The Federal Trade Commission (FTC) issued a final rule on April 26, 2024 that updates its Health Breach Notification Rule (HBNR). The final rule definitions now encompass health apps and other technologies not covered by the Health Insurance Portability and Accountability Act (HIPAA). It also specifies what the FTC considers a breach of security, new requirements for the content of breach notifications, changes to the timeframe for issuing notifications, and an expansion of the permitted methods for notifying consumers.
The final Health Breach Notification Rule now applies to covered entities who handle personal health records (PHRs) and related entities, such as healthcare marketing agencies and communications companies – or what the healthcare marketing industry has referred to as ‘HIPAA adjacent’ entities – requiring them to notify individuals in the event of a breach of unsecured personally identifiable health data. In the event of a breach of covered data at a third party that provides services to vendors of PHRs or PHR-related entities, agencies are required to notify the PHR vendor or PHR-related entity in the event of a breach. While the Health Breach Notification Rule has been in effect since 2009, the FTC has only recently started enforcing compliance, such as were GoodRx, BetterHelp, Premom and Flo Health. See FTC’s enforcement summary in 4A’s-CHC Navigating the Health Data Privacy Landscape: A Guide for Agencies (Section 1B, pp. 20-23).
The key changes implemented by the final HBNR are:
- Modifying the definition of “PHR identifiable health information” and adding two new definitions for “covered health care provider” and “health care services or supplies.”These changes make the Health Breach Notification Rule applicable to health apps and similar technologies not covered by HIPAA.
- Clarifying “breach of security,” means “an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure.”
- Revising the definition of “PHR-related entity” to include “entities that offer products and services through the online services, including mobile applications, of vendors of personal health records,” and that “only entities that access or send unsecured PHR identifiable health information to a personal health record – rather than entities that access or send any information to a personal health record – qualify as PHR related entities.”
- Updating the required content of consumer notifications to require third parties that acquired unsecured PHR identifiable health information as a result of a breach of security to be named, and expanding the means of providing clear and effective consumer notifications to include email and other electronic means of communication.
- Modifying requirements for notifying the FTC about a breach of security. In the event of a breach of 500 or more records, the FTC must be notified at the same time as issuing consumer notifications. Those notifications, like those required by the HIPAA Breach Notification Rule, must be issued without undue delay and no later than 60 days from the discovery of a breach of security.
The final rule did not have universal support within the FTC and was only narrowly passed along party lines with a vote of 3-2 in favor. Commissioners Melissa Holyoak and Andrew Ferguson voted against the update. Commissioners Holyoak and Ferguson issued a statement about the reason why they did not vote in favor of the final rule. They explained that they felt the final rule “exceeds the Commission’s statutory authority, puts companies at risk of perpetual noncompliance, and opens the Commission to legal challenge that could undermine its institutional integrity.”
The two Commissioners explained that “PHR identifiable health information” means “individually identifiable health information,” and individually identifiable health information is “information created or received by a healthcare provider, health plan, or healthcare clearinghouse.” Commissioners Holyoak and Ferguson have an issue with the FTC’s interpretation of “covered healthcare providers” and “healthcare services and supplies,” which they believe are capricious. They said the adopted definitions are not consistent with the statute that gave rise to the Health Breach Notification Rule, and the joint effect is “to sweep a large swath of apps and app developers under the purview of the Final Rule.”
The FTC received some 120 comments on its Notice of Proposed Rulemaking (NPRM) in May 2023. The final rule takes effect 60 days after publication in the Federal Register.
For questions about the FTC’s Health Breach Notification Rule and how it impacts healthcare marketing agencies, please contact Jim Potter, CHC Executive Director, at jpotter@cohealthcom.org.