FTC Issues Final Rule Updating Health Breach Notification Rule
The Federal Trade Commission (FTC) issued a final rule on April 26, 2024, that updates the FTC Health Breach Notification Rule. The update includes revised definitions that encompass health apps and other technologies not covered by the Health Insurance Portability and Accountability Act (HIPAA), clarification of what the FTC considers a breach of security, new requirements for the content of breach notifications, changes to the timeframe for issuing notifications, and an expansion of the permitted methods for notifying consumers. “Protecting consumers’ sensitive health data is a high priority for the FTC,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “With the increasing use of health apps and connected devices, the updated HBNR will ensure it keeps pace with changes in the health marketplace.”
The Health Breach Notification Rule applies to vendors of personal health records (PHRs) and related entities that are not covered by HIPAA and requires them to notify individuals in the event of a breach of unsecured personally identifiable health data, and in some cases, also notify the media. In the event of a breach of covered data at a third party that provides services to vendors of PHRs or PHR-related entities, they are required to notify the PHR vendor or PHR-related entity in the event of a breach. While the Health Breach Notification Rule has been in effect for more than a decade, the FTC has only recently started enforcing compliance. The first organizations to face action over alleged violations were GoodRx and Easy Healthcare (Premom).
After issuing a Notice of Proposed Rulemaking (NPRM) in May 2023, the FTC received around 120 comments on the proposed rule and considered those comments when finalizing changes to the Health Breach Notification Rule. The Final Rule takes effect 60 days after publication in the Federal Register.
The key changes implemented by the Final Rule are:
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
- Modifying the definition of “PHR identifiable health information” and adding two new definitions for “covered health care provider” and “health care services or supplies.” These changes make the Health Breach Notification Rule applicable to health apps and similar technologies not covered by HIPAA.
- Clarifying “breach of security,” which means “an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure.”
- Revising the definition of “PHR-related entity” to make it clear that the rule applies to “entities that offer products and services through the online services, including mobile applications, of vendors of personal health records,” and that “only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities.”
- Updating the required content of consumer notifications to require third parties that acquired unsecured PHR identifiable health information as a result of a breach of security to be named, and expanding the means of providing clear and effective consumer notifications to include email and other electronic means of communication.
- Modifying requirements for notifying the FTC about a breach of security. In the event of a breach of 500 or more records, the FTC must be notified at the same time as issuing consumer notifications. Those notifications, like those required by the HIPAA Breach Notification Rule, must be issued without undue delay and no later than 60 days from the discovery of a breach of security.
The final rule did not have universal support within the FTC and was only narrowly passed with a vote of 3-2 in favor. Commissioners Melissa Holyoak and Andrew N. Ferguson voted against the update. Commissioners Holyoak and Ferguson issued a statement about the reason why they did not vote in favor of the final rule. They explained that they felt the final rule “exceeds the Commission’s statutory authority, puts companies at risk of perpetual noncompliance, and opens the Commission to legal challenge that could undermine its institutional integrity.”
The two Commissioners explained that “PHR identifiable health information” means “individually identifiable health information,” and individually identifiable health information is “information created or received by a healthcare provider, health plan, or healthcare clearinghouse.” Commissioners Holyoak and Ferguson have an issue with the FTC’s interpretation of “covered healthcare providers” and “healthcare services and supplies,” which they believe are capricious. They said the adopted definitions are not consistent with the statute that gave rise to the Health Breach Notification Rule, and the joint effect is “to sweep a large swath of apps and app developers under the purview of the Final Rule.”
