Recently, the United States Federal Trade Commission (FTC) announced proposed amendments to modernize and strengthen the Health Breach Notification Rule. According to the FTC, the proposed changes would reinforce the rule’s applicability to health applications and other evolving technologies.
The Health Breach Notification Rule requires vendors of personal health records and related entities not covered by HIPAA to notify the FTC, the individuals, and in some cases even the media, of a breach of unsecured personally identifiable health information data.
Included in the proposed changes are revised definitions of several words to clarify the application of the rule to health applications and similar technologies that are not covered by HIPAA. This includes amending the definition of “PHR identifiable health information” and adding two new definitions: “health care provider” and “health care services or supplies.” The proposed rules also clarify that a “breach of security” includes an unauthorized acquisition of identifiable health information that course as a result of a data security breach or unauthorized disclosure. The proposed changes also clarify that a breach of security under the rule includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or unauthorized disclosure.
The changes would also authorize the expanded use of email and other electronic means of providing clear and effective notice of a breach to consumers and expanding the required content that should be provided in the notice to consumers. For example, the notice would be required to include information about the potential harm stemming from the breach and the names of any third parties who may have acquired any unsecured personally identifiable health information.
These proposed changes follow several years of discussion by the FTC, including a request for comments in 2020 on whether changes to the Rule should be considered. Additionally, in 2021 following an open meeting, the FTC issued a statement confirming that companies that hold sleep, fertility, heart health, glucose levels, and other health data must notify the consumers in the event of a breach – including any unauthorized sharing of data.
“We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information. When this information is breached, it is more vital than ever that mobile health app developers and others covered by the Health Breach Notification Rule provide consumers and the FTC with timely notice about what happened,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The proposed amendments to the rule will allow it to keep up with marketplace trends, and respond to developments and changes in technology.”
The FTC will accept comments on the proposed changes submitted through August 8, 2023.