FTC's Final Health Breach Notification Rule: Expanded Scope, New Obligations, and Modified Reporting Requirements

The Federal Trade Commission ("FTC") intends to "strengthen and modernize" the Health Breach Notification Rule with revamped and increased scrutiny on entities holding health information, including health apps, websites, and other direct-to-consumer services.

The FTC recently announced a final rule amending its Health Breach Notification Rule ("HBNR") to explicitly extend to health apps, websites, and other direct-to-consumer services holding certain health information. The HBNR requires regulated entities to notify consumers, the FTC, and, in some cases, the media of a "breach" of unsecured personally identifiable health information ("IHI") that is in a personal health record ("PHR"). The original HBNR became effective in 2009 and was enforced for the first time in 2023. With the new final rule, the FTC intends to "strengthen and modernize" the HBNR with revamped and increased scrutiny on entities holding health information. The final rule will take effect on July 29, 2024.  

Key updates include:  

Regulated Entities, Technology, and Breaches  

Regulated Entities. The FTC clarified the HBNR's application to certain "online service[s] such as a website, mobile application, or internet-connected device[.]" As a result, health apps, fitness trackers, and similar direct-to-consumer services may fall squarely within the HBNR's scope. The HBNR still does not apply to entities covered under the Health Insurance Portability and Accountability Act.

Technology. The FTC expanded the scope of the records and sources considered a PHR and explained that a PHR need only have the "technical capacity" to draw from multiple sources, even if it does not actually draw from them.

Breach. The FTC clarified that "breaches" are not limited to cyberattacks and intrusions but extend to a "company's intentional but unauthorized disclosure[.]" Therefore, an entity's intentional sharing of such information—for example, with advertising vendors—could constitute a breach.  

Breach Notifications 

Timing Flexibility. The final rule extended the notification deadline for breaches involving 500 or more individuals. Previously, entities had 10 business days to notify the FTC; they may now notify the FTC at the same time as they notify affected individuals, no later than 60 calendar days after discovery of the breach.

Content of Notice. The FTC expanded the information required in a breach notice to include, to the extent possible:  

  • The name or identity of third parties that acquired covered information as a result of a breach; 
  • Descriptions of the types of covered information that were impacted by the breach; and 
  • Descriptions of the regulated entity's efforts to protect individuals.  

The new HBNR and the FTC's recent HBNR enforcement activity are yet another indication of the trend toward increasing regulation of entities holding health information, also evident in the plethora of new state privacy laws that are emerging. To reduce legal risk, health apps, websites, and direct-to-consumer services should consider:  

  • Conducting data inventories to confirm the type of health information they hold;
  • Mapping disclosures to third parties to confirm compliance with internal policies as well as compliance with applicable laws, including the revised HBNR; and
  • Updating breach response protocols to align with the revised notification requirements.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.