A MoFo Privacy Minute Q&A: What to Expect with the FTC’s Amended Health Breach Notification Rule Going into Effect
This is “A MoFo Privacy Minute,” where we answer the questions our clients are asking us in sixty seconds or less.
Question: I heard that the amendments to the FTC’s Health Breach Notification Rule (HBNR) go into effect on July 29, 2024. Is my company subject to the HBNR?
Answer: The Federal Trade Commission’s (FTC) final rule, which expands the scope and application of the HBNR, takes effect on July 29, 2024.
The HBNR applies to vendors of personal health records (PHRs) and related entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA). It requires these entities to notify individuals, the FTC, and, in some cases, the media in the event of a breach of unsecured covered data.
The amended HBNR clarifies that the HBNR’s application extends to developers of health apps and similar technologies, and generally to online services that provide healthcare services and supplies, including developers of mobile health applications and related technologies not covered by HIPAA (i.e., any website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, or diet, or that provides other health-related services or tools).
The HBNR becomes effective against the backdrop of the FTC’s emphasis on regulating evolving technologies to better protect health information handled by entities not regulated under HIPAA, including through a growing number of FTC enforcement actions.
Entities that are not subject to HIPAA but that interact with or handle health information should continue to carefully and regularly assess the applicability of the HBNR to their practices and review their efforts to comply with the HBNR, paying close attention to the clarifications made under the final rule. See our client alert on the HBNR final rule for additional background on the HBNR and its requirements.