FTC Updates Health Breach Notification Rule to Cover Health Apps and Other Technologies

The Federal Trade Commission (FTC) has published a final rule that implements changes to its Health Breach Notification Rule. The final rule expands coverage to health apps and devices not covered by the HIPAA Rules to ensure that consumers are notified in the event of a breach of their health data.

The FTC’s Health Breach Notification Rule was introduced in 2009 to ensure that vendors of personal health records (PHR) notify consumers when there is a breach of unsecured personally identifiable health data, and for third-party service providers to vendors of PHRs and related entities to notify those vendors in the event of a data breach. While the rule has been effective for more than a decade, the FTC has only recently started enforcing the rule. Companies subject to enforcement actions for Health Breach Notification Rule compliance failures include GoodRx and Easy Healthcare (Premom). Any company that is required to comply with the rule that fails to issue notifications in the event of a breach is highly likely to be fined, and the penalties the FTC can impose for non-compliance are considerable.

Health apps and health and wellness trackers collect the personal and health data of consumers. If those apps and devices were provided by a HIPAA-covered entity, the information they collect would be classed as protected health information and breaches would be subject to the requirements of the HIPAA Breach Notification Rule; however, most health apps and health and wellness trackers are not subject to the HIPAA Rules, hence the need to issue an updated rule.

The FTC published a Notice of Proposed Rulemaking in May 2023 and has considered the comments it received when penning the final rule. The final rule did not receive total support, with the Commission voting 3-2 in favor of implementing the final rule. Commissioners Melissa Holyoak and Andrew N. Ferguson voted against the final rule.

The changes made to the Health Breach Notification Rule include:

  • Revised and new definitions – “PHR identifiable health information” has been revised, and new definitions have been added for “covered health care provider” and “health care services or supplies”. The definition of PHR-related entity has been revised to cover entities that offer products and services through the online services and mobile applications of vendors of personal health records
  • Clarifications – “Breach of security” is clarified to confirm that it covers data security breaches and unauthorized disclosures. The final rule makes clear that only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR-related entities. There is a clarification of what it means for a personal health record to draw PHR identifiable health information from multiple sources.
  • Changes to notifications – The FTC must now be notified of a breach at the same time as sending consumer notifications, which is without undue delay and within 60 days of the discovery of a breach. Notifications may be made via email and other electronic means. Consumers must be notified about the name of the entity, or a description of that entity in some circumstances, as well as any third parties that have received the data.

The final rule will take effect 60 days from publication in the Federal Register. The full text of the final rule can be found on the FTC website.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Download Free Checklist

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/