FTC Finalizes Changes to the Health Breach Notification Rule

The Federal Trade Commission today announced it has finalized changes to the Health Breach Notification Rule (HBNR) that will strengthen and modernize the rule by clarifying its applicability to health apps and other similar technologies and expanding the information that covered entities must provide to consumers when notifying them of a breach of their health data.

The HBNR requires vendors of personal health records (PHR) and related entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third party service providers to vendors of PHRs and PHR related entities to notify such vendors and PHR related entities following the discovery of a breach.

“Protecting consumers’ sensitive health data is a high priority for the FTC,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “With the increasing use of health apps and connected devices, the updated HBNR will ensure it keeps pace with changes in the health marketplace.”

In May 2023, the FTC sought comment on proposed changes to the HBNR. After receiving approximately 120 comments from a broad range of individuals and stakeholders, the Commission has finalized changes to the rule, including:

• Revising definitions: The Commission revised several definitions to underscore the final rule’s application to health apps and similar technologies not covered by HIPAA. This includes modifying the definition of “PHR identifiable health information” and adding two new definitions for “covered health care provider” and “health care services or supplies”;
• Clarifying breach of security: It clarifies that a “breach of security” under the final rule includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;
• Revising definition of PHR related entity: The definition of “PHR related entity” has been revised in two ways that pertain to the rule’s scope. The revised definition makes clear that the final rule covers entities that offer products and services through the online services, including mobile applications, of vendors of personal health records. It also makes clear that only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities;
• Clarifying multiple sources of PHR identifiable health information: The final rule clarifies what it means for a personal health record to draw PHR identifiable health information from multiple sources;
• Expanding use of electronic notification: The final rule authorizes the expanded use of email and other electronic means of providing clear and effective notice to consumers of a breach;
• Expanding consumer notice content: The final rule expands the required content that must be provided in the notice to consumers. For example, the notice would be required to include the name or identity (or, where providing the full name or identity would pose a risk to individuals or the entity providing notice, a description) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security;
• Changing timing requirement: The final rule modifies when the FTC must be notified under the rule. For breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they send notices to affected individuals, which must occur without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security; and
• Improving readability: The final rule also includes changes to improve the rule’s readability and promote compliance.

The final rule will go into effect 60 days after its publication in the Federal Register.

In addition to amending the HBNR, the FTC has recently taken action against companies for violating the HBNR, including GoodRx and Easy Healthcare (publisher of the Premom app).

The Commission voted 3-2 to approve the publication of the final rule in the Federal Register with Commissioners Melissa Holyoak and Andrew N. Ferguson voting no. Chair Lina M. Khan along with Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya issued a separate statement, while Commissioner Holyoak, joined by Commissioner Ferguson, issued a dissenting statement.

The lead staffers who worked on this rule include Ryan Mehm and Ronnie Solomon with the FTC’s Bureau of Consumer Protection.