Coming Soon to a Federal Register Near You: Changes to the FTC’s Health Breach Notification Rule

Practice Management

On April 26, 2024, the Federal Trade Commission (FTC) announced changes to its Health Breach Notification Rule, 16 CFR Part 318 (HBNR). The effective date is 60 days after publication in the Federal Register (the pre-publication version is available at https://www.ftc.gov/system/files/ftc_gov/pdf/hbnr_final_rule_04_25.pdf).


Initially promulgated as a result of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5 (2009), Section 13407 “created certain protections for ‘personal health records' or ‘PHRs,' electronic records of PHR identifiable health information on an individual that can be drawn from multiple sources and that are managed, shared, and controlled by or primarily for the individual.” Notably, the HBNR applies to persons not under the umbrella of the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191 (1996) (HIPAA), and it is broader in scope because it covers consumers' PHRs, whereas HIPAA covers patients' protected health information. The initial HBNR (“2009 Final Rule”) was published in the Federal Register on August 25, 2009, and became effective February 22, 2010. 74 Fed. Reg. 42962 (Aug. 25, 2009). It applies only to breaches of unsecured health information and does not apply to covered entities or business associates as defined by HIPAA.


Although the HBNR has been in effect since February 2010, the FTC's initial enforcement actions did not occur until 2023. The first enforcement action involved the digital health company GoodRx Holdings, Inc. (United States v. GoodRx Holdings, Inc., No. 23-cv-460 [N.D. Cal. Feb. 17, 2023]). The second involved “Premom,” an ovulation tracking app developed by Easy Healthcare, Inc. (United States v. Easy Healthcare Corp., No. 1:23-cv-3107 [N.D. Ill. June 22, 2023]).


The purpose of this article is to highlight some of the key aspects of the changes to the HBNR, as consumer privacy and security, especially in relation to health records, will remain a top enforcement priority.


Highlights


In the FTC's April 26, 2024, press release, “FTC Finalizes Changes to the Health Breach Notification Rule – Final Rule Underscores Its Application to Health Apps and Similar Technologies Not Covered by HIPAA” (https://www.ftc.gov/news-events/news/press-releases/2024/04/ftc-finalizes-changes-health-breach-notification-rule), the FTC specifically highlighted the following items:

• Revising Definitions: The Commission revised several definitions to underscore the final rule's application to health apps and similar technologies not covered by HIPAA. This includes modifying the definition of “PHR identifiable health information” and adding two new definitions for “covered healthcare provider” and “healthcare services or supplies.”

• Clarifying Breach of Security: It clarifies that a “breach of security” under the final rule includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure.

• Revising Definition of PHR Related Entity: The definition of “PHR related entity” has been revised in two ways that pertain to the rule's scope. The revised definition makes clear that the final rule covers entities that offer products and services through the online services, including mobile applications, of vendors of personal health records. It also makes clear that only entities that access or send unsecured PHR identifiable health information to a personal health record—rather than entities that access or send any information to a personal health record—qualify as PHR related entities.

• Clarifying Multiple Sources of PHR Identifiable Health Information: The final rule clarifies what it means for a personal health record to draw PHR identifiable health information from multiple sources.

• Expanding Use of Electronic Notification: The final rule authorizes the expanded use of email and other electronic means of providing clear and effective notice to consumers of a breach.

• Expanding Consumer Notice Content: The final rule expands the required content that must be provided in the notice to consumers. For example, the notice would be required to include the name or identity (or, where providing the full name or identity would pose a risk to individuals or the entity providing notice, a description) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security.

• Changing Timing Requirement: The final rule modifies when the FTC must be notified under the rule. For breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they send notices to affected individuals, which must occur without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security.

• Improving Readability: The final rule also includes changes to improve the rule's readability and promote compliance.


Table 1 provides specifics of the FTC's aforementioned highlights.

Table 1. FTC Highlighted Changes to Health Breach Notification Rule

Each entry below lists the item, followed by the new language or modifications.

PHR Identifiable Health Information

16 CFR 318.2(i) – Means information that (1) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of healthcare to an individual, or the past, present, or future payment for the provision of healthcare to an individual; and (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual; and (2) Is created or received by a: (i) covered healthcare provider; (ii) health plan (as defined in 42 U.S.C. 1320d(5)); (iii) employer; or (iv) healthcare clearinghouse (as defined in 42 U.S.C. 1320d(2)); and (3) With respect to an individual, includes information that is provided by or on behalf of the individual.


Covered Healthcare Provider

16 CFR 318.2(f) – Means a provider of services (as defined in 42 U.S.C. 1395x(u)), a provider of medical or other health services (as defined in 42 U.S.C. 1395x(s)), or any other entity furnishing healthcare services or supplies (p. 98 of unpublished Final Rule).

As stated in the Final Rule, “The Commission is modifying the proposed definition of ‘healthcare provider' to ‘covered healthcare provider' to distinguish that term from interpretations of the term ‘healthcare provider' in other contexts, which may be more limited in scope. As commentators requested, the Commission affirms that its definition of ‘covered healthcare provider' is unique to the Rule; it does not bear on the meaning of ‘healthcare provider' as used in other regulations enforced by other government agencies” (p. 26 of unpublished Final Rule).

Healthcare Services or Supplies

16 CFR 318.2(e) - Means any online service such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools (p. 98 of the unpublished Final Rule).

Third Party Service Provider

16 CFR 318.2(l) – Means an entity that: (1) Provides services to a vendor of personal health records in connection with the offering or maintenance of a personal health record or to a PHR related entity in connection with a product or service offered by that entity; and (2) Accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable information as a result of such services.

Breach of Security

16 CFR 318.2(a) – Means, with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual. Unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information unless the vendor of personal health records, PHR related entity, or third party service provider that experienced the breach has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information. A breach of security includes an unauthorized acquisition of unsecured PHR identifiable health information in a personal health record that occurs as a result of a data breach or an unauthorized disclosure.

PHR Related Entity

16 CFR 318.2(j) – Means an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business of a HIPAA-covered entity, that: (1) Offers products or services through the website, including any online service, of a vendor of personal health records; (2) Offers products or services through the websites, including any online service, of HIPAA-covered entities that offer individuals personal health records; or (3) Accesses unsecured PHR identifiable health information in a personal health record or sends unsecured PHR identifiable health information to a personal health record (p. 100 of unpublished Final Rule).

Drawing PHR Identifiable Information From Multiple Sources


Vendor of Personal Health Records

16 CFR 318.2(j) – Means an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a personal health record.

Expanding the Use of Electronic Notification of a Consumer Breach

16 CFR 318.5 – This section is lengthy and needs to be parsed out.

Expanding Breach Notice Content

16 CFR 318.3. This section is lengthy and relates to §318.4 (Timeliness of notification), §318.5 (Methods of notice), and §318.6 (Content of notice).

Reporting Requirement Change

16 CFR § 318.4(a) In general. Except as provided in paragraph (d) of this section (Law enforcement exception), all notifications required under §318.3(a)(1) (required notice to individuals), § 318.3(b) (required notice by third party service providers), and § 318.3(a)(3) (required notice to media) shall be sent without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security.

NOTE: For breaches of less than 500 individuals, “All logged notifications required under §318.5(c) (Notice to FTC) involving the unsecured PHR identifiable health information of fewer than 500 individuals may be sent annually to the Federal Trade Commission no later than 60 calendar days following the end of the calendar year.”
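The timing rules quoted in the table (and in the “Changing Timing Requirement” highlight) are easy to misapply under incident pressure, so here is an added Python helper, not part of the article or the FTC's materials, that turns a discovery date and an affected-individual count into outer-limit notification dates. It assumes discovery dates are handled as ISO strings and treats the 60-day limits and the 500-individual threshold exactly as the article states them; the sample discovery date is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Rules as quoted in the article (revised HBNR):
#   §318.4(a): individual notice without unreasonable delay and in no case
#              later than 60 calendar days after discovery of the breach.
#   FTC notice: 500 or more individuals -> at the same time as individual
#              notice; fewer than 500 -> may be logged and sent annually,
#              no later than 60 calendar days after the calendar year ends.
OUTER_LIMIT_DAYS = 60
FTC_SIMULTANEOUS_THRESHOLD = 500


@dataclass(frozen=True)
class HbnrDeadlines:
    individual_notice_by: date   # outer limit; "without unreasonable delay" may require sooner
    ftc_notice_by: date
    ftc_notice_simultaneous: bool


def hbnr_deadlines(discovery: date, affected_individuals: int) -> HbnrDeadlines:
    """Compute the latest permissible notification dates for one breach."""
    if affected_individuals < 0:
        raise ValueError("affected_individuals must be non-negative")
    individual_by = discovery + timedelta(days=OUTER_LIMIT_DAYS)
    if affected_individuals >= FTC_SIMULTANEOUS_THRESHOLD:
        # Large breach: FTC notice goes out with the individual notices.
        return HbnrDeadlines(individual_by, individual_by, True)
    # Small breach: annual log, due 60 days after the end of the discovery year
    # (lands on March 1, or February 29 when the following year is a leap year).
    year_end = date(discovery.year, 12, 31)
    return HbnrDeadlines(individual_by, year_end + timedelta(days=OUTER_LIMIT_DAYS), False)


def hbnr_deadlines_iso(discovery_iso: str, affected_individuals: int) -> dict:
    """Same computation with ISO-8601 strings in and out, for logs and tickets."""
    d = hbnr_deadlines(date.fromisoformat(discovery_iso), affected_individuals)
    return {
        "individual_notice_by": d.individual_notice_by.isoformat(),
        "ftc_notice_by": d.ftc_notice_by.isoformat(),
        "ftc_notice_simultaneous": d.ftc_notice_simultaneous,
    }


def days_remaining(deadline_iso: str, today_iso: str) -> int:
    """Days left before a deadline; negative means it has already passed."""
    return (date.fromisoformat(deadline_iso) - date.fromisoformat(today_iso)).days


if __name__ == "__main__":
    # Constructed sample incident: discovered 2024-03-10 (not a real breach).
    for count in (1200, 120):
        print(count, hbnr_deadlines_iso("2024-03-10", count))
```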


To make the notice digestible for consumers, 16 CFR 318.2(c) provides that “Clear and conspicuous means that notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice” (p. 96 of unpublished Final Rule). Section 318.2(c) further explains in subsequent subsections what “reasonably understandable,” “designed to call attention,” and “notice” mean.

Finally, for the purposes of this article, under 16 CFR 318.2(m), “unsecured” means PHR identifiable information that is not protected through the use of a technology or methodology specified by the Secretary of Health and Human Services in the guidance issued under section 13402(h)(2) of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. 17932(h)(2).

In light of these changes, any person who falls within the scope of the definitions mentioned supra should take immediate steps to assess its current compliance program, including training, policies and procedures, outward-facing language to consumers, consent language, and contractual language. Failing to do so may lead to increased fines and penalties from the FTC and any other government agencies that may become involved.

Conclusion


It has never been riskier to take a lackadaisical approach to privacy and security, especially in relation to individuals and their health information, as defined in either the HBNR or HIPAA. Appreciating the enhanced requirements now can save potential financial, legal, and reputational harm in the long run.


Rachel V. Rose, JD, MBA


Rachel V. Rose, JD, MBA, has a unique background, having worked in many different facets of healthcare throughout her career, including: work in acute care hospitals, including the operating room and dietary department; consultative work as a top-performing representative for the pharmaceutical and medical device industry; work for the Chairman of the Reform and Oversight Committee on Capitol Hill; an internship at the Department of Health and Human Services; and compiling policy papers at the Royal College of Nursing in London. She has worked on Wall Street and at one of the Big Four consulting firms.

Principal at Rachel V. Rose - Attorney at Law, PLLC
Houston, TX