A Fresh Take

FTC Finalizes Revisions to Health Breach Notification Rule

On April 26, 2024, the Federal Trade Commission finalized revisions to the Health Breach Notification Rule (“HBNR” or “Rule”). In recent years, the Commission has made clear through enforcement actions and policy statements that it takes an expansive view of the Rule’s scope. The revisions cement those positions by significantly broadening both the entities covered by the Rule and the activities that trigger its notification obligations. Companies that offer websites, apps, or connected devices to help users manage their health or wellness may need to revise their cybersecurity and privacy policies and procedures in light of these changes.

The changes did not alter the Rule’s basic obligations. The HBNR requires entities that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to provide notice when consumers’ sensitive health information is compromised. Specifically, it requires notification to affected individuals, to the FTC, and in some cases to the media of breaches of “personal health records” (“PHRs”) experienced by “vendors” of PHRs, “PHR related entities,” and “third party service providers.” The FTC can seek civil penalties of up to $51,744 per violation.

The Revised Rule Requires More Companies to Provide Breach Notifications

The Commission expanded the definitions of “covered health care provider,” “health care services and supplies,” “PHR related entity,” and “PHR,” broadening the universe of covered entities.

Vendors of PHR

First, the Rule’s expanded definitions make clear that websites, mobile applications, and internet-connected devices that provide mechanisms to track diseases and health conditions; offer diagnoses or diagnostic testing; or track treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or other health-related services or tools must provide notice if they experience a breach.

One potential limit: the Rule provides that an app or related service must sell, market, provide, or promote an offering “that relates more than tangentially to health,” but it offers little guidance on how to assess whether an offering is merely tangential.

PHR Related Entities

Second, the revisions expand the definition of “PHR related entity” to capture companies offering products or services not just through websites, but also through health and wellness apps and devices. Companies offering remote blood pressure cuffs, connected blood glucose monitors, and fitness trackers may therefore be PHR related entities if users sync those devices with PHRs (e.g., health apps).

One potential limit: to be covered under this prong, a company must access unsecured PHR identifiable health information in a PHR or send such information to a PHR. The Commission’s commentary on the Rule observes that a grocery delivery service that sends information about food purchases to a diet and fitness app would not, on that basis, be a “PHR related entity.”

Third Party Service Providers

Third, the Rule clarifies that firms that handle health information solely to perform data security, cloud computing, advertising, or analytics services for covered entities are third party service providers, whose notification obligations are narrower. A third party service provider that experiences a breach is still obligated to notify the vendor it serves, so that the vendor can provide appropriate notice to its users.

PHR

Finally, the Rule expands the definition of “PHR.” The authorizing statute for the HBNR specifies that a “PHR” is an electronic record of PHR identifiable health information that can be drawn from multiple sources.[1] The Rule now states that if an app has the technical capacity to draw information from a source, it need not actually draw information from that source for the source to count as one of the “multiple sources.” The revised Rule also asserts that actually drawing health information from a single source is sufficient.[2] Thus, a period tracking app that collects inputs from users about their menstrual cycles would be covered by the Rule if the app is technically capable of pulling in location information or calendar data, even if no user has ever activated that feature.

The Rule Adopts a Broader Definition of “Breach”

The revisions codify the FTC’s longstanding position that a “breach” is not limited to cybersecurity intrusions and includes unauthorized disclosures. Events that could trigger notification obligations beyond data theft include:

  • Sharing or selling consumers’ information to third parties in a manner inconsistent with privacy policies or other representations made to consumers;
  • Burying disclosures of how the company will use or share data with third parties in lengthy privacy policies;
  • Failing to disclose how the company accesses, uses, processes, discloses, or retains data;
  • Collecting data for one purpose and using it for another purpose that consumers did not authorize; and
  • Inadvertent but “good faith” access to consumer information by a company employee.

Tips For Complying with The Rule 

  • Health and wellness app companies should carefully review their activities to determine whether they are now subject to the revised Rule. Health and wellness apps or services with unused or unpublicized APIs or integrations, or products not yet in their final form, are still covered if they have the technical capacity to draw information from multiple sources, including calendars, regardless of whether consumers can or do use those functions or features.
  • Health and wellness companies that share information with third parties should confirm that their privacy notices clearly and conspicuously disclose how and why the company shares personal health information with third parties, including service providers.
  • Companies working with service providers should select and retain partners capable of handling data responsibly.
  • Apps and online services should consider de-identifying health information before sharing it, because partners that work only with de-identified data fall outside the Rule’s coverage.

The final rule will go into effect 60 days after its publication in the Federal Register. The two new Republican Commissioners issued a dissenting statement. Chair Khan and Commissioners Slaughter and Bedoya also issued a separate statement.

For more information on how the HBNR and the recent Rule changes may apply to your company, please contact any of the authors of this article.

[1] 42 U.S.C. 17921(11).

[2] Statement of Basis and Purpose (“SBP”) accompanying the Final Rule at 36. 

Tags

cybersecurity, data protection