On April 26, 2024, the Federal Trade Commission (FTC) announced that it had finalized changes to the Health Breach Notification Rule (HBNR). These changes, which go into effect on June 25, 2024, are intended to modernize aspects of the HBNR such that the HBNR applies to entities not covered under the Health Insurance Portability and Accountability Act (HIPAA). The updated HBNR follows the FTC’s previously stated intention in a 2021 policy statement to broaden the interpretation of the HBNR to address the growing number of digital health applications, websites, and consumer-facing technology that were not subject to HIPAA. The scope of the finalized rule therefore aims to apply the HBNR to health care technology and digital health companies that obtain personal health records (PHR) and PHR identifiable health information.

Overview of HBNR Changes

In broadening the reach of the HBNR, the FTC incorporated new definitions for “covered health care provider” and “health care services or supplies.” These new definitions apply the updated HBNR to any entity furnishing “any online service, such as a website, mobile application, or Internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.” The FTC also updated the existing HBNR definitions for “breach of security” and “PHR related entity” to specify that a breach of security encompasses any unauthorized disclosure or acquisition of PHR identifiable health information. Additionally, a PHR related entity is specifically defined as an entity accessing or sending unsecured PHR identifiable health information.

In addition to the new and amended definitions, the updated HBNR requires vendors of PHR and PHR related entities to notify the FTC, individuals, and the media in certain instances in which there has been a breach of security involving PHR identifiable health information. This notification requirement extends to third-party service providers, which may not be considered PHR related entities but are still required to notify PHR vendors and PHR related entities if they experience a breach of PHR identifiable health information. To ensure that the notice requirements are implemented appropriately, the updated HBNR also includes a requirement that vendors of PHR and PHR related entities notify third-party service providers of their status as entities subject to the updated HBNR.

Notices to individuals affected by a breach of security must include the name, identity, or description of any third parties that acquired unsecured PHR as a result of the breach of security. Notice may be sent via first-class mail or, if specified by an affected individual, “clear and conspicuous” electronic mail, with electronic mail defined as electronic mail in combination with another delivery method (e.g., text message, within-application messaging or an electronic banner). Covered health care providers must also notify the FTC at the same time notices are sent to affected individuals if the breach of security involves five hundred (500) or more individuals, and no later than sixty (60) calendar days after the discovery of the breach of security.

Key Takeaways

The definition and notice changes in the updated HBNR evidence the FTC’s intent to have the final rule cover internal and external breaches (intentional or otherwise) by non-HIPAA covered entities collecting, tracking, or recording PHR identifiable health information in any manner that goes beyond a purely informational function. Because of the broad scope of the changes involved, health care technology and digital health companies should assess whether they are subject to the updated HBNR. This determination should be based on a comprehensive review of their product offerings and functionality in addition to a detailed review of existing practices and standard operating procedures related to health information processing and handling, data privacy and security, and any associated breach response measures.

While there will not be active enforcement of the updated HBNR until it goes into effect, the FTC has become increasingly active in pursuing actions against health care technology and digital health companies. Specifically, the FTC has previously exercised enforcement under the HBNR against companies that have had unauthorized disclosures of collected PHR identifiable health information through their website functions and digital applications. In addition, because the scope of the notification requirements has also been extended under the updated HBNR, health care technology and digital health companies should ensure that they work with third-party service providers and PHR related entities that are able to meet the updated notice requirements in a timely and comprehensive manner.

If you have any questions regarding the content of this post, please contact the Privacy, Cybersecurity & Media and Health Care & Life Sciences attorneys at Vedder Price.