The FTC Expands Notification Requirements for Health Breaches on Health Apps

By: Ashton Brock, Burr & Forman LLP

On April 26, 2024, the Federal Trade Commission (FTC) published a final rule aiming to clarify the current Health Breach Notification Rule (HBN Rule), giving greater protections and expanding breach notification requirements for vendors of personal health information who are not regulated by HIPAA. According to the FTC, this final rule is designed to strengthen and modernize the HBN Rule by clarifying its applicability to health apps and other similar technologies and expanding the information that covered entities must provide to consumers when notifying them of a breach of their health data.

To start, the FTC first developed a breach notification rule for consumer-facing entities that are not HIPAA covered entities or business associates in 2009, when the American Recovery and Reinvestment Act of 2009 granted it the rulemaking authority to do so. The FTC’s first version of its HBN Rule was limited. Even so, its goal was to hold accountable those entities in the market that offered personal health record (PHR) services but were not covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This first rule required that PHR related entities notify impacted consumers, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health information.

Now, however, the FTC has clarified and expanded the initial rule to broaden protections and notice requirements to include health apps and similar technologies. As such, physicians should pay particular attention to this updated HBN Rule if they are involved in the development of apps or are in any way connected to the information that is collected on these apps. Specifically, the updated rule finalized changes that include:

  • Revising definitions of “PHR identifiable health information” and adding two new definitions for “covered health care provider” and “health care services or supplies;”
  • Clarifying what a “breach of security” is, to state that it includes unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;
  • Revising the definition of a PHR related entity. This is two-fold, starting with making clear that the final rule covers entities that offer products and services through online services, including mobile applications, of vendors of PHRs, and then further makes clear that only entities that access or send unsecured identifiable health information to a PHR — rather than entities that access or send any information to a PHR — qualify as PHR related entities; 
  • Clarifying what it means for a PHR to draw PHR identifiable health information from multiple sources;
  • Expanding consumer notice requirements, now stating that the notice must include the name or identity (or, where providing the full name or identity would pose a risk to individuals or the entity providing notice, a description) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security; 
  • Changing the time requirement, stating that for breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they send notices to affected individuals, which must occur without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security; and 
  • Improving the rule’s readability to promote compliance.

All in all, the final rule seeks to clarify and broaden the reach of the HBN Rule to keep up with the ever-changing innovations in the healthcare industry. This includes health apps or websites that offer products or services solely through online services or mobile applications and that both send and receive identifiable health information, like fitness trackers and wearable blood pressure monitors. Now, these apps or websites are required to alert their vendors of their status as a PHR related entity or vendor of PHR in order to put vendors on notice of the potential implications under the Rule.

The final rule becomes effective 60 days after publication in the Federal Register. With breaches of the HBN Rule subject to civil penalties under Section 18 of the FTC Act, physicians should immediately review the final rule’s requirements if they have not already done so. For the full rule, see

Ashton Brock is an Associate at Burr & Forman LLP. Ashton may be reached at (205) 458-5340 or
