Through proposed amendments to its Health Breach Notification Rule (16 CFR Part 318), the FTC is currently seeking to formalize the extension of its notification requirements for covered security breaches of consumers’ electronic health information to developers of health applications and similar technologies.
As can be seen in statements found in the proposed amendments, the entities most affected by the potential changes envisioned would continue to be “vendors of personal health records, PHR related entities and third party service providers,” as currently provided for by the Rule, but clarification would be added that such entities would be inclusive of “developers and purveyors of health apps, connected health devices, and similar technologies.”
The changes would also make clear that unauthorized disclosures of health information covered by the Rule are impermissible, a position already reflected in recent enforcement actions by the FTC against Good Rx Holding Inc. (“GoodRx”) and Easy Healthcare Corporation (“Easy Healthcare”), after these entities disclosed unsecured personal health record (PHR) identifiable information to third party advertising platforms such as Facebook and Google.
Concerning the purpose of the changes, the FTC explains that the use of direct-to-consumer health technologies, including fitness trackers and wearable blood pressure monitors, has increased since the initial Rule’s issuance to the point of becoming “commonplace,” especially in light of the COVID-19 pandemic, and that the agency wishes to ensure that “entities covered by the Rule understand their obligations.”
However, the path the agency takes to accomplish this involves multiple steps and potentially confusing new definitions.
ENTITIES AFFECTED BY THE PROPOSED AMENDMENTS
Developers of Health Apps and Similar Technologies as “Health Care Providers”
First, rather than stating directly that such entities fall under the Rule, the proposed amendments create a new definition of “health care provider” under which developers of health apps and similar technologies would be included.
While such developers might not naturally seem to fit under this term, the definition of “health care provider” would include any “entity furnishing health care services or supplies,” and the definition of “health care services or supplies” is very broad: it includes “any online service, such as a website, mobile application, or internet-connected device that provides mechanisms” capable of tracking a wide variety of areas, as well as “other health-related tools.”
The areas of tracking would include the following:
- Disease
- Health conditions
- Diagnoses or diagnostic testing
- Treatment
- Medications
- Vital signs
- Symptoms
- Bodily functions
- Fitness
- Fertility
- Sexual health
- Sleep
- Mental health
- Genetic information, and
- Diet.
PHR Related Entities
The proposed amendments would also expand the definition of a PHR related entity beyond websites, the current scope, to include any online service, including mobile applications.
Under the initial definition, a PHR related entity is an entity that offers products or services through the websites of a vendor of personal health records, or through those of HIPAA-covered entities that offer individuals personal health records, and that is not itself a HIPAA-covered entity or a business associate of one. Entities that access information in a personal health record, or that send information to a personal health record, are also PHR related entities.
A second change under the proposed amendments would make the distinction between unsecured PHR identifiable health information and ‘any’ information. Entities that access or send the former to a personal health record would be considered PHR related entities, but those that access or send the latter would not.
The FTC gives remote blood pressure cuffs, connected blood glucose monitors and fitness trackers, when synced with personal health records via mobile apps, as examples of “devices that could qualify as PHR related entities” under the changes. As an example of something that would not qualify, it gives a grocery delivery service integrated with a diet and fitness app that sends information about food purchases, although it notes that such a service could “arguably be considered a PHR related entity” under the current version of the Rule.
Third Party Service Providers
Under the proposed amendments, the FTC is seeking to keep third party service providers to vendors of personal health records or PHR related entities from inadvertently becoming PHR related entities upon accessing unsecured PHR identifiable health information during the course of providing services.
The FTC states that the purpose of this change is to address the potentially conflicting notice requirements that would otherwise arise. If finalized, the changes would call for third party service providers to provide applicable notices to the health app developers for whom they provide services, who would in turn notify affected individuals.
Business guidance material provided by the FTC describes services involving the use, maintenance, disclosure, or disposal of health information as falling within the scope of the activities of third party service providers.
PHR IDENTIFIABLE HEALTH INFORMATION & PERSONAL HEALTH RECORDS
In addition to the new definitions above, the FTC says it is seeking to revise the definition of “PHR identifiable information” to go beyond traditional health information to include health information derived from consumers’ interactions with apps and other online services, as well as ‘emergent health data.’
As examples of traditional health information, which remains included, the FTC gives “diagnosis or medications.” As examples of health information derived from consumers’ interactions with apps and other online services, it gives “tracking technologies employed on websites or mobile applications or from customized records of websites or mobile application interactions.” Finally, as an example of ‘emergent health data,’ it gives “health information inferred from non-health-related data points,” such as location and recent purchases.
The actual definition would state that PHR identifiable information is information:
- That is provided by or on behalf of the individual;
- That identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual;
- That relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and
- That is created or received by a health care provider, health plan (as defined in 42 U.S.C. 1320(d)(5)), employer, or health care clearinghouse (as defined in 42 U.S.C. 1320(d)(2)).
The definition of “personal health record” would also be revised to require that there be the “technical capacity to draw information from multiple sources.” Both versions of the Rule define the term as “an electronic record of PHR identifiable health information … that is managed, shared, and controlled by or primarily for the individual.” The difference is that in the current version the PHR identifiable health information “can be drawn from multiple sources,” whereas the revised version would require that the underlying technical capacity actually be present.
BREACHES OF SECURITY AND UNAUTHORIZED DISCLOSURES
The FTC is also seeking to broaden the definition of a “breach of security” under the revisions by adding that a breach would include “an unauthorized acquisition of unsecured PHR identifiable health information in a personal health record that occurs as a result of a data breach or an unauthorized disclosure.”
It has also stated that it intends such instances of data breaches and unauthorized disclosures to include voluntary disclosures “made by the PHR vendor or PHR related entities where such disclosure was not authorized by the consumer.” Its intentions here can be further seen from the enforcement actions taken against GoodRx and Easy Healthcare, as will be addressed further below.
Initial Rule
The above would build upon the initial definition of a breach as being, “the acquisition of unsecured PHR identifiable health information of an individual in a personal health record without the authorization of the individual.”
The Rule carries a rebuttable presumption of unauthorized acquisition of an individual’s data: the FTC states that an unauthorized acquisition will be presumed unless the entity that experienced the breach has “reliable evidence showing that there has not been or could not have reasonably been, unauthorized acquisition of such information.”
Policy Statement Clarifications
In the FTC’s Statement of the Commission on Breaches by Health Apps and Other Connected Devices, dated September 15, 2021, the Commission said that breaches were not “limited to cybersecurity intrusions or nefarious behavior.” Going further, it stated that incidents of unauthorized access included the “sharing of covered information without an individual’s authorization,” moving closer to the “unauthorized disclosure” language now being proposed. (The word ‘disclosure’ does not appear in the Statement.)
Enforcement Actions
The FTC brought its first enforcement action under the Health Breach Notification Rule in 2023 against GoodRx, a digital health company that sells products and services directly to consumers through the internet and its mobile applications. It alleged that as a vendor of personal health records, GoodRx disclosed unsecured PHR identifiable information to third party advertising platforms such as Facebook, without the authorization of its consumers, thereby violating the Rule.
The FTC states in its ‘Analysis’ of the proposed amendments that this action, along with the one directed against Easy Healthcare, makes clear that the Rule “covers unauthorized disclosures of consumers’ PHR identifiable information to third party companies.” The proposed changes to the Rule would further strengthen this position.
PROPOSED NOTICE REQUIREMENT REVISIONS
As is the case for many of the proposed amendments, the notice requirements would see a shift in emphasis to digital mediums.
Currently, vendors of personal health records and PHR related entities must provide written notice by first-class mail upon discovery of a breach of security, and may provide notice by email only in “limited circumstances.” The revisions would instead require notice at the “last known contact information of the individual and such written notice may be sent by electronic mail, if an individual has specified electronic mail as the primary contact method.”
Such email communications would be required to be “clear and conspicuous,” or in other words, according to the FTC’s Analysis, be “reasonably understandable and designed to call attention to the nature and significance of the information in the notice.”
The proposed changes in their entirety can be viewed via the Federal Register with the breach notification requirement covered in section 318.3, timeliness of notifications covered in section 318.4, methods of notice covered in 318.5 and the content of the notices covered in section 318.6. The FTC also provides proposed “exemplar notices,” or samples, that may be used, assuming the final version of the Rule does not make any changes.
The public comment period for the rule ended yesterday. As currently proposed, the amendments to the Rule would apply to breaches of security discovered on or after September 24, 2009.
Categories: DATA PROTECTION & PRIVACY, TELEHEALTH