FTC seeks to strengthen protections for personal health data

The Federal Trade Commission (FTC) is asking for public input on changes it’s proposing to the Health Breach Notification Rule (HBNR) that include clarifying how the rule applies to health apps and similar technologies.

The rule requires vendors of personal health records (PHR) and related entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third-party service providers to PHR vendors and PHR-related entities to notify such vendors and PHR-related entities when a breach is discovered.

The proposed changes come as business practices and technological developments increase both the amount of health data collected from consumers, and the incentive for companies to use or disclose that sensitive data for marketing and other purposes, Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a news release.

“We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information,” Levine said. “When this information is breached, it is more vital than ever that mobile health app developers and others covered by the Health Breach Notification Rule provide consumers and the FTC with timely notice about what happened.”

On May 17, 2023 the FTC announced a proposed order settling allegations that the fertility app Premom violated the HBNR. In February 2023, the agency announced its first enforcement action under the HBNR against telehealth and prescription drug discount provider GoodRx Holdings Inc. It said GoodRx and Premom had each violated the rule by not notifying users about their unauthorized disclosure of users’ personally identifiable health information to third parties.

The proposed changes to the HBNR include:

• Revising several definitions to clarify the rule’s application to health apps and similar technologies not covered by HIPAA. This includes modifying the definition of “PHR identifiable health information” and adding two new definitions for “health care provider” and “health care services or supplies”;
• Clarifying that a “breach of security” under the rule includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;
• Revising the definition of “PHR related entity” in two ways that pertain to the rule’s scope. For example, it makes clear that only entities that access or send unsecured PHR identifiable information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities;
• Clarifying what it means for a personal health record to draw PHR identifiable health information from multiple sources;
• Authorizing the expanded use of email and other electronic means of providing clear and effective notice of a breach to consumers;
• Expanding the required content that should be provided in the notice to consumers. For example, the notice would be required to include information about the potential harm stemming from the breach and the names of any third parties who might have acquired any unsecured personally identifiable health information; and
• Making changes designed to improve the rule’s readability and promote compliance.

The public has 60 days from May 18, the date the notice was published in the Federal Register, to submit comments on the proposed changes to the rule. Information on how to submit a comment can be found in the notice. Once processed, the comments will be posted to Regulations.gov.