FTC finalizes updates to Health Breach Notification Rule

The FTC underscored the Health Breach Notification Rule's applicability to health apps and emerging technologies outside the scope of HIPAA.

By Jill McKeon

The Federal Trade Commission (FTC) finalized updates to its Health Breach Notification Rule (HBNR) with the goal of clarifying the rule’s applicability to health apps and other technologies that fall outside HIPAA’s purview.

The FTC issued the HBNR more than a decade ago, when health apps were not as embedded into the US healthcare landscape as they are now. The HBNR requires vendors of personal health records (PHRs), PHR-related entities, and third-party service providers that are not subject to HIPAA to notify the FTC and impacted individuals in the event of a health data breach.

In September 2021, the FTC issued a policy statement confirming that health apps and connected device companies are subject to the HBNR. The policy statement yielded questions about the FTC’s definition of a breach and how the FTC defines healthcare providers under the HBNR.

In May 2023, the FTC proposed changes to the HBNR to clarify the rule’s coverage of health apps and other emerging tech, yielding public comments from 120 stakeholders. The FTC considered these comments in its final rule, which will go into effect 60 days after it is published in the Federal Register.

The final rule contains multiple revised definitions to clarify the rule’s applicability to health apps and affirm what constitutes a breach of security. For example, the FTC revised its definition of a “PHR related entity” to clarify that the rule “covers entities that offer products and services through the online services, including mobile applications, of vendors of personal health records.”

“It also makes clear that only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities,” the FTC stated.

Additionally, the final rule affirmed that its definition of a “breach of security” includes the unauthorized acquisition of identifiable health information that results from a data security breach.

The final rule also included updates to improve the rule’s readability and authorize covered entities to expand their use of email and other electronic means to provide breach notifications to consumers.

While covered entities will now be permitted to leverage more electronic resources to notify consumers, they will also have to expand the content of their breach notices to provide further transparency to consumers. Under the final rule, notices are required to include the name or identity of any third parties that acquired unsecured PHRs as a result of the breach.

What’s more, entities must now notify the FTC of any breach involving 500 or more individuals at the same time they send notices to impacted individuals, no later than 60 calendar days after discovery. Prior to this final rule, entities were required to notify the FTC within 10 business days.

The FTC voted 3-2 to approve the final rule and emphasized its recent actions against companies such as GoodRx and Easy Healthcare for violating the HBNR.

“Protecting consumers’ sensitive health data is a high priority for the FTC,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a press release.

“With the increasing use of health apps and connected devices, the updated HBNR will ensure it keeps pace with changes in the health marketplace.”