FTC’s Updated Health Breach Notification Rule Establishes New Provisions to Protect Users of Health Apps and Devices

It was Shakespeare who said: Once more unto the breach. The FTC’s goal is no more breaches, but until companies keep health data secure and private, the agency will continue to update and enforce the Health Breach Notification Rule (HBNR) to protect consumers and keep up with the digital revolution in health information. Benefiting from input from researchers, industry members, lawmakers, and consumers who responded to our call for public comment, the FTC has just completed a head-to-toe HBNR review. The just-announced final rule clarifies that health apps and similar technologies are covered and expands what covered entities must tell consumers if their data has been breached. How will the new rule affect your business?

HHS’s Health Insurance Portability and Accountability Act (HIPAA) addresses privacy and security for most physician offices, hospitals, and insurance companies. But with advances in oversight and technology, much health-related information falls outside of HIPAA. That’s where the FTC’s Health Breach Notification Rule comes in. Since the FTC announced the rule in 2009, vendors of personal health records (PHRs), a phrase the rule defines, and related entities not covered by HIPAA must notify individuals, the FTC and, in certain cases, the media if there has been a breach of unsecured PHR identifiable health information. The rule also requires third-party service providers to PHR vendors and PHR-related entities to notify those vendors and related entities upon discovery of a breach.

You’ll want to read the Federal Register Notice for specifics on what’s new, but here are some highlights from the final rule.

  1. The rule applies to health apps and similar technologies not covered by HIPAA. The FTC emphasized this point by amending the definition of PHR identifiable health information and adding definitions for covered health care provider and health care services or supplies. This should come as no surprise to companies familiar with the Commission’s 2021 Statement on Breaches by Health Apps and Other Connected Devices, the FTC’s recent actions enforcing the rule, and the 2023 notice of proposed rulemaking.
  2. The definition of breach of security includes both data security breaches and unauthorized disclosures. Here’s what the final rule says: a breach of security includes an unauthorized acquisition of unsecured PHR identifiable health information in a personal health record that occurs as a result of a data breach or an unauthorized disclosure. The FTC’s recent settlements with GoodRx and Easy Healthcare, for failing to report that they shared consumer health data with ad platforms in violation of their privacy promises, also illustrate this point.
  3. The revised definition of PHR-related entity states that the rule applies to entities that offer products and services through the online services of PHR vendors, including mobile applications. For clarity, the final rule updates the phrase “websites” to read “websites, including any online service.” Two reasons support this change: 1) adding online services is a more realistic reflection of the current market; and 2) websites are so 2009. The PHR-related entity definition also replaces the phrase “access information” with “unsecured PHR identifiable health information.”
  4. In defining a personal health record, the technical ability to extract information from multiple sources is what matters. The definition of personal health record originally referred to identifiable health information about an individual that “can be drawn from multiple sources.” The new rule replaces that phrase with “has the technical ability to extract information from multiple sources.”
  5. The final rule expands the use of electronic notice to consumers. The rule maintains the longstanding requirement that a PHR vendor or PHR-related entity that discovers a breach of security must promptly notify the affected individuals. While notice by first-class mail is still fine in some cases, the new approach focuses on email in combination with other forms of electronic notice, such as text or in-app messages.
  6. Notices to consumers must include more information and must be clear and conspicuous and reasonably understandable. Under the final rule, in most cases the notice must tell people the identity of any third party that acquired unsecured PHR identifiable health information as a result of the breach. The notice must also describe the types of health information involved in the breach (for example, a diagnosis or health condition, laboratory results, medications, other treatment information, or the individual’s use of a health-related app). In addition, the final rule not only requires that the notice be clear and conspicuous and reasonably understandable; it also provides detailed guidance on what entities must do to achieve this outcome. For example, consider using short explanatory sentences or bulleted lists, plain-language headings, easy-to-read typography, wide margins, and ample spacing. Things to avoid: legal or highly technical terminology, multiple negatives, and imprecise explanations. See the appendices for examples of text messages, in-app messages, web banners, and email notices. (By the way, even if the HBNR doesn’t apply to your business, the rule’s hands-on approach to the clear and conspicuous standard offers guidance for all businesses.)
  7. Covered entities must move quickly to notify consumers and the FTC of breaches involving 500 or more people. For breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they send notices to affected individuals. This must be done without unreasonable delay and in no event later than 60 calendar days after discovery of a breach of security. For breaches involving fewer than 500 individuals, covered entities must notify the FTC annually and no later than 60 calendar days after the end of the calendar year. However, notice to affected individuals must still occur without unreasonable delay and in no event later than 60 calendar days after discovery of a breach of security.
  8. The final rule adds cross-references, citations, and more information about penalties for noncompliance. A violation of the HBNR will be treated as a violation of a rule promulgated under Section 18 of the FTC Act regarding unfair or deceptive acts or practices. This means that violations are subject to civil penalties.

The updated Health Breach Notification Rule takes effect 60 days after it appears in the Federal Register. Follow the Business Blog for the effective date. Until then, the 2009 rule continues to apply. Do you have a breach to report to the FTC, whether under the 2009 rule or under the final rule once the amendments take effect? Use this form.

Image Source : www.ftc.gov
