Online services, health apps, and similar technologies not subject to HIPAA are now explicitly covered by the Health Breach Notification Rule (HBNR), 16 C.F.R. 318. On April 26, 2024, the FTC voted 3–2 to issue a final rule to modify the HBNR to explicitly cover these technologies, among a series of other changes clarifying the scope of the HBNR.
The FTC’s updates to the HBNR are the culmination of the FTC’s increased focus on regulating evolving technologies and are underscored by recent FTC activity, including its enforcement actions based on the use of website analytics and advertising tools. This activity, together with the updated HBNR, reflects the FTC’s focus on keeping pace with evolving technologies and ensuring the privacy of sensitive information.
Lead Up to the Final Rule
The HBNR was adopted in 2009 to require vendors of personal health records (PHR) and similar entities that do not fall under the Health Insurance Portability and Accountability Act (HIPAA) to notify consumers, the FTC, and, in some cases, the media where there was a breach of unsecured personally identifiable information.
In September 2021, more than a decade after the rule came into effect, the FTC published a Policy Statement offering guidance on the scope of the HBNR. The Policy Statement highlighted the FTC’s position that the HBNR applies more broadly than previously believed. The FTC made clear that the rule covers most health apps and similar technologies that are not covered by HIPAA.
In 2023, the FTC brought its first enforcement actions under the rule against vendors of PHR. First, in February 2023, the FTC brought an enforcement action against GoodRx based on the use of certain third-party website analytic and advertising tools. The FTC then followed in May 2023 with its second enforcement action against Easy Healthcare Corporation’s fertility-tracking app Premom under a similar theory.
In June 2023, the FTC issued a Notice of Proposed Rulemaking (NPRM) proposing to revise the HBNR in several ways, including to clarify the scope of its applicability, and eliciting public comments on its changes from a variety of stakeholders.
Following the NPRM, the Commission voted 3–2 to approve publication of the final rule in the Federal Register. The dissenting statement argues that the final rule contains definitions that are inconsistent with the statute and that it puts organizations at risk of perpetually violating the rule and facing enforcement. The dissenting statement thus contains a roadmap for organizations accused of violating the final rule to challenge its enforcement.
The final rule will go into effect 60 days after its publication in the Federal Register.
Key Changes with the Final Rule
The FTC’s final rule modifies the HBNR in several ways:
- Revises and adds several definitions to clarify the HBNR’s scope, including the rule’s application to developers of health apps and similar technologies. By adding definitions for “covered health care provider” and “health care services or supplies,” the final rule clarifies that the HBNR applies generally to online services that provide health care services and supplies, including developers of mobile health applications and related technologies not covered by HIPAA.
- Expands the definition of “breach of security” to include an unauthorized acquisition of PHR identifiable health information as a result of an unauthorized disclosure—not only as a result of a data security incident. Specifically, a voluntary disclosure by a PHR vendor or PHR related entity would qualify as a breach of security if that disclosure was not authorized by the consumer.
Notably, the FTC stated that it declined to define “authorization” because the 2009 Rule Commentary already provided guidance on the types of disclosure the FTC considers “unauthorized.” The FTC also pointed to recent enforcement actions, such as GoodRx, that establish “important guidelines” regarding authorization, and specified that “dark patterns” do not satisfy the standard of “meaningful choice.”
The final rule provides additional examples of what may constitute an unauthorized disclosure, including a company’s unauthorized sharing or selling of consumers’ information to third parties in a manner inconsistent with the company’s representations to consumers, or a scenario in which a medication app shares PHR identifiable health information for purposes of ad targeting, where the company does not disclose the sharing and also fails to obtain affirmative express consent from users.
- Specifies that “PHR related entity” covers products and services offered through any online service, including websites and mobile apps. It also narrows the definition such that PHR related entities only include entities that access or send unsecured PHR identifiable health information to a PHR, rather than entities that access or send any information to a PHR. Third-party service providers that access PHR identifiable information as part of providing services are not PHR related entities except “to the extent that it offers its services . . . for its own purposes rather than to provide services.”
- Clarifies what a PHR drawing from multiple sources means. The final rule provides that a PHR is an electronic record of PHR identifiable health information on an individual that has the “technical capacity” to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual. This is true even if the product draws health information from only one source.
- Expands required notification to individuals when there is a breach of security. Notifying entities may now provide written notice via “electronic mail” if the individual “has specified electronic mail as the primary contact method.” Notice by “electronic mail” may occur via email in combination with one or more of the following: text message, within-application messaging, or electronic banner. Appendix A of the final rule provides illustrative examples of notifications that entities may use to notify individuals of a breach of security.
- Adds new content requirements to the required notification to individuals where there is a breach of security. The notifying entity must provide additional information in its notifications to affected individuals, including:
  - (1) full name or identity (or, where providing name or identity would pose a risk to individuals or the entity providing notice, a description) of the third parties that acquired the PHR identifiable health information as a result of a breach of security;
  - (2) a description of the types of unsecured PHR identifiable health information involved in the breach;
  - (3) a description of what the entity is doing to protect affected individuals; and
  - (4) two or more ways to contact the notifying entity, including email address, website, postal address, in-app contact, or toll-free phone number.
- Enhances the HBNR’s readability to help promote compliance by clarifying cross-references, adding statutory citations, consolidating notice and timing requirements, and describing penalties for non-compliance.
Key Takeaways
Entities that are not subject to HIPAA but that interact with or handle health information should carefully review the HBNR’s applicability to them, particularly under the clarifications proposed by the NPRM. The FTC’s proposed changes to the HBNR and its recent enforcement of the HBNR signal the FTC’s increased focus on regulating evolving technologies in order to better protect health information handled by entities not regulated under HIPAA.
Update: The final rule is scheduled for publication in the Federal Register on May 30, 2024. Accordingly, the final rule will go into effect on July 29, 2024.