforce the Rule for the first time in over a decade. In February and May 2023, the FTC brought its first and second ever enforcement actions under the Rule, and the NPRM signals that the FTC will continue to focus on protecting health information as the use of health apps and connected devices grows.[xvii] This is of concern to all entities utilizing online tracking technologies, including hospital systems and telehealth providers already covered by HIPAA.
*Law Clerk
[i] 16 CFR 318.2(j); 16 CFR 318.1(a); 42 U.S.C. 1320d(6).
[ii] 16 CFR 318.2(f).
[iii] 16 CFR 318.2(h).
[iv] Fed. Trade Comm’n, Statement of the Commission: On Breaches by Health Apps and Other Connected Devices (Sept 15, 2021).
[v] 16 CFR 318.1(a).
[vi] See 74 Fed. Reg. 19006 (2009); see also U.S. Dep’t of Health & Human Servs., Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (July 26, 2013).
[vii] 16 CFR 318.2(a).
[viii] Id. § 318.5; Press Release, Health Breach Notification rule: FTC wants Your Insights into Proposed Changes (May 19, 2023).
[ix] 88 Fed. Reg. 37822-24 (2023).
[x] Id. at 37824.
[xi] Id. at 37824-26.
[xii] Id. at 37826.
[xiii] Id. at 37826-28.
[xiv] Id. at 37828.
[xv] Id. at 37828-29.
[xvi] Id. at 37831.
[xvii] See Press Release, FTC Proposes Amendments to Strengthen and Modernize the Health Breach Notification Rule (May 18, 2023); 88 Fed. Reg. 37821.