Shakespeare said, “Breaking through again.” The FTC’s goal is, of course, no breaches at all, but until companies ensure that health information is kept safe and private, we will continue to update and enforce the Health Breach Notification Rule (HBNR) to protect consumers and keep pace with the digitization of health information. Drawing on the insights of researchers, industry members, legislators, and consumers who responded to our call for public comment, the Federal Trade Commission has just completed a head-to-toe check-up of the HBNR. The just-announced final rule clarifies that health apps and similar technologies are covered and expands what covered entities must tell consumers in the event of a breach. How will the new rule affect your business?
HIPAA (the Health Insurance Portability and Accountability Act, administered by HHS) addresses privacy and security for most doctors’ offices, hospitals, and insurance companies. But with advances in technology and consumer health tracking, much health-related information no longer falls within HIPAA’s scope. That’s where the FTC’s Health Breach Notification Rule comes in. It requires vendors of personal health records (PHRs) and PHR-related entities to notify affected individuals, the FTC, and in some cases the media when unsecured PHR identifiable health information is compromised. The rule also requires third-party service providers to PHR vendors and PHR-related entities to notify those vendors and entities upon discovery of a breach.
You’ll need to read the Federal Register Notice for specific information about what’s new, but here are some noteworthy points from the final rule.
- The rule applies to health apps and similar technologies not covered by HIPAA. The FTC underscored this point by amending the definition of “PHR identifiable health information” and adding definitions of “covered health care provider” and “health care services or supplies.” This should come as no surprise to businesses familiar with the FTC’s 2021 Statement of the Commission on Breaches by Health Apps and Other Connected Devices, the FTC’s recent actions enforcing the rule, and its 2023 Notice of Proposed Rulemaking.
- The definition of “breach of security” covers both data security breaches and unauthorized disclosures. The final rule reads: “A breach of security includes unauthorized access to unsecured PHR identifiable health information in a personal health record that occurs as a result of a data breach or unauthorized disclosure.” This point is also illustrated by the FTC’s recent settlements with GoodRx and Easy Healthcare, both of which broke their privacy promises by sharing consumer health data with advertising platforms and failing to report it.
- The revised definition of “PHR related entity” makes clear that the rule applies to entities that offer products and services through a PHR vendor’s online services, including mobile applications. To drive the point home, the final rule changes the term “website” to “website, including any online service.” Two reasons support this change: adding “online service” more accurately reflects today’s market, and the original “website” language dates from 2009.
- The technical ability to draw information from multiple sources is now central to the definition of “personal health record.” A “personal health record” was originally defined as identifiable health information about a person that is “available from multiple sources.” The final rule replaces that phrase with “having the technical ability to obtain information from multiple sources.”
- The final rule expands the use of electronic notice to consumers. The rule keeps the long-standing requirement that a PHR vendor or PHR related entity that discovers a breach of security must promptly notify affected individuals. While notice by regular mail is still allowed in some cases, the new emphasis is on electronic notice, combining email with other electronic means such as text messages or in-app messages.
- Notices to consumers must contain additional information and must be “clear and conspicuous” and “reasonably understandable.” Under the final rule, in most cases the notice must tell people the identity of any third party that acquired unsecured PHR identifiable health information as a result of the breach. The notice must also describe the types of health information involved (for example, a health diagnosis or condition, lab results, medications, other treatment information, or the individual’s use of a health-related app). What’s more, the final rule goes beyond simply requiring that notices be “clear and conspicuous” and “reasonably understandable”: it offers concrete guidance on how to get there. For example, consider short explanatory sentences or bulleted lists, plain-language headings, easy-to-read fonts, wide margins, and ample spacing. Things to avoid: legal or technical jargon, multiple negatives, and imprecise explanations. Check out the appendix for sample text messages, in-app messages, web banners, and email notices. (By the way, even if the HBNR doesn’t apply to your business, the rule’s practical take on the “clear and conspicuous” standard offers insights for every company.)
- Covered entities must act quickly to notify consumers and the FTC about breaches involving 500 or more people. For breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they send notices to affected individuals. This must be done “without unreasonable delay” and in no case later than 60 calendar days after the breach of security is discovered. For breaches involving fewer than 500 people, covered entities may notify the FTC annually, no later than 60 calendar days after the end of the calendar year. Notice to affected individuals, however, must still go out “without unreasonable delay” and in no case later than 60 calendar days after the breach of security is discovered.
- The final rule adds cross-references, citations, and more detail about penalties for violations. A violation of the HBNR is treated as a violation of a rule regarding unfair or deceptive acts or practices issued under Section 18 of the FTC Act. That means violations can result in civil penalties.
The updated Health Breach Notification Rule takes effect 60 days after publication in the Federal Register. Watch the Business Blog for the effective date. Until then, the 2009 rule continues to apply. Need to report a breach to the FTC, whether under the 2009 rule or after the final rule amendments take effect? Use this form.