On May 18, 2023, the Federal Trade Commission (“FTC”) announced a Notice of Proposed Rulemaking (the “Proposed Rule”), which both clarifies the scope of the Health Breach Notification Rule (“HBN Rule”) to include broader types of companies, such as those that develop fitness apps and wellness products, and creates a more granular set of requirements around notifications of breaches. These changes signify two important things: (1) the HBN Rule applies to more types of companies than previously understood; and (2) for the first time, the FTC appears to be focusing on its enforcement authority related to the HBN Rule. After the final rules are published, we can expect greater enforcement for companies that are not traditionally considered “healthcare” companies.
The FTC’s HBN Rule was first promulgated in 2009 and requires covered organizations to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. The HBN Rule applies to vendors of personal health records, certain related entities, and third-party service providers that maintain information of U.S. citizens or residents. It does not apply to HIPAA-covered entities or other entities in their capacity as a business associate.
In 2021, the FTC began its push to expand the reach of the HBN Rule when it issued a Policy Statement — followed by guidance resources (see here and here) in 2022 — advising that the HBN Rule applies broadly to health apps and devices, and covers not only security violations such as cybersecurity breaches, but also privacy violations such as disclosure of health data without consumer authorization. In 2023, the FTC brought its first enforcement actions (see here and here) under the HBN Rule pursuant to the broadened interpretation in the Policy Statement. Now, the FTC is seeking to codify its interpretation with the Proposed Rule.
Because of its limited scope and lack of prior enforcement, the HBN Rule traditionally has not been top of mind for many healthcare providers or their vendors and service providers. However, given the FTC’s expanded view, along with the proliferation of health technology subject to the HBN Rule such as apps, fitness trackers, and wearable blood pressure monitors, the Proposed Rule merits a close inspection by healthcare providers, vendors, and technology developers.
The Proposed Rule would modify the HBN Rule in the following ways:
- Clarify the HBN Rule’s scope, including its coverage of developers of many health applications, including in many instances even if an app is positioned as a “wellness” product rather than a “health” product;
- Amend the definition of “breach of security” to clarify that a breach of security includes data security breaches and unauthorized disclosures, including unauthorized disclosures of consumers’ personal health record (“PHR”) identifiable health information to third-party companies, and is not limited to cybersecurity intrusions or nefarious behavior;
- Revise the definition of PHR related entity, with the goals, in part, to avoid competing notice obligations in the case of a breach, and to create incentives for responsible data stewardship and for de-identification;
- Clarify what it means for a PHR vendor to draw PHR identifiable health information from multiple sources, for example, making clear that simply the ability to draw information from multiple sources would qualify (regardless of whether a consumer uses that feature), and that drawing any information (not just health information) from multiple sources could also bring the activities under the purview of the HBN Rule;
- Modernize the method of notice to authorize expanded use of email and other electronic means of providing clear and effective notice of a breach to consumers, provided consumer consent is obtained in advance for use of such method;
- Expand the content of the notice in a variety of ways, including that a notice would be required to provide: (i) a brief description of the potential harm that may result from the breach, such as medical or other identity theft; and (ii) the full name, website, and contact of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security, if this information is known; and
- Improve the HBN Rule’s readability by clarifying cross-references and adding statutory citations, consolidating notice and timing requirements, and articulating the penalties for non-compliance.
Each of the above proposals is discussed in more detail in the Proposed Rule, and specific topics on which the FTC is requesting public comment are outlined as well. Instructions for submitting comments can be found on the publication page with the Proposed Rule. Written comments must be received by the FTC on or before August 8, 2023.
A Note on Application of the HBN Rule and Organization Privacy Promises
A unique component of the Proposed Rule, which was emphasized in the recent HBN Rule enforcement actions, is that FTC considers failure to comply with privacy promises to be a violation of the HBN Rule. The HBN Rule is expressly a breach notification regulatory regime, which stands in contrast to more fulsome privacy and security regimes, such as HIPAA, which mandate not only breach notification obligations, but also how patient information may be used and disclosed. In its commentary to the Proposed Rule, FTC clarifies its intent to “make clear to the marketplace that a breach includes an unauthorized acquisition of identifiable health information that occurs as a result of a data breach or an unauthorized disclosure, such as a voluntary disclosure made by the PHR vendor or PHR related entity where such disclosure was not authorized by the consumer.”
What Companies Should Do in Response to This Proposed Rulemaking
As organizations evaluate how and when the HBN Rule applies to their operations, they should consider: (1) what portion of their organization and activities could be subject to the HBN; and (2) what privacy promises the organization is making to consumers.
Affected organizations should take the opportunity to review the applicability of the HBN Rule and consider submitting comments to the Proposed Rule to the extent the proposed changes may affect the organization.
For more information or for assistance assessing the applicability of the HBN Rule to your organization, please contact Jackie Cooney, Madison Pool, or Erin Doyle.