On April 26, 2024, the Federal Trade Commission (“FTC” or the “Commission”) announced changes to the Health Breach Notification Rule (“HBNR”), which requires certain entities not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to notify consumers, the FTC, and, in some cases, the media of breaches of unsecured personally identifiable health data.[1]  The final rule seeks to address technological and industry advancements since the original HBNR was adopted in 2009 by clarifying the rule’s applicability to direct-to-consumer health technologies (such as fitness trackers) which have proliferated in recent years.  The final rule also expands the information that covered entities must provide to consumers when notifying individuals of a data breach.

The Health Breach Notification Rule

Section 13407 of the American Recovery and Reinvestment Act of 2009 (“the Act”) created certain protections for personal health records (“PHRs”), electronic records of individually identifiable health information “that can be drawn from multiple sources and that [are] managed, shared, and controlled by or primarily for the individual.”[2]  Since vendors of PHRs and PHR related entities (defined below) were collecting consumers’ health information but were not subject to HIPAA’s security requirements, the Act directed the FTC to issue a rule requiring such entities, and their third party service providers, to provide notification of any breach of unsecured PHR identifiable health information.

  • Businesses qualify as vendors of PHRs if they offer or maintain an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for the individual.  Thus, if a company offers a health app that collects information from a consumer and can sync with a consumer’s fitness tracker, remote blood pressure cuffs, connected blood glucose monitor, etc., then that company would qualify as a vendor of PHRs.  The health app itself would qualify as a PHR.
  • Businesses qualify as PHR related entities if they interact with a vendor of PHRs either by offering products or services through the vendor’s website, app, or other online service – even if the vendor’s service is covered by HIPAA – or by accessing information in a PHR or sending information to a PHR.  For instance, if a company offers fitness trackers, remote blood pressure cuffs, connected blood glucose monitors, etc., that can send information to health apps, then that company would qualify as a PHR related entity.
  • Businesses qualify as third-party service providers if they offer services involving the use, maintenance, disclosure, or disposal of health information to vendors of PHRs or PHR related entities.  For example, if a vendor of PHRs hires a company to provide billing, debt collection, or data storage services related to health information, then that company would qualify as a third-party service provider.

The rule that the Commission issued in 2009 requires vendors of PHRs and PHR related entities not covered by HIPAA to notify affected consumers of any breach of unsecured PHR identifiable health information, to notify the FTC (promptly for breaches involving 500 or more individuals, and through an annual log for smaller breaches), and, for breaches involving 500 or more residents of a state or jurisdiction, to notify prominent media outlets.  Third-party service providers must also notify the vendor of PHRs or PHR related entity they serve of any breach of unsecured PHR identifiable health information, so that the vendor or related entity can in turn make the required notifications.

While the core of this rule remains the same, the FTC has updated the HBNR in light of the increasing amount of health data that companies collect from consumers and the growing incentive for companies to disclose that data for marketing or other purposes.

Modifications to the Rule

The finalized changes to the rule include:

  • Revising or creating definitions for “PHR identifiable health information,” “covered health care provider,” and “health care services or supplies” to underscore that the rule covers health apps and similar technologies not covered by HIPAA.  Under the revised rule, developers of health apps and similar technologies providing “health care services or supplies” are considered “covered health care providers” and data collected or used by their products constitutes “PHR identifiable health information.” 
  • Updating the definition of “personal health record” to clarify what it means for a PHR to “draw information from multiple sources.” Under the updated rule, a product qualifies as a PHR if it has the technical capacity to draw information (not just health data) from multiple sources, regardless of whether the consumer enables such syncing features. 
  • Modifying the definition of “breach of security” to cover not only data breaches resulting from security incidents, but also unauthorized disclosures.  A company thus commits a breach of security when it shares or sells consumers’ information to third parties in a manner inconsistent with the company’s representations to consumers (for example, sharing data with advertisers without disclosing that practice and without obtaining affirmative express consent).
  • Amending the definition of “PHR related entities” in two ways to clarify the HBNR’s scope.  First, the final rule broadens the definition to cover entities that offer products and services through a PHR vendor’s online services (including mobile device apps), not only through its website.  Second, the rule narrows the definition to cover only entities that access or send “unsecured PHR identifiable health information” to a PHR, as opposed to entities that access or send any other information to a PHR.  For example, the maker of a remote blood pressure cuff or fitness tracker could qualify as a PHR related entity when individuals sync the device with a health app (a PHR).  However, a grocery delivery service that sends information about food purchases to a diet and fitness app is unlikely to qualify as a PHR related entity.
  • Authorizing electronic notification for individuals who have specified electronic mail as their primary contact method.  The rule defines “electronic mail” to mean email in combination with text messaging, within-app messaging, and/or an electronic banner.  Any notification delivered via electronic mail must be clear and conspicuous.
  • Expanding the content included in consumer notices to incorporate four additions.  First, the notice must include the full name or identity (or a description, if providing the name or identity would pose a risk to individuals or the notifying entity) of any known third parties that acquired unsecured PHR identifiable health information as a result of a breach.  Second, the updated rule expands the exemplar list of data that should be included in a notice’s description of affected information.  The updated list of potential data now includes, among other information, health diagnosis or condition, lab results, medications, other treatment information, the individual’s use of a health-related app, and device identifiers.  Third, the notice must also now include a brief description of what the breached entity is doing to protect affected individuals.  Finally, the new rule requires that the notice provide two or more of the following methods of contacting the notifying entity: toll-free phone number, email address, website, within-app, or postal address.
  • Changing the timing of FTC notification under the HBNR.  Under the original rule, covered entities had to notify the FTC within ten business days of discovering a breach involving 500 or more individuals.  Now, covered entities who experience a breach involving 500 or more people must notify the FTC at the same time they notify affected individuals and in no case later than 60 calendar days after the discovery of the breach.
  • Improving the readability of the HBNR by including explanatory parentheticals for internal cross-references, adding statutory citations, consolidating notice and timing requirements, and revising the Enforcement section to state the penalties for non-compliance more plainly.

The final rule will go into effect 60 days after its publication in the Federal Register.

[1] FTC Finalizes Changes to the Health Breach Notification Rule, (Apr. 26, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/04/ftc-finalizes-changes-health-breach-notification-rule.

[2] 42 U.S.C. § 17921(11).