FTC Amends Health Breach Notification Rule Seeking to Address Gaps in Coverage for Emerging Health Technologies 

On April 26, 2024, the Federal Trade Commission (“FTC”) announced that it had finalized amendments to its Health Breach Notification Rule (“HBNR” or “Rule”). The Rule requires vendors of personal health records (“PHRs”), PHR related entities and their third party service providers that are not subject to HIPAA to notify affected individuals, the FTC and, in some cases, the media of breaches of unsecured PHR identifiable health information.  

According to the FTC, the amendments: 

  1. Clarify the Rule’s scope, including its coverage of developers of many health applications (“apps”); 
  2. Clarify what it means for a vendor of personal health records to draw PHR identifiable information from multiple sources;
  3. Revise the definition of breach of security to clarify that a breach of security includes data security breaches and unauthorized disclosures;
  4. Revise the definition of PHR related entity;
  5. Modernize the method of notice; 
  6. Expand the content of the notice;
  7. Alter the Rule’s timing requirement for notifying the FTC of a breach of security; and 
  8. Improve the Rule’s readability by clarifying cross-references and adding statutory citations, consolidating notice and timing requirements, articulating the penalties for non-compliance, and incorporating a small number of non-substantive changes. 

REASONS FOR THE AMENDMENTS 

The FTC notes that since the Rule’s initial issuance, consumer use of health-related technologies has “increased significantly.” Providing some examples, the agency states that “apps and other direct-to-consumer technologies, such as fitness trackers and wearable blood pressure monitors have become commonplace.” 

Although the FTC had already asserted in its 2021 Policy Statement that the Rule “covers most health apps and similar technologies that are not covered by HIPAA,” it issued a Notice of Proposed Rulemaking (“NPRM”) in June 2023 to clarify which entities are covered and what types of breaches are subject to the Rule. The NPRM also proposed, among other things, modernizing the notice requirements.  

REVISED AND NEW DEFINITIONS 

Some noteworthy revised definitions are as follows:

PHR Identifiable Health Information

“PHR identifiable health information” now refers to information that:   

“(1) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual; and, 

(2) Is created or received by a: (i) covered health care provider; (ii) health plan (as defined in 42 U.S.C. 1320d(5)); (iii) employer; or (iv) health care clearinghouse (as defined in 42 U.S.C. 1320d(2)); and 

(3) with respect to an individual, includes information that is provided by or on behalf of the individual.” 

PHR Related Entity

A “PHR related entity” now refers to an entity, “other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that: 

  1. Offers products or services through the website, including any online service, of a vendor of personal health records; 
  2. Offers products or services through the websites, including any online service, of HIPAA-covered entities that offer individuals personal health records; or 
  3. Accesses unsecured PHR identifiable health information in a personal health record or sends unsecured PHR identifiable health information to a personal health record.”

Breach of Security

A “breach of security” now means, “with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual. Unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information unless the vendor of personal health records, PHR related entity, or third party service provider that experienced the breach has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information. A breach of security includes an unauthorized acquisition of unsecured PHR identifiable health information in a personal health record that occurs as a result of a data breach or an unauthorized disclosure.”

Health care services or supplies 

The term “health care services or supplies” means, “any online service such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.” 

REVISED NOTICE REQUIREMENTS 

The methods-of-notice section of the amended Rule now permits email. Section 318.4 states that “Written notice may be sent by electronic mail if the individual has specified electronic mail as the primary method of communication,” and requires that such notice be “Clear and Conspicuous.” 

REVISED TIMING REQUIREMENTS 

The FTC has adopted changes to the timing of notice to the FTC for breaches of security involving 500 or more individuals. The change “requires entities to notify the FTC consistent with the notice required by § 318.4(a) – i.e., without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security.  This change also requires that the notice to the FTC be sent at the same time as the notice to the individuals.” Previously, the Rule required notice to the FTC within ten business days of discovery for breaches of this size. Note that the 60-day period runs from discovery of the breach, not from confirmation of its scope, so an entity that delays notice while it investigates still bears the burden of showing the delay was not unreasonable. 

Categories: DATA PROTECTION & PRIVACY

Source: Digital Healthcare Law