Summary

The Federal Trade Commission (FTC) continues to enforce and update its Health Breach Notification Rule (HBNR) amidst a fast-changing regulatory environment. A new rule, which took effect this week, expands the scope of the HBNR, as the FTC ramps up enforcement activity related to disclosures of identifiable health data, and other agencies implement changes to the Health Insurance Portability and Accountability Act (HIPAA), Part 2, and Information Blocking rules regulating similar data.

The Upshot

• Via final rule, effective July 29, the FTC expanded the scope of the HBNR in efforts to “strengthen and modernize” the applicable regulations. The updated HBNR expands the methods by which regulated entities may make required notifications and updates timing requirements for making such notifications.
• The updated HBNR requires entities that possess personal health records (PHR), but are not covered by the HIPAA, to provide notice following a breach of unsecured data.
• The FTC clarified that the HBNR is intended to apply to health care apps and similar technologies not covered by HIPAA. The FTC implemented these clarifications via expansions to existing definitions and other changes intended to improve overall readability of the HBNR. The FTC recently began enforcing the HBNR, while other HHS agencies continue to publish guidance related to HIPAA and Information Blocking.

The Bottom Line

Companies that are not regulated by HIPAA but maintain health information must ensure HBNR compliance. Other entities—including “Part 2” (federally assisted substance use disorder treatment) programs, HIPAA-covered entities and their business associates, health care providers, information technology developers and information exchanges, and lawful holders of health information—should note recent shifts in the regulatory environment for maintaining identifiable health data.

Health Breach Notification Rule

Effective July 29, 2024, Federal Trade Commission (FTC) updates to its Health Breach Notification Rule (HBNR) will (1) clarify the scope of the HBNR in order to make clear its applicability to developers of electronic health apps; (2) revise key definitions for breaches and regulated entities; and (3) revise the method, timing, and content of required notices. The HBNR applies to “foreign and domestic vendors of personal health records, PHR-related entities, and third-party service providers” not covered by the Health Insurance Portability and Accountability Act (HIPAA).

As clarified, a “vendor of personal health records” is an entity, not covered by HIPAA, that “offers or maintains a personal health record,” and may include developers of mobile health applications. A “personal health record” will now be “an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual,” and may include a mobile health application. PHR-related entities are, essentially, those not covered by HIPAA that offer products and services through vendors of personal health records, including their mobile health applications. Finally, a “third-party service provider” is one that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information in furtherance of services provided to such entities.

Taken as a whole, this means that the revised HBNR will apply to virtually any entity not covered by HIPAA that handles identifiable information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

Under the revised HBNR, a “breach of security” will include any unauthorized releases of PHR identifiable health information, even if intentional. The HBNR requires vendors and PHR-related entities to notify affected individuals of any breaches of security, and further requires notice to the FTC and media for breaches affecting more than 500 individuals. The updated HBNR provides for certain electronic notifications and expands the required content of relevant notifications.

Other Updates Affecting Health Information

Various federal agencies continue to issue notable guidance and expand enforcement efforts specific to health information.

The updates to the HBNR, specifically, follow 2023’s first instance of FTC enforcement. In that instance, the FTC took issue with, among other things, the third-party collection and sharing, in alleged violation of the HBNR, of users’ medications and demographic data with advertisers in order to create medication-specific advertisements. Earlier this year, the FTC continued similar enforcement efforts against a Part 2 (substance use disorder diagnosis, treatment, or referral for treatment) program for alleged violations of the FTC Act and the Opioid Addiction Recovery Fraud Prevention Act of 2018. (Part 2 Programs should also note recent Office for Civil Rights (OCR) and Substance Abuse and Mental Health Services Administration regulatory alignment of substance use disorder confidentiality requirements and penalties with HIPAA).

Notably, the alleged violations were based, in part, on the improper disclosure of identifiable information via “tracking technologies” and violations of HIPAA stemming from OCR’s subregulatory guidance related to such tracking technologies. That same tracking technology guidance has been subject to recent OCR revisions, as well as judicial challenges. For example, in June, the District Court for the Northern District of Texas vacated a portion of OCR’s guidance. Specifically, the court took issue with what it described at length as OCR’s attempts, via the tracking technology guidance, to “shoehorn additional information,” into the definition of “individually identifiable health information” provided by statute.

Though promulgated by formal rulemaking (rather than subregulatory guidance), the revised HBNR similarly relies on new or expanded definitions of key terms, including “PHR identifiable health information” and “covered health care provider.”

In addition, OCR recently released subregulatory guidance related to security via a concept paper outlining a number of currently voluntary cybersecurity recommendations (including reference to FDA guidance for cybersecurity recommendations applicable to medical devices) and cybersecurity performance goals. OCR indicated that formal updates to the HIPAA Security Rule will follow in 2024, potentially along with proposed changes to the Privacy Rule. Additionally, CMS recently published disincentives complementing applicable OIG penalties based on regulatory definitions set forth by the Office of the National Coordinator for Health Information Technology (ONC) in “Information Blocking” regulations promulgated in accordance with the Public Health Service and 21st Century Cures acts. Via these rules, various HHS agencies continue to interpret and clarify the applicability of statutory and regulatory definitions governing a wide array of health information.

Health care entities and other lawful holders of health information should review these rules and maintain robust compliance measures for health information, prior to incurring any breach. Ballard Spahr’s Health Care and Privacy and Data Security attorneys are available to assist with any questions related to the HBNR, or other aspects of data privacy, security and breach reporting.