DataBreaches.Net

FTC Finalizes Changes to the Health Breach Notification Rule

Posted on April 26, 2024 by Dissent

The Federal Trade Commission today announced it has finalized changes to the Health Breach Notification Rule (HBNR) that will strengthen and modernize the rule by clarifying its applicability to health apps and other similar technologies and expanding the information that covered entities must provide to consumers when notifying them of a breach of their health data.

The HBNR requires vendors of personal health records (PHR) and related entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third party service providers to vendors of PHRs and PHR related entities to notify such vendors and PHR related entities following the discovery of a breach.

“Protecting consumers’ sensitive health data is a high priority for the FTC,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “With the increasing use of health apps and connected devices, the updated HBNR will ensure it keeps pace with changes in the health marketplace.”

In May 2023, the FTC sought comment on proposed changes to the HBNR. After receiving approximately 120 comments from a broad range of individuals and stakeholders, the Commission has finalized changes to the rule, including:

  • Revising definitions: The Commission revised several definitions to underscore the final rule’s application to health apps and similar technologies not covered by HIPAA. This includes modifying the definition of “PHR identifiable health information” and adding two new definitions for “covered health care provider” and “health care services or supplies”;
  • Clarifying breach of security: It clarifies that a “breach of security” under the final rule includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;
  • Revising definition of PHR related entity: The definition of “PHR related entity” has been revised in two ways that pertain to the rule’s scope. The revised definition makes clear that the final rule covers entities that offer products and services through the online services, including mobile applications, of vendors of personal health records. It also makes clear that only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities;
  • Clarifying multiple sources of PHR identifiable health information: The final rule clarifies what it means for a personal health record to draw PHR identifiable health information from multiple sources;
  • Expanding use of electronic notification: The final rule authorizes the expanded use of email and other electronic means of providing clear and effective notice to consumers of a breach;
  • Expanding consumer notice content: The final rule expands the required content that must be provided in the notice to consumers. For example, the notice would be required to include the name or identity (or, where providing the full name or identity would pose a risk to individuals or the entity providing notice, a description) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security;
  • Changing timing requirement: The final rule modifies when the FTC must be notified under the rule. For breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they send notices to affected individuals, which must occur without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security; and
  • Improving readability: The final rule also includes changes to improve the rule’s readability and promote compliance.

The final rule will go into effect 60 days after its publication in the Federal Register.

In addition to amending the HBNR, the FTC has recently taken action against companies for violating the HBNR, including GoodRx and Easy Healthcare (publisher of the Premom app).

The Commission voted 3-2 to approve the publication of the final rule in the Federal Register with Commissioners Melissa Holyoak and Andrew N. Ferguson voting no. Chair Lina M. Khan along with Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya issued a separate statement, while Commissioner Holyoak, joined by Commissioner Ferguson, issued a dissenting statement.

The lead staffers who worked on this rule include Ryan Mehm and Ronnie Solomon with the FTC’s Bureau of Consumer Protection.

The Federal Trade Commission works to promote competition and protect and educate consumers. The FTC will never demand money, make threats, tell you to transfer money, or promise you a prize. Learn more about consumer topics at consumer.ftc.gov, or report fraud, scams, and bad business practices at ReportFraud.ftc.gov. Follow the FTC on social media, read consumer alerts and the business blog, and sign up to get the latest FTC news and alerts.

Source: FTC

Category: Breach Laws, Federal, Health Data, Legislation, Of Note, U.S.
