Public comments are due by August 8th to the Federal Trade Commission (FTC)’s Notice of Proposed Rulemaking (NPRM) to amend the Health Breach Notification Rule (HBNR), which imposes breach notification obligations on certain non-HIPAA-covered entities. The proposed changes are intended to clarify the scope of the HBNR’s applicability and to further solidify the position taken in the FTC’s 2021 HBNR Policy Statement and recent enforcement actions: that the HBNR reaches most health and wellness apps, and that a “breach of security” includes incidents involving unauthorized disclosures of covered information in addition to data security incidents. The NPRM further highlights the FTC’s proactive commitment to protecting consumers’ sensitive information, particularly health information.
History and Scope of the HBNR
The HBNR was promulgated in 2009 but went unenforced until earlier this year, when the FTC announced its first HBNR enforcement action against telehealth and prescription drug discount provider GoodRx. In May 2023, the FTC announced its second HBNR enforcement in an action against Easy Healthcare Corporation’s fertility-tracking app Premom for its violation of the HBNR.
As a refresher, the HBNR applies to (i) vendors of personal health records (PHRs),[1] (ii) PHR‑related entities that interact with vendors of PHRs or HIPAA-covered entities by offering products or services through their sites or that access information in or send information to a PHR, and (iii) third-party service providers for vendors of PHRs or PHR-related entities that process unsecured PHR identifiable health information[2] as part of providing their services. The HBNR does not apply to HIPAA-covered entities or any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity. Under the HBNR, vendors of PHRs and PHR-related entities are required to report a “breach of security” involving PHRs to the FTC, consumers, and the media (in some cases). Service providers to such entities that process information contained in PHRs (e.g., for billing or data storage purposes) also have notice obligations to report such breaches to their business customers. The HBNR defines a “breach of security” as the acquisition of unsecured PHR identifiable health information that is in a PHR, without the authorization of the individual. Notice is required no later than 60 days after discovering the breach, unless more than 500 people are impacted (in which case, the FTC must be notified within 10 business days). If covered entities fail to comply, violations of the HBNR are subject to civil penalties of $50,120[3] per violation per day.
Summary of Proposed Changes
The NPRM proposes seven changes, which follow from the Commission’s review of public comments to its 2021 Policy Statement, which offered guidance on the HBNR.
- Clarification of Scope, Entities Covered: The FTC proposes modifying the definition of “PHR identifiable health information” to further clarify its position that this definition includes traditional health information (such as diagnoses or medications), health information derived from consumers’ interactions with apps and other online services (such as health information generated from tracking technologies employed on websites or mobile applications or from customized records of website or mobile application interactions), as well as emergent health data (such as health information inferred from non-health-related data points, such as location and recent purchases). The NPRM proposes adding new definitions for the terms “health care provider” and “health care services or supplies.” The latter term is particularly expansive and would include “any online service, such as a website, mobile application, or Internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health‑related services or tools.”
- Clarification Regarding Types of Breaches Covered Under the HBNR: The FTC proposes revising the definition of “breach of security” to clarify that a breach “is not limited to cybersecurity intrusions or nefarious behavior.” Under the HBNR, a breach encompasses “[i]ncidents of unauthorized access, including sharing of covered information without an individual’s authorization[.]” For example, in GoodRx, the breach consisted of the “unauthorized disclosure of individually identifiable health information” through pixel tracking.
- Revised Scope of PHR-Related Entity: The FTC proposes revising the definition of “PHR-related entity” to clarify that the definition includes entities “offering products and services not only through the websites of vendors of personal health records, but also through any online service, including mobile applications.” This change reflects the rise of novel technologies and online platforms since the HBNR’s initial publication in 2009. Additionally, the FTC proposes revising which parties qualify as PHR-related entities. The proposed changes to the HBNR would change the third prong of the definition and narrow the scope from covering entities that “accesse[d] information in a personal health record or sen[t] information to a personal health record” to covering entities that “access or send unsecured PHR identifiable information to a personal health record.” The FTC gave remote blood pressure cuffs, connected blood glucose monitors, and fitness trackers as examples of devices that could qualify as PHR-related entities when individuals sync them with a personal health record (i.e., a mobile health application), and noted that the HBNR is not intended to apply to, for example, a grocery delivery service that integrates with a diet and fitness app and sends information about food purchases to that app.
- Clarification of What It Means for a PHR to Draw Information from Multiple Sources: The FTC proposes adding the phrase “technical capacity to draw information” to the definition of “personal health record.” This updated definition would define “personal health record” as “an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” This shift indicates that a product is a PHR if it is capable of drawing data from multiple sources, even if the user only authorizes drawing data from a single source. For example, a fitness and nutrition app that allows a user to sync the app with a third-party wearable fitness tracker has the technical capacity to draw identifiable health information both from the user (name, weight, height, etc.) and from the fitness tracker (name, miles run, heart rate, etc.), even if the user does not elect to connect the fitness tracker. The FTC provides examples of two non-HIPAA-covered diet and fitness apps that constitute a personal health record:
- Diet and Fitness App X allows users to sync the app with third-party wearable fitness trackers. Diet and Fitness App X has the technical capacity to draw identifiable health information both from the user (name, weight, height, age) and from the fitness tracker (user’s name, miles run, heart rate), even if some users elect not to connect the fitness tracker.
- Diet and Fitness App Y has the ability to pull information from the user’s phone calendar via the calendar API to suggest personalized healthy eating options. Diet and Fitness App Y has the technical capacity to draw identifiable health information from the user (name, weight, height, age) and non-health information (calendar entry info, location, and time zone) from the user’s calendar.
- Facilitating Greater Opportunity for Electronic Notice: The FTC proposes expanding the use of electronic communication to give consumers clear and effective notice after a breach occurs. Specifically, covered entities must “provide written notice at the last known contact information of the individual” and do so via electronic mail (if this is the primary contact method) or first-class mail. The FTC also proposes that “electronic mail” include email combined with text messaging, in-application messaging, and/or an electronic banner.
- Expanded Content of Notice: The FTC proposes expanding the information included in a notice to consumers affected by a breach, such as a description of potential harm, details about third parties that acquired unsecured PHR identifiable health information, additional examples of PHR identifiable health information that may be exposed, a description of what the impacted entity is doing to help affected consumers (e.g., identity theft protection), and two or more contact procedures to ask questions or receive more information. Procedures include a toll-free telephone number, email address, website, in‑application contact method, or postal address.
- Proposed Changes to Improve Rule’s Readability: The FTC proposes rearranging certain sections of the text, among other revisions, to facilitate better understanding of the HBNR.
Key Takeaways
Entities that are not subject to HIPAA but that interact with or handle health information should carefully review applicability under the HBNR, particularly under the clarifications proposed by the NPRM. The FTC’s proposed changes to the HBNR and recent enforcement of the HBNR signal the FTC’s increased focus on regulating evolving technologies in order to better protect health information handled by entities not regulated under HIPAA.
Katherine Wang, a summer associate in Morrison Foerster’s Boston office, contributed to this alert.
[1] A PHR is an electronic record of “PHR identifiable health information” on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. See 16 C.F.R. § 318.2(d).
[2] “PHR identifiable health information” includes “individually identifiable health information,” as defined in section 1171(6) of the Social Security Act (42 U.S.C. § 1320d(6)), and, with respect to an individual, information: (1) that is provided by or on behalf of the individual, and (2) that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. See 16 C.F.R. § 318.2(e). Individually identifiable health information means any information, including demographic information collected from an individual, that: (A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and (i) identifies the individual, or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. See 42 U.S.C. § 1320d(6).
[3] Based on the FTC’s inflation-adjusted civil penalty amounts for 2023.