In 2009, the Federal Trade Commission (FTC) implemented the Health Breach Notification Rule (HBNR), to provide security protection for consumer digital health information. The Rule was instituted to fill a regulatory void. Digital health information, to the extent that it is protected health information under HIPAA, is required to be protected by covered entities and business associates.
Prior to the implementation of the HBNR, consumers whose digital health information was stored in personal health records by vendors and third-party apps that were neither HIPAA covered entities nor business associates, were left without regulatory protection. The HBNR was implemented to regulate the use and storage of digital health information by such vendors and apps. The HBNR requires, among other things, that regulated entities notify affected consumers of breaches of their digital health information.
Since 2009, digital health platforms have grown more complex. Many of these platforms are used on smartphones, and many use technologies, such as user tracking, that did not exist in 2009. The 2009 HBNR definitions of regulated technologies do not cover these newer forms.
To fill the regulatory gap left by this innovation, the FTC revised the Health Breach Notification Rule in April of 2024. This article discusses key changes made to the HBNR. The revised Health Breach Notification Rule became effective on July 29, 2024.
What Are the Highlights of the Revised Health Breach Notification Rule?
The revised Health Breach Notification Rule contains several key changes to the initial rule. These include, per an FTC press release:
Revising Definitions
The FTC has revised several definitions, to make clear that health apps and similar technologies not covered by HIPAA are now covered by the revised Health Breach Notification Rule. These revisions include a modified definition of “PHR identifiable health information” and two new definitions for “covered health care provider” and “health care services or supplies.”
- A “personal health record (PHR)” is an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual.
- “PHR identifiable health information” is the HBNR equivalent of the definition of individually identifiable health information (IIHI) under HIPAA. PHR identifiable health information relates to someone’s health – is created or received by a covered health care provider, employer, health plan, or healthcare clearinghouse.
- A “covered health care provider” is a provider of medical or other health services, or any other entity furnishing healthcare services or supplies.
- “Healthcare services or supplies” are “any online service such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.”
Clarifying “Breach of Security”
Under the revised Health Breach Notification Rule, a “breach of security” includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure. Under the original rule, a breach of security was defined simply as an unauthorized acquisition that occurs as a result of a breach. Now, breaches include unauthorized disclosures of identifiable health information in a PHR, in addition to data breaches.
This means that the new rule prohibits activities that the original rule did not – most notably, the new rule prohibits mobile app developers from intentionally sharing involving exfiltration of consumers’ data. An example of an unauthorized disclosure is a company’s unauthorized sharing or selling of consumers’ information to third parties that is inconsistent with the company’s representations to consumers. This revision will allow the HBNR to more squarely apply to mobile app developers that intentionally share data in violation of the developer’s privacy policies and other promises to its users.
Revising the Definition of “PHR Related Entity”
Now, a “PHR related entity” includes an entity that offers products and services through a PHR vendor’s online services (including mobile apps). The revised definition also makes clear that only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities.
The Revised Health Breach Notification Rule: Changes Beyond Changed Definitions
The revised Health Breach Notification Rule includes the following additional changes:
- The revised Health Breach Notification Rule authorizes the expanded use of email and other electronic means of providing clear and effective notice to consumers of a breach.
- The revised Health Breach Notification Rule expands the required content that must be provided in the notice of breach (by vendors of PHR and by PHR related entities) to consumers. For example, the notice is now required to include the name or identity (or, where providing the full name or identity would pose a risk to individuals or the entity providing notice, a description) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security.
- The revised Health Breach Notification Rule provides that, for breaches of security involving 500 or more people, regulated entities must notify the FTC at the same time they send notices to affected individuals. This notification must be provided without unreasonable delay, and in no case later than 60 calendar days after the discovery of a breach of security.
