FTC Proposes Health Breach Notification Rule Amendments
The Federal Trade Commission (FTC), at its May 18, 2023, open Commission meeting, voted unanimously to issue a Notice of Proposed Rulemaking to amend the Health Breach Notification Rule (HBNR). The FTC’s proposed amendment aims to codify the HBNR’s application to digital health and mobile technologies, as the FTC initially set forth in its 2021 policy statement. The FTC published its proposed amendment in the Federal Register on Friday, June 9, 2023 (88 FR 37819). Interested parties should consider submitting comments by August 8, 2023.
The American Recovery and Reinvestment Act of 2009 (ARRA) charged the FTC with developing a breach notification rule that applied to entities not covered under HIPAA’s breach notification rule, which was also created under ARRA. In other words, the FTC was tasked with addressing consumer-facing entities that are not “covered entities” or “business associates” under HIPAA. Congress granted rulemaking authority to the FTC to issue regulations requiring vendors of personal health records (PHRs) and “PHR related entities” to notify consumers in the event of an information security breach.
In response, the FTC issued its HBNR in 2009, which requires PHR vendors and PHR related entities to notify their impacted customers, the FTC and in some instances the media in the event of a breach of individually identifiable health information (74 Fed. Reg. 42962). The HBNR requires notice to affected consumers and the FTC when there has been an unauthorized acquisition of unsecured identifiable health information from PHRs, and notice to the media if the breach affects 500 or more consumers in a particular state or jurisdiction. The HBNR defines PHRs as electronic records of individually identifiable health information that can be drawn from multiple sources and that are managed, shared and controlled by or primarily for individuals (unlike, for example, the electronic medical records maintained by healthcare providers in rendering healthcare services to individuals). PHR related entities are companies that offer products or services through PHR websites, access information in PHRs or send information to PHRs.
At the time the FTC issued the HBNR, the rule’s reach was limited. Few PHRs existed on the market, and the general understanding was that the “multiple sources” referenced in the definition of a PHR excluded information entered by the consumer.
In fall 2021, the FTC signaled its intention to take a more expansive interpretation of its authority. It approved a policy statement entitled “On Breaches by Health Apps and Other Connected Devices” in order to “clarify the scope of” the HBNR by stating that the rule applies to health apps and connected devices that are not subject to HIPAA but are capable of drawing information from multiple sources “even if the health information comes from only one source” (for example, through a combination of consumer inputs and application programming interfaces). This policy statement effectively reclassified most healthcare apps not already regulated by HIPAA as arguably within the FTC’s jurisdictional reach. We described the 2021 HBNR policy statement in depth in a prior publication, which can be accessed here.
The FTC brought its first enforcement actions under the HBNR, as interpreted by the 2021 policy statement, in settlements with GoodRx and Easy Healthcare Corporation (which publishes a fertility tracking app called Premom) in February and May 2023, respectively. The breadth of these settlements, the allegations they contain and the remedies they impose leave little doubt about the intensity of the FTC's focus on consumer privacy in the healthcare space.
Building on these settlements, the FTC now turns to amending the HBNR to reflect the posture of the current Commission. The FTC stated that it proposes to amend the HBNR to ensure that health applications provide consumers and the FTC with notice in the event of a breach of consumer health information. The proposed amendment offers the following changes, among others:
Multiple Source Rule: Would provide that a product is a PHR if it has the technical capacity to draw information from multiple sources (e.g., through an application programming interface), even if the consumer or entity elects not to connect the product to more than one source. The FTC’s 2021 policy statement and the proposed amendment highlight the agency’s position that the HBNR covers virtually all non-HIPAA-regulated online services, including websites, apps and internet-connected devices, that provide healthcare services or supplies.
Authorization Requirement: Would require health apps, including fitness, sleep, mental health and nutrition applications, to obtain authorization from consumers to share their information with third parties. Health apps would also be required to notify consumers if their information is accessed by third parties without their authorization.
Breach of Security Definition: Would enshrine the FTC’s position taken in the GoodRx and Premom settlements that a “breach of security” under the HBNR includes an unauthorized acquisition of identifiable health information that occurs because of a data security breach or an unauthorized disclosure to a third party. In other words, a breach is not limited to third-party hacking or intrusion into a health app’s systems, but also occurs when a health app itself discloses sensitive health information without the user’s authorization.
PHR Related Entities: Would clarify that only entities that access or send unsecured PHR identifiable health information to a PHR qualify as PHR related entities.
Modernized Method of Notice: Would authorize the expanded use of email and other electronic means to provide consumers with clear and effective notice of a breach.
Expanded Notice Content Requirements: Would expand the information that must be included in the notice to consumers—for example, requiring an explanation about the potential harm stemming from the breach and the names of any third parties that might have acquired the information.
Penalties for Non-Compliance: Would clearly state that entities that fail to comply with the HBNR are subject to penalties of up to $50,120 per violation per day (increased annually for inflation).
Several aspects of the proposed amendment lack clarity and are likely to cause confusion within the regulated community unless further clarified through the ongoing rulemaking process. Entities considering submitting comments may want to explore some or all of the following areas:
The FTC’s position that consent and privacy policies are necessary (but not always sufficient) tools for obtaining consumer permission for data disclosures may leave some entities feeling uncertain as to how a health app should obtain the required authorization from a consumer. The agency considered defining the term “authorization” in the proposed amendment, but ultimately chose not to do so. The proposed rule seeks public comment on whether the HBNR should define the term. The FTC references commentary from the original HBNR stating that “[b]uried disclosures in lengthy privacy policies do not satisfy the standard of ‘meaningful choice,’” (74 FR 42967) but does not provide a safe harbor or other parameters for the method and format of appropriate consent. Although much of the proposed amendment is framed as an effort to “clarify” the HBNR’s longstanding intent, without additional guidance on what the FTC considers to be a compliant consumer authorization, a significant point of uncertainty will persist.
The FTC suggests that PHR vendors could avoid breaches by de-identifying health information before sharing it with a service provider; however, the FTC does not provide a definition of, or guidelines related to, de-identification.
The FTC proposes to amend the individual breach notification content requirements to include additional information about what the regulated entity can offer to protect affected individuals. The agency offers the example of informing impacted individuals about credit monitoring, identity restoration services and identity theft protection services. In practice, impacted individuals are always made aware of these services when they are offered, because they need to opt in to access them. However, these services may not be offered in circumstances where the breached data does not place affected individuals at risk of the identity theft, financial or other harm that these services are designed to protect against. In these situations, it is unclear what the regulated entity should include in the notice to comply with the proposed amendment, and whether the absence of such a disclosure in circumstances where these services are not offered would be considered a violation of the HBNR.
The proposed amendment may create reluctance on the part of PHR vendors and makers of connected healthcare devices to integrate with PHR related entities. For example, without a clear understanding of how a user can authorize data sharing between entities, connected devices and vendors may decline to share PHR identifiable health information with a PHR related entity at all.