The Federal Trade Commission seeks to clarify how the Health Breach Notification Rule applies to health records collected by health apps and similar consumer health technologies.
On May 18, 2023, the Federal Trade Commission ("FTC") announced a Notice of Proposed Rulemaking ("Proposed Update") to amend the Health Breach Notification Rule ("HBNR"). The FTC seeks to amend the HBNR to clarify its application to health apps, fitness trackers, and other similar direct-to-consumer health technologies. The HBNR requires certain companies not covered by the Health Insurance Portability and Accountability Act ("HIPAA") that access personal health records to notify consumers and the FTC when there is a breach of that data.
According to the FTC, these amendments are needed due to the increased amount of health data collected from consumers and new technological developments and business practices (e.g., use of third-party tracking technologies for marketing). Health apps, fitness watches, and other direct-to-consumer health technologies have become more common since the rule's issuance. In its Open Committee Meeting on May 18, 2023, the FTC underscored the importance of the HBNR in safeguarding the sensitive personal information collected by these consumer health technologies. Companies are likely to see the amendments to the HBNR result in stepped-up enforcement.
The FTC is seeking comment on a number of specific proposed changes within the Proposed Update, including:
- Revising definitions to clarify the rule's application to health apps and other direct-to-consumer health technologies not covered by HIPAA.
- Clarifying that a security breach includes "an unauthorized acquisition" of identifiable health information that results from a disclosure without consumer consent.
- Proposing the use of email and other electronic means to provide notice of a breach to consumers.
- Expanding what information companies need to include in notices to consumers.
The deadline for submitting comments will be 60 days after the notice is published in the Federal Register.