On May 18, the Federal Trade Commission (FTC) proposed changes to the Health Breach Notification Rule (the HBNR or the Rule), including clarifying the rule’s applicability to health apps and other similar technologies. These proposed changes are looking to formally institutionalize the FTC’s broad interpretation of the Rule, as outlined in its 2021 policy statement.
Specifically, these proposed changes would significantly expand how the HBNR applies compared with the way many parties had previously understood the relevant legislation and the rule. These changes would both broaden the types of entities that are covered under the Rule (such as by applying to certain health apps that were not previously thought to be covered under the Rule) and expand the types of activities that trigger the Rule’s notification obligations (such as the unauthorized disclosure of certain health information to a third party without consumer consent). While these interpretations are consistent with both the FTC’s recent guidance and enforcement decisions, they are a new development that this proposed rule would now cement as a legal requirement. Companies potentially affected by this proposal should evaluate this additional breadth and coverage in the context of the original statutory authority and consider how best to respond during this comment period to these proposed changes.
These proposed changes also come on the heels of the FTC’s first two enforcement actions implicating the HBNR—first against digital health platform GoodRx in February 2023 and later against Easy Healthcare in May 2023 for its fertility-tracking app, Premom. Both cases involved the unauthorized disclosure of users’ personally identifiable health information for advertising purposes, which (as discussed above) the FTC now considers to be a security breach under its broadened interpretation of the Rule.
Additionally, the FTC’s proposed changes to the HBNR are part of a series of actions that the agency has taken to show that it is particularly concerned about protecting what it deems to be “sensitive” categories of data. In addition to its recent enforcement actions involving health data, the FTC has recently announced two enforcement actions against companies for processing children’s data in violation of the Children’s Online Privacy Protection Act. It also issued guidance in May about the increased risks associated with processing biometric information, indicating that the agency is paying attention to this issue as well. Companies that process these more sensitive categories of data in the ordinary course of business should be aware that the FTC is paying close attention and should ensure that their privacy practices are consistent with the agency’s recent guidance and enforcement actions.
We have summarized the key proposed changes to the Rule below and are happy to answer any questions you may have.
Broadening the Scope of the Rule
The proposed changes would add “health care provider” and “health care services or supplies” to the definition of “PHR [personal health record] identifiable information.” Under the proposed changes, “health care provider” would be defined as “a provider of medical or other health services, or any other entity furnishing health care services or supplies.”
“Health care services or supplies” would also have an updated definition to include “any online service, such as a website, mobile application, or Internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.” This definition explicitly includes online services and encompasses wellness services, such as fitness, sleep and diet.
Many health apps and similar technologies are not covered by HIPAA, but this clarified scope of the Rule would cover such companies. Companies that offer wellness-related services that might not have been traditionally viewed as health or medical issues should also note that this clarified scope intends to cover them—a product branded as a “wellness” product (rather than a “health” product) might still be subject to the HBNR obligations under these proposed changes.
The proposed changes to the Rule would also broaden its scope by revising the definition of a “PHR-related entity.” While the current Rule covers websites of PHR vendors, the proposed change would also include any online service, including mobile applications. This change reflects the FTC’s understanding that consumers increasingly use mobile applications to access their health information online.
The proposed changes would also clarify that only entities that access or send unsecured PHR identifiable health information are considered PHR-related entities, in the agency’s attempt to narrow the scope of entities under this definition. To avoid conflicting obligations as a result of this new definition, the agency also seeks to clarify that a third-party service provider is not considered a PHR-related entity when it accesses unsecured PHR health information in the course of providing services.
Companies should consider deidentifying health information before sharing it with any third-party service providers, since deidentification would render the data no longer PHR identifiable health information subject to the Rule.
Expanding the Definition of a Security Breach
Under the changes, the Rule would also update the definition of security breach to cover unauthorized acquisition of PHR identifiable health information that occurs as a result of a data security breach or unauthorized disclosure.
The current Rule defines a security breach as “the acquisition of unsecured PHR identifiable health information of an individual in a personal health record without the authorization of the individual” and includes a rebuttable presumption for unauthorized access to an individual’s data. The new definition would include “an unauthorized acquisition of unsecured PHR identifiable health information in a personal health record that occurs as a result of a data breach or an unauthorized disclosure” (emphasis added). The new definition would make evident that unauthorized acquisition of identifiable health information that occurs as a result of a breach or unauthorized disclosure would be covered under the Rule.
Companies sharing information with third parties should ensure that such disclosures were authorized by the customer. Under the new definition, a voluntary disclosure made by a PHR vendor without authorization from the consumer would explicitly qualify as a security breach, consistent with recent FTC actions such as in the GoodRx and Easy Healthcare cases.
Clarifying How a Company Can Draw PHR-Related Information From Multiple Sources
Under the current Rule, a PHR is defined as an electronic record of PHR identifiable information that can be drawn from multiple sources. The revised definition would define PHR as an electronic record of PHR identifiable information that has the technical capacity to draw information from multiple sources (emphasis added). This definition makes clear that a product is a PHR if it has the capacity to draw information from multiple sources, regardless of whether those features are actually used or enabled. For example, if an app allows users to input their health information manually and has the ability to sync with a wearable fitness device, it may be a PHR, even if some users choose not to sync their wearable device with the app.
In light of this proposed change, companies should look at the technical capacity of their products and services rather than at customers’ use of certain functions or features in determining whether their product or service is a PHR that is potentially subject to the Rule.
Modernizing Notice Methods
The FTC, in recognizing changing patterns in how consumers interact with online technologies, also proposes allowing for electronic notice in additional circumstances by adjusting the language about methods of notice to allow for clear and conspicuous electronic notices.
Under the new Rule, electronic notice would mean email in combination with at least one of the following: text messaging, within-application messaging or an electronic banner. The addition of the second prong to an email notice is intended to increase the likelihood of consumers encountering the breach notification.
Expanding Notice Content
Under the proposed changes, consumers whose unsecured PHR identifiable information has been breached would receive additional information about the security breach. The proposed rule makes five changes:
First, in their notice about the breach, companies would also be required to include a brief description of the potential harm that may result from the breach to make clear for consumers what harms may flow from the breach of their information. For the FTC, demonstrating consumer harm is an element of bringing an action for unfair practices under Section 5 of the FTC Act. The agency has recently brought increased enforcement actions under the unfair practices prong of its authority. This proposed change of having companies notify customers of harm could make it easier for the FTC to set forth unfair practices claims for data breaches.
The proposed changes also include an amendment requiring that the notice include the full name, website and contact information of any third parties that acquired unsecured PHR identifiable health information as a result of a security breach, when this information is known to the vendor of PHRs or a PHR-related entity.
Companies are currently mandated to include in their notices a description of the types of unsecured PHR identifiable health information that could have been involved in the breach. The current Rule sets forth examples of such information, such as full name, date of birth, Social Security number, account number or disability code. Under the proposed changes, this list would be expanded to include other types of PHR identifiable health information, such as health diagnosis or condition information, lab results, medications, other treatment information, the user’s use of a health-related mobile application, and device identifier. The FTC notes that the exposure of health information can lead to a variety of harms; for instance, even the disclosure of an individual’s use of a health-related mobile application could lead to injuries including embarrassment, social stigma, more expensive health insurance premiums and even loss of employment. Companies that experience a security breach should think carefully about what type of health information may have been exposed, because the agency is signaling a broad interpretation of what PHR identifiable health information entails.
The final proposed change to the Rule requires companies to provide at least two contact procedures so individuals can learn more about the breach.