Regulatory/FDA

FTC Revised Health Breach Notification Rule Goes into Effect

Agencies with healthcare clients in pharmaceuticals, healthcare services, digital health apps, or health-related connected devices such as wearables should take note that the Federal Trade Commission (FTC) final rule updating its Health Breach Notification Rule (HBNR) that took effect on July 29, 2024. The FTC considers a breach to include a covered entity’s unauthorized disclosure of personal health records to third party advertising networks and technology platforms like Facebook and Google for targeted advertising. The final rule contains multiple revised definitions to clarify the rule’s applicability to health connected devices and specifies new requirements with the timeframe for issuing breach notifications.

Why It Matters: The final rule comes as business practices and technological developments increase both the amount of health data collected from consumers and potential business incentives for companies to use or disclose potentially sensitive health data for marketing and other purposes. Protecting the privacy and security of personal health data is a high priority for the FTC, which has brought several cases in recent years involving the misuse of consumers personal health data, including two enforcement actions that allege HBNR violations.

Who Should Care: Agencies with healthcare clients in pharmaceuticals, healthcare services, digital health apps, or health-related connected devices such as wearables should take note.

The final rule definitions also now encompass health apps and other technologies not covered by the Health Insurance Portability and Accountability Act (HIPAA). It also specifies what the FTC considers a breach of security, new requirements for the content of breach notifications, changes to the timeframe for issuing notifications, and an expansion of the permitted methods for notifying consumers.

The final Health Breach Notification Rule now applies to covered entities who handle personal health records (PHRs) and related entities, such as healthcare marketing agencies and communications companies – or what the healthcare marketing industry has referred to as ‘HIPAA adjacent’ entities – requiring them to notify individuals in the event of a breach of unsecured personally identifiable health data. In the event of a breach of covered data at a third party that provides services to vendors of PHRs or PHR-related entities, agencies are required to notify the PHR vendor or PHR-related entity in the event of a breach. While the Health Breach Notification Rule has been in effect since 2009, the FTC has only recently started enforcing compliance, such as were GoodRx, BetterHelp, Premom and Flo Health.  See FTC’s enforcement summary in 4A’s-CHC Navigating the Health Data Privacy Landscape: A Guide for Agencies (Section 1B, pp. 20-23).

The key changes implemented by the final HBNR are:

  • Modifying the definition of “PHR identifiable health information” and adding two new definitions for “covered health care provider” and “health care services or supplies.” These changes make the Health Breach Notification Rule applicable to health apps and similar technologies not covered by HIPAA.
  • Clarifying “breach of security,” means “an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure.”
  • Revising the definition of “PHR-related entity” to include “entities that offer products and services through the online services, including mobile applications, of vendors of personal health records,” and that “only entities that access or send unsecured PHR identifiable health information to a personal health record – rather than entities that access or send any information to a personal health record – qualify as PHR related entities.”
  • Updating the required content of consumer notifications to require third parties that acquired unsecured PHR identifiable health information as a result of a breach of security to be named and expanding the means of providing clear and effective consumer notifications to include email and other electronic means of communication.
  • Modifying requirements for notifying the FTC about a breach of security. In the event of a breach of 500 or more records, the FTC must be notified at the same time as issuing consumer notifications. Those notifications, like those required by the HIPAA Breach Notification Rule, must be issued without undue delay and no later than 60 days from the discovery of a breach of security.

For questions about the FTC’s Health Breach Notification Rule and how it impacts healthcare marketing agencies, please contact Jim Potter, CHC Executive Director, at jpotter@cohealthcom.org.