
What is the Health Breach Notification Rule, Who Does It Apply To?

The Federal Trade Commission’s Health Breach Notification Rule applies to vendors of personal health records, including health apps and other non-HIPAA-covered entities.


When faced with a data breach that compromises protected health information (PHI), HIPAA-covered entities must comply with the HIPAA Breach Notification Rule, which sets strict guidelines on when and how to notify patients of a breach.

But as the lines continue to blur between healthcare providers and tech companies that provide healthcare services, the Federal Trade Commission’s (FTC) Health Breach Notification Rule (HBNR) steps in to ensure that health data breaches do not fall through the cracks.

Issued more than a decade ago, the HBNR ensures that non-HIPAA-covered entities that maintain personal health records (PHRs) are held responsible for notifying consumers of a data breach. As virtual care and health apps continue to advance, the rule may undergo additional changes to ensure that consumers are promptly notified when their health data is at risk.

Below, HealthITSecurity will explore the HBNR as it stands now, and what organizations can do to ensure compliance as the FTC continues to focus its attention on HBNR enforcement actions and proposed amendments.

What Entity Types Does the HBNR Apply To?

The HBNR applies to three entity types: vendors of PHRs, PHR-related entities, and third-party service providers for vendors of PHRs or PHR-related entities. These entity types are not otherwise covered by HIPAA.

“Personal health record means an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual,” the rule text states.

The FTC’s example of a vendor of PHR is a health app that collects information from consumers and has the ability to sync with a consumer’s fitness tracker.

A PHR-related entity is considered as such if it interacts with a vendor of PHRs by offering products or services through the vendor’s website (even if that site is covered by HIPAA), or by sending information to a PHR, such as a company that operates a fitness tracker and sends information to health apps.

Lastly, a business is considered a third-party service provider if it “provides services to a vendor of personal health records in connection with the offering or maintenance of a personal health record or to a PHR related entity in connection with a product or service offered by that entity,” and if it “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information as a result of such services.”

For example, companies that provide billing or data storage services related to health information to a vendor of PHRs would be considered a third-party service provider.

The FTC’s definitions are fairly straightforward, but the steady rise in health apps and digital health companies necessitated clarification from the FTC on what it considers to be a covered entity under the HBNR.

In October 2021, the FTC issued a policy statement affirming that health apps and connected device companies that collect health information must comply with the HBNR, signaling to those companies that it would not shy away from issuing enforcement actions under the HBNR.

Compliance Obligations Under the HBNR

The HBNR requires that entities provide a data breach notice when “there has been an unauthorized acquisition of unsecured PHR identifiable health information.”

Like HIPAA, the FTC defines a data breach under the HBNR as not only a cybersecurity intrusion resulting from nefarious behavior but also incidents of unauthorized access and sharing information without an individual’s authorization.

It is important to note that a PHR only encompasses electronic records. If a breach occurs that only involves paper records, entities are not required to provide a notification to the FTC (although organizations should pay close attention to state laws).

Entities must notify the following groups of a breach involving unsecured personal health information according to the following timelines:

  • Impacted Individuals: Entities must notify impacted individuals of a breach within 60 days of discovery and “without unreasonable delay.”
  • The FTC: Entities must notify the FTC of a breach impacting more than 500 people within 10 business days, or as soon as possible. If the breach impacted fewer than 500 people, entities have 60 calendar days following the end of the calendar year in which the breach was discovered.
  • The Media: When 500 or more residents of a particular state or US territory are impacted by a breach, entities must provide prominent media outlets in the area with a breach notice within 60 days of discovery.

In addition, third-party service providers must notify contracted entities within 60 calendar days of discovering the breach and provide the client with a list of impacted individuals.

The FTC maintains numerous resources on how to notify impacted individuals, what information to include in the breach notice, and what to do in instances where a company may be subject to both the HHS and FTC Breach Notification Rules.

How the FTC Enforces the HBNR

“The FTC will treat each violation of the Rule as an unfair or deceptive act or practice in violation of a Federal Trade Commission regulation,” the FTC states. “Businesses that violate the Rule may be subject to a civil penalty of up to $50,120 per violation.”

That is the official stance on FTC enforcement of the HBNR, and it has been in effect since 2009. But the FTC only issued its first enforcement action under the rule in February 2023, when it imposed a $1.5 million civil penalty on telehealth company GoodRx.

The company allegedly leveraged third-party tracking pixels and “plug and play” software development kits from companies like Facebook and Google that supposedly gathered sensitive data and used it for advertising purposes, the FTC stated. The company also allegedly failed to notify consumers, the FTC, and the media of this unauthorized disclosure.

In May, the FTC also alleged that Easy Healthcare Corporation, the company that operates the Premom Ovulation Tracker app, violated the HBNR by failing to notify users that it had shared sensitive personal information with third parties.

Premom allegedly shared highly sensitive user data about users’ sexual and reproductive health and parental and pregnancy status with AppsFlyer and Google via the implementation of each company’s software development kit.

In both cases, the FTC prohibited the companies from sharing personal data with third parties without authorization and engaging in deceptive practices such as sharing health data for advertising purposes.

The nature of the FTC’s recent enforcement actions may provide clarity to organizations that are considering their compliance obligations or questioning what is considered a breach under the HBNR.

Future of the HBNR

In late May 2023, the FTC invited public comment on proposed changes to the HBNR that would clarify the rule’s coverage of health apps and other emerging technologies.

Specifically, the FTC proposed introducing a modified definition for “PHR identifiable information” and new definitions for “healthcare provider” and “healthcare services or supplies.”

The changes also included improving the rule’s readability and authorizing the expanded use of email for providing breach notices to consumers.

“We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information. When this information is breached, it is more vital than ever that mobile health app developers and others covered by the Health Breach Notification Rule provide consumers and the FTC with timely notice about what happened,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.

“The proposed amendments to the rule will allow it to keep up with marketplace trends, and respond to developments and changes in technology.”

If these changes are approved, health tech companies will ideally have more clarity on their compliance obligations under the HBNR. In the meantime, the FTC is expected to continue enforcing the rule and looking out for consumers whose data may be at risk. The FTC invites public comment on the rule until August 8, 2023.