Changes to the Health Breach Notification Rule Include Regulations for Health Apps

Written by: Margaret Young Levi and Casey Parker-Bell (Wyatt Summer Associate)

Vendors who maintain personal health records will soon be subject to amended rules for notifying customers of data breaches. The Federal Trade Commission (“FTC”) has issued a Final Rule, finalizing changes to the Health Breach Notification Rule (“HBNR”) first issued in 2009 (the “2009 Rule”). The Final Rule clarifies the HBNR’s application to apps and other new technologies in the healthcare industry.

New technologies, like fitness trackers and other direct-to-consumer health tech and wearable apps, have increased the amount of health data collected from consumers. There is a growing concern that some companies are disclosing or selling individuals’ personal health data for marketing and other purposes while not subject to protections under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). “We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The proposed amendments to the new rule will allow it to keep up with marketplace trends, and respond to development and changes in technology.” The FTC has announced this Final Rule to address these new technologies.

The Final Rule’s Changes to the HBNR

The HBNR requires vendors of personal health records (“PHRs”) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured PHR identifiable health information. The HBNR also requires third-party service providers of personal health records to provide notifications. After seeking comments on proposed changes to better protect consumers who use PHRs, the FTC finalized the following changes to the HBNR:

  • Revised Definitions Clarify What Entities Are Covered. New and amended definitions clarify the HBNR’s application to health apps and similar technologies that are not covered by HIPAA. New definitions include “health care provider” and “health care services or supplies.” The latter is a broad catchall for any online service, such as a website, or internet-connected device, that tracks diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, diet, genetic information, or that provides other health-related services or tools. The Final Rule also modifies the definition of “PHR identifiable health information.”
  • Clarifies “Breach of Security”. The FTC makes clear that a “breach of security” includes an unauthorized acquisition of PHR identifiable health information that occurs as a result of a data security breach or unauthorized disclosure. While the FTC declined to define “authorization” or to impose an express consent requirement, it did highlight that a voluntary disclosure by the PHR vendor or PHR related entity (such as a sharing or selling of consumer information to third parties) would be a breach of security if such disclosure was not authorized by the consumer or is inconsistent with the company’s representations to consumers.
  • Clarifies Definition of “PHR Related Entity.” The definition for “PHR Related Entity” has been amended to include entities that offer products and services online, including mobile apps. Additionally, it clarifies that only entities that access or send unsecured PHR identifiable health information to a PHR, rather than entities that access or send any information to a PHR, qualify as “PHR Related Entities”. For example, internet-connected devices like remote blood pressure cuffs, connected glucose monitors, or fitness trackers qualify as PHR Related Entities when individuals sync them to a PHR (e.g., health app). In contrast, a grocery delivery service that sends food purchase information to a diet and fitness app would not be a PHR Related Entity.
  • Clarifies What It Means for a PHR to Draw Information From Multiple Sources. The 2009 Rule defined “personal health record” as an “electronic record of PHR identifiable health information that can be drawn from multiple sources and is managed, shared, and controlled by or primarily for the individual.” (Emphasis added.) Under the Final Rule, the FTC changed the phrase “that can be drawn from multiple sources” to “has the technical capacity to draw information from multiple sources.” The FTC said this change clarifies that a product is a PHR if it can draw information from multiple sources even if the consumer elects to limit the information input to a single source. For example, a depression management app that accepts consumer inputs of mental health states and has the technical capacity to sync with a wearable sleep monitor is a PHR even if some consumers choose not to sync the app with a sleep monitor. In sum, under the HBNR a product must still draw PHR identifiable health information from at least one source to be a PHR.
  • Expanded Opportunity for Electronic Notice. Vendors of PHRs or PHR Related Entities that discover a breach of security must provide written notice at the last known contact information of the individual. Such written notice may be sent by electronic mail, if an individual has specified electronic mail as the primary contact method, or by first-class mail. This change comes after public comments that mailed notice is not consistent with how consumers interact with online technologies, and is slower and less effective than electronic notice.
  • Content of Breach Notices Expanded. Notices to consumers will require the disclosure of more information than under the 2009 Rule. The expansion includes naming the identity of the third party that acquired unsecured information in personal health records as a result of a breach, describing the type of information involved in the breach, and describing what actions the breaching entity is taking to protect the consumer. In addition, the notice must include two methods to contact the notifying entity.
  • Relaxed Timeline to Notify FTC of Breach. Also, in response to public comments, the Final Rule adjusts when the FTC must be notified of a breach. For breaches of 500 people or more, the 2009 Rule required entities to notify the FTC no later than ten (10) business days following the date of discovery of the breach. Recognizing that this timeline is not feasible for large, complex breaches, the Final Rule now requires that for breaches of 500 people or more, entities must notify the FTC at the same time they send notices to affected individuals. Notification to individuals must occur without unreasonable delay and no later than 60 days after discovery of the breach. This 60-day notification to individuals and the enforcement agency is consistent with the HIPAA Breach Rule.

The Final Rule is effective July 29, 2024, which is 60 days after its publication in the Federal Register.

FTC Health Breach Notification Rule Enforcement History

Just last year, the FTC penalized two different online entities using the Health Breach Notification Rule. In 2023, using the HBNR to assess a penalty for the first time ever, the FTC penalized GoodRx, a digital health platform offering prescription drug discounts, telehealth visits, and other health services. Personal health data, such as prescriptions and medical conditions, was being disclosed by GoodRx to Facebook, Google, and other companies for marketing purposes without authorization from consumers. The FTC entered into a settlement that imposed injunctive relief and required GoodRx to pay a $1.5 million civil penalty for its alleged violation.

Late last year, the FTC charged Easy Healthcare Corporation, the maker of the fertility app Premom, for sharing personal health data with third parties and for failing to notify consumers of the unauthorized disclosures. The FTC alleged that Easy Healthcare deceived users when it shared their sensitive personal information via third-party Software Development Kits from numerous third-party marketing and analytics firms including Google, AppsFlyer, and two China-based firms. The FTC entered into a settlement that imposed injunctive relief and required Easy Healthcare to pay a $100,000 civil penalty for its alleged violation.

If you are concerned about compliance with the Health Breach Notification Rule, we regularly work with clients and their marketing and IT teams to assist in preparing or updating applicable policies and procedures. Learn more about Wyatt’s data privacy and cyber security practice by visiting the Wyatt Data Privacy & Cyber Security webpage.