FTC Proposes Amendments to its Health Breach Notification Rule

The American Recovery and Reinvestment Act of 2009 (ARRA) was enacted in part to provide security and privacy protections for web-based businesses, such as websites that allow people to provide medical information online. For example, a website may allow users to upload readings of their blood pressure into a personal health record. The ARRA required that the Federal Trade Commission issue a rule “requiring companies to contact customers in the event of a security breach.” The rule the FTC enacted was the Health Breach Notification Rule.

The Health Breach Notification Rule (HBNR) requires that a company that suffers a breach notify every person whose information was breached. In many cases, the media must also be notified. The FTC must be notified as well.

The FTC has a specific form that companies should use to notify the FTC of a breach. The list of reported breaches is posted regularly. Businesses can obtain more information about complying with the FTC’s Health Breach Notification Rule from the FTC’s online brochure, which “explains who’s covered by the Rule and offers guidance on what to do in case of a breach. FTC enforcement began on February 22, 2010.”

The FTC health breach notification rule compared to the DHHS’ HIPAA health breach notification rule

The FTC’s Health Breach Notification Rule does not apply to technologies specified by the Department of Health and Human Services. The Rule also does not apply to “businesses or organizations covered by the Health Insurance Portability & Accountability Act (HIPAA).” HIPAA has its own DHHS breach notification rule.

HIPAA’s breach notification rule defines a breach as, in essence, any use or disclosure that violates HIPAA’s Privacy Rule and “compromises the security or privacy of the protected health information.” Specifically, HIPAA’s breach notification rules provide:

“An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

    • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
    • The unauthorized person who used the protected health information or to whom the disclosure was made
    • Whether the protected health information was actually acquired or viewed
    • The extent to which the risk to the protected health information has been mitigated.”

The FTC’s proposed new health breach notification rule for non-HIPAA health technologies focuses on new health apps and evolving technologies. As of September 2023, the FTC is seeking comments on the proposed changes to the Health Breach Notification Rule (HBNR).

What apps are covered by HIPAA?

According to the Department of Health and Human Services, whether an app is covered by DHHS and HIPAA “depends on the relationship between the covered entity and the app.”

“Once health information is received from a covered entity, at the individual’s discretion, by an app that is neither a covered entity nor a business associate under HIPAA, the information is no longer subject to the protections of the HIPAA Rules.”

“If the individual’s app – chosen by an individual to receive the individual’s requested ePHI – was not provided by or on behalf of the covered entity (and, thus, does not create, receive, transmit, or maintain ePHI on its behalf), the covered entity would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app.”

“If, on the other hand, the app was developed for, or provided by or on behalf of the covered entity – and, thus, creates, receives, maintains, or transmits ePHI on behalf of the covered entity – the covered entity could be liable under the HIPAA Rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer.”

“For example, if the individual selects an app that the covered health care provider uses to provide services to individuals involving ePHI, the health care provider may be subject to liability under the HIPAA Rules if the app impermissibly discloses the ePHI received.”

Covered entities (and their apps) generally include healthcare providers (only if the apps transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard), insurance plans, government programs like Medicare that pay for health benefits and services, HMOs, and healthcare clearinghouses.

Why is the FTC seeking to update/amend its health breach notification rule?

The FTC is seeking comments to update its breach notification rule in light of many new health apps and health technologies, such as fitness trackers, that are now common in the marketplace. These new apps and technologies are increasing the amount of consumer health data that is being accessed and transmitted and increasing the incentive of businesses to disclose or use that health data for marketing and other purposes.

The FTC’s Director of the Bureau of Consumer Protection said,

“We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information. When this information is breached, it is more vital than ever that mobile health app developers and others covered by the Health Breach Notification Rule provide consumers and the FTC with timely notice about what happened.”

What does the proposed new FTC Breach of Notification Rule require?

The rule applies to:

  • Vendors of personal health records (PHR) and PHR-related entities
  • That are not covered by HIPAA

These entities must notify:

  • Individuals
  • The FTC
  • And the media in some cases

About a breach of unsecured personally identifiable health data.

The rules also require that “Third-party service providers to vendors of PHRs and PHR-related entities provide notification to such vendors and PHR-related entities following the discovery of a breach.”

The FTC does enforce data breaches of patient health information

The FTC takes data breaches seriously. The FTC has already brought several cases involving the misuse of consumers’ personal health data. Two of these enforcement actions allege violations of the current Health Breach Notification Rule (HBNR). These two enforcement actions resulted in:

The FTC said that these companies violated the HBNR by failing to inform users about the companies’ unauthorized disclosure of users’ personally identifiable health information to third parties.

FTC ENFORCEMENT ACTIONS HURT, DON’T LOSE YOUR SHIRT

Any health and wellness company not strong or tough enough to take the FTC pain should have its marketing materials reviewed by legal counsel before putting them up on the Web.

How the FTC proposal reached the current proposed amendment stage

In 2021, the FTC sought public comments about the need to change the HBNR. “In September 2021, the FTC issued a policy statement affirming that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule.” Based on those comments, the FTC has proposed the following changes to the HBNR:

  • Clarifying that the proposed new HBNR applies to health apps and similar technologies not covered by HIPAA. This part of the proposal includes updating various definitions such as “PHR identifiable health information” and adding two new definitions for “health care provider” and “health care services or supplies.”
  • Clarifying that a “breach of security” under the rule includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure.
  • The proposed HBNR, for example, makes “clear that only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities.”
  • “Clarifying what it means for a personal health record to draw PHR identifiable health information from multiple sources.”
  • Authorizing the expanded use of email and other electronic tools to provide consumers with clear and effective notice of a breach.
  • Expanding the content that must be in the notice. For example, the notice would be required to include information about the potential harms from the breach and the identities of any third parties that might have acquired any unsecured personally identifiable health information.
  • Making changes to improve the rule’s readability and to promote compliance.

The FTC announced that the agency is looking to amend its current Health Breach Notification Rule (HBNR) to include healthcare apps and technologies that are not currently covered by its current rule or by HIPAA’s breach notification rule. The FTC’s HBNR modification applies to the large number of new healthcare apps that send, receive, or allow access to a patient’s electronic healthcare information. The FTC will file enforcement actions against any healthcare provider or entity that violates the agency’s HBNR.

Any medical practice that uses apps and technology that isn’t already covered by HIPAA should contact Cohen Healthcare Law Group to discuss their legal and healthcare compliance requirements. Our experienced healthcare attorneys advise doctors, medical practices, and medical businesses about healthcare compliance laws and regulations.
