Regulatory/FDA

FTC Proposes Changes to Health Breach Notification Rule to Strengthen Health App Applicability

On May 18, 2023, the Federal Trade Commission (FTC) announced its intention to issue proposed amendments to the federal Health Breach Notification Rule (HBNR), with the goal of trying to improve patient privacy protections for Americans utilizing digital health apps.

The proposed rule was published in the Federal Register on May 22, 2023, opening a 60-day public comment period that concludes on August 22, 2023.

The proposed changes to the rule come as business practices and technological developments increase both the amount of health data collected from consumers, and potential business incentives for companies to use or disclose potentially sensitive health data for marketing and other purposes.

As it stands, the HBNR requires vendors of personal health records and other entities that are not already covered by HIPAA to notify individuals, the FTC, and in some cases the media of a breach of unsecured personally identifiable health information. The HBNR requires covered entities to provide consumer notifications within 60 days after the discovery of a breach. If more than 500 individuals are affected, covered entities must also notify the FTC within 10 business days. Companies that fail to comply with the Rule may be subject to monetary penalties of up to $43,792 per violation per day.

The proposed amendments to HBNR would include but are not limited to:

  • Revise several definitions to ensure the rule is applicable to non-HIPAA-covered health technologies that collect an individual’s health information.
  • Add two new definitions for healthcare providers and healthcare services or supplies.
  • Clarify what it means for a PHR to draw personal health data from multiple sources.
  • Establish PHR-related entities only as those “that access or send unsecured PHR identifiable health information to a personal health record.”
  • Clarify that a “breach of security” under the rule includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure.
  • Authorize the expanded use of email and other electronic means of providing clear and effective notice of a breach to consumers; and
  • Expand the required content that should be provided in the notice to consumers. For example, the notice would be required to include information about the potential harm stemming from the breach and the names of any third parties who might have acquired any unsecured personally identifiable health information.

In September 2021, the FTC issued a policy statement affirming that health apps and connected device companies are in fact subject to the HBNR. The policy statement raised considerations about what the FTC considers a data breach to be, what entities can be defined as healthcare providers under the HBNR, and how federal lawmakers can keep pace with a fast-moving tech industry that has disrupted how consumers manage their health.

As part of that policy statement rollout, the FTC publicized that it was concerned about the “commodification of sensitive health information” for advertising and analytics. “Given the growing prevalence of surveillance-based advertising, the commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk,” said FTC Chair Lina M. Khan at the time. “Business models that are based on monetizing people’s data can lead to situations where companies Americans are trusting with their sensitive data are then exposing that information for the sake of targeted advertising, analytics and engagement.”

Earlier this month, the FTC announced a proposed order settling allegations that fertility app Premom violated the HBNR. In February 2023, the FTC announced its first enforcement action under the HBNR against telehealth and prescription drug discount provider GoodRx Holdings Inc. The FTC says GoodRx and Premom each violated the rule by failing to notify users about the companies’ unauthorized disclosure of users’ personally identifiable health information to third parties for advertising purposes.