From the FTC:
The Health Breach Notification Rule has been in place since 2009. Given the pace of innovation, that seems like a century in tech years. Since then, we’ve seen an explosion in the popularity of health apps, fitness trackers, and other health-related monitors. To keep up with technological developments and evolving business practices, the FTC is proposing changes to the Rule and welcomes your comments.
The Health Breach Notification Rule applies to certain businesses that aren’t covered by HIPAA – specifically, vendors of personal health records (PHR), PHR related entities, and third party service providers. When there’s been an unauthorized acquisition of a person’s unsecured, personally identifiable health information, PHR vendors and PHR related entities must (among other things) notify the FTC, consumers and, in some cases, the media. If your company is a third party service provider to a PHR vendor or a PHR related entity, you have notice requirements under the Rule, too. (Read Complying with FTC’s Health Breach Notification Rule for details.)
It’s worth noting that companies that violate the Rule may be liable for civil penalties of up to $50,120 per violation. For example, GoodRx recently paid a $1.5 million civil penalty for violating the Rule.As part of the FTC’s periodic regulatory review process, we asked for your feedback in 2020 about how the Health Breach Notification Rule is working. Based on your comments – and major developments in the health information ecosystem – the FTC is proposing changes to the Rule. You’ll want to read the Federal Register Notice for details, but here are some of the revisions under consideration:
- Revising some definitions to make it clear the Rule applies to health apps and similar technologies not covered by HIPAA;
- Clarifying that a “breach of security” under the Rule includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;
- Revising the definition of a “PHR related entity”;
- Clarifying what “drawn from multiple sources” means in the definition of “personal health record”;
- Authorizing the expanded use of email and other electronic means to provide consumers with clear and effective notice of a breach; and
- Expanding what needs to be in the notice to consumers – for example, requiring an explanation about the potential harm stemming from the breach and the names of any third parties that might have acquired the information.
The proposed Rule changes and recent law enforcement actions reflect the high priority the FTC places on protecting the privacy of consumers’ health information and letting consumers know what’s happening with their sensitive information. Once the Notice runs in the Federal Register, you’ll have 60 days to file a public comment. Save a step and file online through Regulations.gov.