Legal Update

May 6, 2024

Keeping with the Times - FTC Expands Scope of Health Breach Notification Rule, Even as HHS Announces Its Own HIPAA Update


On April 26, 2024, the Federal Trade Commission (“FTC”) announced it had finalized changes to modernize the Health Breach Notification Rule (the “HBNR”) by clarifying its applicability to health and wellness apps and other similar technologies, and by expanding the information that entities subject to the HBNR (vendors of personal health records, PHR Related Entities and their third-party service providers) must provide to consumers when notifying them of a breach. Key changes include:

  • Revising the definition of “PHR identifiable health information” to underscore the HBNR’s applicability to health and wellness websites, apps, and other similar technologies as well as information inferred from non-health-related data;
  • Revising the definition of “Breach of Security” to include disclosures unauthorized by the consumer—such as a voluntary disclosure made by the PHR vendor if a consumer did not provide affirmative express consent to such disclosure;
  • Clarifying the scope of the term “PHR Related Entity” so that only entities that access or send unsecured PHR identifiable health information to a personal health record, rather than entities that access or send any information to a personal health record, qualify as PHR Related Entities;
  • Clarifying what it means for a personal health record to draw PHR identifiable health information from multiple sources;
  • Expanding the use of email and other electronic means as methods of providing clear and effective notice to consumers of a breach;
  • Expanding the content requirements of notice to consumers to include, among other things, the identity—or a description where providing the full name or identity would pose a risk to individuals or the entity providing notice—of any third parties who acquired unsecured PHR identifiable health information as a result of a breach;
  • Modifying the timing requirement for notifying the FTC of breaches involving 500 or more individuals, so that the FTC must be notified at the same time notices are sent to affected individuals, which must occur no later than 60 calendar days after discovery of the breach.

Although most digital health and wellness companies offer privacy protections in the terms and conditions for use of their products or services, many are not subject to the strict privacy and security regulations under the Health Insurance Portability and Accountability Act (“HIPAA”). This is because they are not “Covered Entities” under HIPAA: unlike most traditional health care providers, they do not submit electronic claims for insurance billing purposes. The HBNR fills that gap, and the FTC’s announcement signals its continued focus on protecting consumers’ sensitive health data amid the increasing use of health and wellness apps and connected devices.

Indeed, this is not the first time the FTC has cracked down on health and wellness apps for sharing consumers’ personal information and data. Specifically, the FTC has recently taken action against digital health and wellness companies for violating the HBNR, imposing civil penalties ranging from $100,000 to $1.5 million for their alleged unauthorized disclosure of consumers’ personal health information to companies such as Facebook and Google for advertising purposes.

The FTC’s announcement is also timely considering the U.S. Department of Health and Human Services (“HHS”) April 22, 2024, announcement of its final rule, HIPAA Privacy Rule to Support Reproductive Health Care Privacy, which aims to protect patient confidentiality and prevent medical records from being used against people for providing or obtaining “lawful reproductive health care.”

Based on the foregoing, and assuming the Final Rule survives any legal challenge, the modernized HBNR, which will go into effect 60 days after its publication in the Federal Register, means digital health and wellness companies will face even greater scrutiny from the FTC for sharing consumers’ personal information and data than they have experienced in the past. As such, digital health and wellness companies should work closely with health care and data privacy counsel to ensure compliance and avoid civil penalties that would harm both their finances and their goodwill.