It was Shakespeare who said, “Once more unto the breach.”  The FTC’s goal is never more unto the breach, but until companies keep health data secure and private, we’ll continue to update and enforce the Health Breach Notification Rule to protect consumers and keep up with the digital revolution in health information.  Benefited by insights from researchers, industry members, legislators, and consumers who responded to our call for public comments, the FTC just finished a head-to-toe HBNR check-up.  The just-announced Final Rule makes it clear that health apps and similar technologies are covered and expands what covered entities must tell consumers if there’s been a breach of their data. How will the new rule affect your business?

HIPAA – HHS’ Health Insurance Portability and Accountability Act – addresses privacy and security for most doctors’ offices, hospitals, and insurance companies.  But with advances in monitoring and technology, a lot of health-related information doesn’t fall within HIPAA.  That’s where the FTC’s Health Breach Notification Rule comes in.  Since the FTC announced the Rule in 2009, vendors of personal health records (PHR) – a phrase the Rule defines – and related entities not covered by HIPAA must notify individuals, the FTC, and, in certain cases, the media if there’s been a breach of unsecured personally identifiable health data.  The Rule also requires third party service providers to vendors of PHRs and related entities to notify those vendors and related entities following the discovery of a breach.  You’ll want to read the Federal Register Notice for specifics about what’s new, but here are some notable takeaways from the Final Rule:

1.  The Rule applies to health apps and similar technologies not covered by HIPAA.  The FTC underscored that point by modifying the definition of “PHR identifiable health information” and adding definitions for “covered health care provider” and “health care services or supplies.”  That shouldn’t come as a surprise to businesses familiar with the FTC’s 2021 Statement of the Commission on Breaches by Health Apps and Other Connected Devices, recent FTC actions enforcing the Rule, and the 2023 Notice of Proposed Rulemaking.
2.  The definition of “breach of security” includes both data security breaches and unauthorized disclosures.  Here’s how the Final Rule puts it: “A breach of security includes an unauthorized acquisition of unsecured PHR identifiable health information in a personal health record that occurs as a result of a data breach or an unauthorized disclosure.”  Recent FTC settlements with GoodRx and Easy Healthcare for failing to report that they shared consumers’ health data with advertising platforms in violation of their privacy promises illustrate that point, too.
3.  The revised definition of “PHR related entity” establishes that the Rule applies to entities that offer products and services through online services of vendors of personal health records, including mobile apps.  To make that clear, the Final Rule updates the phrase “Web sites” to read “websites, including any online service.”  Two reasons support this change: 1) adding online services is a more realistic reflection of the current marketplace; and 2) “Web sites” is so 2009.  The “PHR related entity” definition also updates “accesses information” to read “accesses unsecured PHR identifiable information.”
4.  In the definition of “personal health record,” the technical capacity to draw information from multiple sources matters.  The definition of “personal health record” originally referred to identifiable health information about a person that “can be drawn from multiple sources.”  The new Rule substitutes the phrase “has the technical capacity to draw information from multiple sources.”
5.  The Final Rule expands the use of electronic notice to consumers.  The Rule retains the long-standing requirement that a vendor of personal health records or a PHR related entity that discovers a breach of security must notify the individual promptly.  Although notice by first-class mail is still OK in certain instances, the new focus is on email in combination with other forms of electronic notice like text messages or in-app messaging.
6.  Notices to consumers must include more information and must be “clear and conspicuous” and “reasonably understandable.”  Under the Final Rule, in most cases, the notice must tell people the identity of any third parties that acquired unsecured PHR identifiable health information as a result of the breach.  In addition, the notice must describe the types of health information the breach involved (for example, a health diagnosis or condition, lab results, medications, other treatment information, and their use of a health-related app).  What’s more, the Final Rule doesn’t just require that the notice is “clear and conspicuous” and “reasonably understandable.”  It offers detailed guidance on what entities should do to achieve that result.  For example, consider using short explanatory sentences or bullet lists, plain-language headings, an easy-to-read typeface, wide margins, and ample spacing.  Things to avoid: legal or highly technical terminology, multiple negatives, and imprecise explanations.  Check out the appendices for sample text messages, in-app messages, web banners, and email notices.  (By the way, even if the HBNR doesn’t apply to your business, the Rule’s practical approach to the “clear and conspicuous” standard offers insights for all companies.)
7.  Covered entities must move quickly to notify consumers – and the FTC – about breaches involving 500 or more people.  For breaches involving 500 or more people, covered entities must notify the FTC at the same time they send notices to affected individuals.  That must be “without unreasonable delay” and in no case later than 60 calendar days after the discovery of a breach of security.  For breaches involving fewer than 500 people, covered entities must notify the FTC annually and no later than 60 calendar days following the end of the year.  However, the notice to affected individuals must still occur “without unreasonable delay” and in no case later than 60 calendar days after the discovery of a breach of security.
8.  The Final Rule adds cross-references, citations, and more information about penalties for non-compliance.  A violation of the HBNR will be treated as a violation of a rule under section 18 of the FTC Act regarding unfair or deceptive acts or practices.  That means violations are subject to civil penalties.

The updated Health Breach Notification Rule goes into effect 60 days after it appears in the Federal Register.  Follow the Business Blog for the effective date.  Until then, the 2009 Rule continues to apply.  Have a breach to report to the FTC under the 2009 Rule or after the Final Rule amendments go live?  Use this form.