The
FTC’s Health Breach Notification Rule (HBNR) was
originally adopted in 2009 and applies to entities that handle personal health records (PHR), records that are not Protected Health Information (PHI) covered by the Health Insurance Portability and Accountability Act (
HIPAA).
The FTC has updated its HBNR to clarify that the rule also restricts marketing practices involving personal health information. This update to the HBNR was announced on April 26, 2024, and follows several recent enforcement actions by the FTC regarding consumer’s online health information.
As originally drafted, the HBNR required vendors of personal health records to notify individuals and the FTC when there was a breach of personally identifiable health information.
The updated rule makes it clear that the HBNR applies to personal health information in health apps, fitness trackers, and other wearable devices, as well as applying to online services that collect health care data, and any vendors that access that data. It requires these “covered health care providers” to inform affected individuals who their data was shared with. Regarding these provisions, Sam Levine, the director of the FTC’s Bureau of Consumer Protection, said “With the increasing use of health apps and connected devices, the updated HBNR will ensure it keeps pace with changes in the health marketplace,” said Sam Levine.
Revised HBNR definitions “underscore the final rule’s application to health apps and similar technologies not covered by HIPAA,” the FTC said. These changes include a modified definition of “PHR identifiable health information” and two new definitions for “covered health care provider” and “health care services or supplies.” The final rule also expands the required information that companies must give in their notice to consumers, such as the name of third parties that acquired unsecured PHR identifiable health information through a breach of security. The updated rule also clarifies that “breach of security” includes an unauthorized acquisition of identifiable health information due to a data-security breach or unauthorized disclosure.
Under new HBNR timing requirements, covered entities must notify the FTC at the same time they send notices to affected individuals, if more than 500 individuals were affected. The covered health care provider must issue the notification “without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security,” the FTC says.
Given these updated rules, companies using non-HIPAA consumer health information should expect close scrutiny and aggressive enforcement in the health data privacy space from the FTC in the coming months and years.
