The United States Federal Trade Commission (FTC) recently finalized a rule strengthening and modernizing the Health Breach Notification Rule (HBNR). In the final rule, the FTC clarified the Rule’s applicability to health apps and similar technologies and expanded the information that covered entities must provide to consumers when notifying them of a breach of their health information.
Under the HBNR, vendors of personal health records – as well as related entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) – are required to notify individuals, the FTC, and in some cases the media, of a breach of unsecured personally identifiable health data. The Rule further requires third-party service providers to vendors of personal health records and related entities to notify those vendors and related entities upon discovery of a breach.
Since the initial issuance of the HBNR, health apps and other direct-to-consumer health technologies (e.g., fitness trackers) have become more common. The FTC believed that changes were needed because “business practices and technological developments increase both the amount of health data collected from consumers, and the incentive for companies to use or disclose that sensitive data for marketing and other purposes.”
The changes the FTC made to the Rule follow roughly 120 comments received by the Agency. They include updating certain definitions, clarifying what it means for a personal health record to draw PHR identifiable health information from multiple sources, authorizing the expanded use of email (and other electronic means) for providing clear and effective notice to consumers of a breach, and expanding the required content of the notice to consumers.
“Protecting consumers’ sensitive health data is a high priority for the FTC,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “With the increasing use of health apps and connected devices, the updated HBNR will ensure it keeps pace with changes in the health marketplace.”
To that end, in addition to updating the HBNR, the FTC has begun taking enforcement action against companies for violating the HBNR, including GoodRx and Easy Healthcare. The GoodRx order was the first enforcement action under the HBNR. Both GoodRx and Easy Healthcare violated the HBNR by failing to notify users of the companies’ unauthorized disclosure of users’ personally identifiable health information to third parties.