FTC Proposes Changes to Clarify the Health Breach Notification Rule

On May 18, the Federal Trade Commission (FTC) proposed changes to the Health Breach Notification Rule (the HBNR or the Rule), including clarifying the rule's applicability to health apps and other similar technologies. These proposed changes are looking to formally institutionalize the FTC's broad interpretation of the Rule, as outlined in its 2021 policy statement.

Specifically, these proposed changes would significantly expand how the HBNR applies compared with the way many parties had previously understood the relevant legislation and the rule. These changes would both broaden the types of entities that are covered under the Rule (such as by applying to certain health apps that were not previously thought to be covered under the Rule) and expand the types of activities that trigger the Rule's notification obligations (such as the unauthorized disclosure of certain health information to a third party without consumer consent). While these interpretations are consistent with both the FTC's recent guidance and enforcement decisions, they are a new development that this proposed rule would now cement as a legal requirement. Companies potentially affected by this proposal should evaluate this additional breadth and coverage in the context of the original statutory authority and consider how best to respond during this comment period to these proposed changes.

Additionally, the FTC's proposed changes to the HBNR are part of a series of actions that the agency has taken to show that it is particularly concerned about protecting what it deems to be "sensitive" categories of data. In addition to its recent enforcement actions involving health data, the FTC has recently announced two enforcement actions against companies for processing children's data in violation of the Children's Online Privacy Protection Act. It also issued guidance in May about the increased risks associated with processing biometric information, indicating that the agency is paying attention to this issue as well. Companies that process these more sensitive categories of data in the ordinary course of business should be aware that the FTC is paying close attention and should ensure that their privacy practices are consistent with the agency's recent guidance and enforcement actions.

We have summarized the key proposed changes to the Rule below and are happy to answer any questions you may have. You can continue to stay on top of our updates by subscribing to the WilmerHale Privacy and Cybersecurity Blog.

Many health apps and similar technologies are not covered by HIPAA, but this clarified scope of the Rule would cover such companies. Companies that offer wellness-related services that might not have been traditionally viewed as health or medical issues should also note that this clarified scope intends to cover them—a product branded as a "wellness" product (rather than a "health" product) might still be subject to the HBNR obligations under these proposed changes.

The proposed changes would also clarify that only entities that access or send unsecured PHR identifiable health information are considered PHR-related entities, in the agency's attempt to narrow the scope of entities under this definition. To avoid conflicting obligations as a result of this new definition, the agency also seeks to clarify that a third-party service provider is not considered a PHR-related entity when it accesses unsecured PHR health information in the course of providing services.

Expanding the Definition of a Security Breach

Under the changes, the Rule would also update the definition of security breach to cover unauthorized acquisition of PHR identifiable health information that occurs as a result of a data security breach or unauthorized disclosure.

The current Rule defines a security breach as "the acquisition of unsecured PHR identifiable health information of an individual in a personal health record without the authorization of the individual" and includes a rebuttable presumption for unauthorized access to an individual's data. The new definition would include "an unauthorized acquisition of unsecured PHR identifiable health information in a personal health record that occurs as a result of a data breach or an unauthorized disclosure" (emphasis added). The new definition would make evident that unauthorized acquisition of identifiable health information that occurs as a result of a breach or unauthorized disclosure would be covered under the Rule.

Companies sharing information with third parties should ensure that such disclosures were authorized by the customer. Under the new definition, a voluntary disclosure made by a PHR vendor without authorization from the consumer would explicitly qualify as a security breach, consistent with recent FTC actions such as in the GoodRx and Easy Healthcare cases.

Modernizing Notice Methods

Under the new Rule, electronic would mean email in combination with at least one of the following: text messaging, within-application messaging or electronic banner. The addition of the second prong to an email notice is intended to increase the likelihood of consumers encountering the breach notification.

Companies are currently mandated to include in their notices a description of the types of unsecured PHR identifiable health information that could have been involved in the breach. The current Rule sets forth examples of such information, such as full name, date of birth, Social Security number, account number or disability code. Under the proposed changes, this list would be expanded to include other types of PHR identifiable health information, such as health diagnosis or condition information, lab results, medications, other treatment information, the user's use of a health-related mobile application, and device identifier. The FTC notes that the exposure of health information can lead to a variety of harms; for instance, even the disclosure of an individual's use of a health-related mobile application could lead to injuries including embarrassment, social stigma, more expensive health insurance premiums and even loss of employment. Companies that experience a security breach should think carefully about what type of health information may have been exposed, because the agency is signaling a broad interpretation of what PHR identifiable health information entails.

The final proposed change to the Rule require companies to provide at least two contact procedures so individuals can learn more about the breach.