FTC Seeks to Update Health Breach Notification Rule to Clarify Health App Coverage

The Federal Trade Commission (FTC) proposed amendments to the Health Breach Notification Rule, aiming to enhance patient privacy protection for the millions of patients utilizing digital health apps.

By Sarai Rodriguez

The rapid growth of digital healthcare apps in the United States has brought both advantages and concerns regarding privacy and efficacy.

In response, the Federal Trade Commission (FTC) has invited public comment on proposed changes to the Health Breach Notification Rule (HBNR), clarifying the rule’s coverage of health apps and other emerging technology.

As it stands, the Health Breach Notification Rule requires vendors of personal health records and other entities that are not already covered by HIPAA to notify individuals, the FTC, and in some cases the media of a breach of unsecured personally identifiable health information.

In September 2021, the FTC issued a policy statement affirming that health apps and connected device companies are in fact subject to the HBNR. The policy statement raised considerations about what the FTC considers a data breach to be, what entities can be defined as healthcare providers under the HBNR, and how federal lawmakers can keep pace with the fast-moving tech industry which has disrupted how consumers manage their health.

After reviewing public comments stemming from the 2021 policy statement, the FTC has proposed the following changes:

  • Introducing new definitions to clarify the HBNR’s application to health apps. This involves modifying the definition of "PHR identifiable health information" and introducing new definitions for "health care provider" and "health care services or supplies."
  • Specifying that a "breach of security" includes unauthorized acquisition of identifiable health information resulting from a data security breach or unauthorized disclosure.
  • Modifying the definition of "PHR related entity" to align with the rule's scope, emphasizing that only entities accessing or sending unsecured PHR identifiable health information to a personal health record qualify.
  • Providing clarity on how a PHR collects personal health data from multiple sources.
  • Authorizing the use of email and other means to provide breach notices to consumers.
  • Improving the rule’s readability to promote compliance.

“We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information. When this information is breached, it is more vital than ever that mobile health app developers and others covered by the Health Breach Notification Rule provide consumers and the FTC with timely notice about what happened,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.

“The proposed amendments to the rule will allow it to keep up with marketplace trends and respond to developments and changes in technology.”

Once the notice is published in the Federal Register, the public will have a 60-day window to comment on the proposed rule changes.

Just one day before introducing its proposed rule, the FTC issued its second enforcement action ever under the HBNR against fertility app Premom and its parent company, Easy Healthcare. With this action, the FTC has established its commitment to enforcing the HBNR and ensuring that health apps understand their compliance obligations.