On April 26, 2024, the Federal Trade Commission (FTC) announced changes to its Health Breach Notification Rule, 16 CFR Part 318 (HBNR). The final rule takes effect 60 days after its publication in the Federal Register (the pre-publication version is available at https://www.ftc.gov/system/files/ftc_gov/pdf/hbnr_final_rule_04_25.pdf).
The HBNR originated in Section 13407 of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5 (2009), which, in the FTC's words, “created certain protections for ‘personal health records' or ‘PHRs,' electronic records of PHR identifiable health information on an individual that can be drawn from multiple sources and that are managed, shared, and controlled by or primarily for the individual.” Notably, the HBNR applies to persons outside the umbrella of the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191 (1996) (HIPAA), and it is broader in scope in that it reaches consumers' PHRs, whereas HIPAA governs patients' protected health information held by covered entities and their business associates. The initial HBNR (the “2009 Final Rule”), 74 Fed. Reg. 42962 (Aug. 25, 2009), was published in the Federal Register on August 25, 2009, and became effective February 22, 2010. It applied only to breaches of unsecured PHR identifiable health information and did not apply to covered entities or business associates as defined by HIPAA.
Although the HBNR has been in effect since February 2010, the FTC's first enforcement actions under it did not occur until 2023. The first involved the digital health company GoodRx Holdings, Inc. (United States v. GoodRx Holdings, Inc., No. 23-cv-460 [N.D. Cal. Feb. 17, 2023]). The second involved “Premom,” an ovulation tracking app developed by Easy Healthcare Corp. (United States v. Easy Healthcare Corp., No. 1:23-cv-3107 [N.D. Ill. June 22, 2023]).
The purpose of this article is to highlight some of the key changes to the HBNR, since consumer privacy and security, especially in relation to health records, will remain a top FTC enforcement priority.
Highlights
In the FTC's April 26, 2024, press release, “FTC Finalizes Changes to the Health Breach Notification Rule – Final Rule Underscores Its Application to Health Apps and Similar Technologies Not Covered by HIPAA” (https://www.ftc.gov/news-events/news/press-releases/2024/04/ftc-finalizes-changes-health-breach-notification-rule), the FTC specifically highlighted the following items:
• Revising Definitions: The Commission revised several definitions to underscore the final rule's application to health apps and similar technologies not covered by HIPAA. This includes modifying the definition of “PHR identifiable health information” and adding two new definitions for “covered healthcare provider” and “healthcare services or supplies.”
• Clarifying Breach of Security: It clarifies that a “breach of security” under the final rule includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure.
• Revising Definition of PHR Related Entity: The definition of “PHR related entity” has been revised in two ways that pertain to the rule's scope. The revised definition makes clear that the final rule covers entities that offer products and services through the online services, including mobile applications, of vendors of personal health records. It also makes clear that only entities that access or send unsecured PHR identifiable health information to a personal health record—rather than entities that access or send any information to a personal health record—qualify as PHR related entities.
• Clarifying Multiple Sources of PHR Identifiable Health Information: The final rule clarifies what it means for a personal health record to draw PHR identifiable health information from multiple sources.
• Expanding Use of Electronic Notification: The final rule authorizes the expanded use of email and other electronic means of providing clear and effective notice to consumers of a breach.
• Expanding Consumer Notice Content: The final rule expands the required content that must be provided in the notice to consumers. For example, the notice would be required to include the name or identity (or, where providing the full name or identity would pose a risk to individuals or the entity providing notice, a description) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security.
• Changing Timing Requirement: The final rule modifies when the FTC must be notified under the rule. For breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they send notices to affected individuals, which must occur without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security.
• Improving Readability: The final rule also includes changes to improve the rule's readability and promote compliance.
Table 1 provides specifics of the FTC's aforementioned highlights.
Table 1
FTC Highlighted Changes to Health Breach Notification Rule
Item / New Language or Modifications

PHR Identifiable Health Information
16 CFR 318.2(i) – Means information that (1) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of healthcare to an individual, or the past, present, or future payment for the provision of healthcare to an individual; and (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual; and (2) Is created or received by a: (i) covered healthcare provider; (ii) health plan (as defined in 42 U.S.C. 1320d(5)); (iii) employer; or (iv) healthcare clearinghouse (as defined in 42 U.S.C. 1320d(2)); and (3) With respect to an individual, includes information that is provided by or on behalf of the individual.

Covered Healthcare Provider
16 CFR 318.2(f) – Means a provider of services (as defined in 42 U.S.C. 1395x(u)), a provider of medical or other health services (as defined in 42 U.S.C. 1395x(s)), or any other entity furnishing healthcare services or supplies (p. 98 of unpublished Final Rule).
As stated in the Final Rule, “The Commission is modifying the proposed definition of ‘healthcare provider' to ‘covered healthcare provider' to distinguish that term from interpretations of the term ‘healthcare provider' in other contexts, which may be more limited in scope. As commentators requested, the Commission affirms that its definition of ‘covered healthcare provider' is unique to the Rule; it does not bear on the meaning of ‘healthcare provider' as used in other regulations enforced by other government agencies” (p. 26 of unpublished Final Rule).

Healthcare Services or Supplies
16 CFR 318.2(e) – Means any online service such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools (p. 98 of the unpublished Final Rule).

Third Party Service Provider
16 CFR 318.2(l) – Means an entity that: (1) Provides services to a vendor of personal health records in connection with the offering or maintenance of a personal health record or to a PHR related entity in connection with a product or service offered by that entity; and (2) Accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information as a result of such services.

Breach of Security
16 CFR 318.2(a) – Means, with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual. Unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information unless the vendor of personal health records, PHR related entity, or third party service provider that experienced the breach has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information. A breach of security includes an unauthorized acquisition of unsecured PHR identifiable health information in a personal health record that occurs as a result of a data breach or an unauthorized disclosure.

PHR Related Entity
16 CFR 318.2(j) – Means an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that: (1) Offers products or services through the website, including any online service, of a vendor of personal health records; (2) Offers products or services through the websites, including any online service, of HIPAA-covered entities that offer individuals personal health records; or (3) Accesses unsecured PHR identifiable health information in a personal health record or sends unsecured PHR identifiable health information to a personal health record (p. 100 of unpublished Final Rule).

Drawing PHR Identifiable Information From Multiple Sources
(No rule text is reproduced for this item.)

Vendor of Personal Health Records
16 CFR 318.2 (definition of “vendor of personal health records”) – Means an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a personal health record.

Expanding the Use of Electronic Notification of a Consumer Breach
16 CFR 318.5 (Methods of notice) – This section is lengthy and is not reproduced here; it must be read in full to determine which notice methods are permitted in a given situation.

Expanding Breach Notice Content
16 CFR 318.3 (Breach notification requirement) – This section is lengthy and must be read together with §318.4 (Timeliness of notification), §318.5 (Methods of notice), and §318.6 (Content of notice).

Reporting Requirement Change
16 CFR 318.4(a) In general. Except as provided in paragraph (d) of this section (Law enforcement exception), all notifications required under §318.3(a)(1) (required notice to individuals), §318.3(b) (required notice by third party service providers), and §318.3(a)(3) (required notice to media) shall be sent without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security.
NOTE: For breaches involving fewer than 500 individuals, “All logged notifications required under §318.5(c) (Notice to FTC) involving the unsecured PHR identifiable health information of fewer than 500 individuals may be sent annually to the Federal Trade Commission no later than 60 calendar days following the end of the calendar year.”
To keep notices digestible for consumers, the rule defines the standard at 16 CFR 318.2(c): “Clear and conspicuous means that notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice” (p. 96 of unpublished Final Rule). Section 318.2(c) goes on, in its subsections, to define what “reasonably understandable,” “designed to call attention,” and “notice” mean.
Finally, for the purposes of this article, under 16 CFR 318.2(m) “unsecured” means PHR identifiable health information that is not protected through the use of a technology or methodology specified by the Secretary of Health and Human Services in the guidance issued under section 13402(h)(2) of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. 17932(h)(2). In practice, that HHS guidance recognizes only two ways to render data secured: encryption consistent with the NIST publications the guidance cites, and destruction (for example, media sanitization consistent with NIST SP 800-88). Access controls alone do not make data “secured,” and the guidance treats encryption as protective only where the decryption key has not itself been compromised, so a breach that exposes both ciphertext and key remains a breach of unsecured information.
In light of these changes, any person who falls within the scope of the definitions discussed above should take immediate steps to assess its current compliance program, including training, policies, and procedures, as well as its consumer-facing language, consent language, and contractual language. Failing to do so may lead to fines and penalties from the FTC, and other government agencies may become involved.
Conclusion
It has never been riskier to take a lackadaisical approach to privacy and security, especially in relation to individuals and their health information as defined in either the HBNR or HIPAA. Appreciating the enhanced requirements now can avert financial, legal, and reputational harm in the long run.
Rachel V. Rose, JD, MBA
Rachel V. Rose, JD, MBA, has a unique background, having worked in many different facets of healthcare throughout her career, including: work in acute care hospitals, including the operating room and dietary department; consultative work as a top-performing representative for the pharmaceutical and medical device industry; work for the Chairman of the Reform and Oversight Committee on Capitol Hill; an internship at the Department of Health and Human Services; and compiling policy papers at the Royal College of Nursing in London. She has worked on Wall Street and at one of the Big Four consulting firms.