The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

FTC Proposes Changes to Modernize the Health Breach Notification Rule

The Federal Trade Commission (FTC) has proposed changes to the Health Breach Notification Rule to strengthen the applicability of the Rule to health apps and other emerging direct-to-consumer technologies that collect, store, and transmit identifiable health data.

There has been an explosion of health apps and connected devices that collect health data, and those apps and devices are collecting vast amounts of health data. There are also incentives for companies that collect health data to disclose that information to third parties for advertising and other purposes. The Health Insurance Portability and Accountability Act (HIPAA) requires health data to be safeguarded, places restrictions on uses and disclosures of health data, and if a data breach occurs, the HIPAA Breach Notification Rule requires notifications to be issued. While health apps and connected devices may collect health data that would be classed as Protected Health Information under HIPAA if collected by a HIPAA-regulated entity, most health apps and connected devices are not covered under HIPAA.

The FTC Health Breach Notification Rule applies to vendors of personal health records (PHR) and related entities that are not covered by HIPAA and requires those companies to issue notifications to consumers, the FTC, and the media in the event of a breach of identifiable health data. When a data breach occurs at a third-party service provider to vendors of PHRs and PHR-related entities, the Health Breach Notification Rule requires the service provider to notify those vendors and PHR-related entities. The Health Breach Notification Rule has been in effect for a decade, but the FTC has only just started enforcing compliance. Since December 2022, the FTC has taken two enforcement actions against entities alleged to have violated the Health Breach Notification Rule – GoodRx and Easy Healthcare (Premom) – both of which were found to have failed to issue timely notifications about breaches of identifiable health data.

In September 2021, the FTC issued a policy statement confirming the Health Breach Notification Rule applies to health apps and connected devices that collect, use, or transmit consumer health information. The FTC has reviewed the comments received about the policy statement and has determined that the Health Breach Notification Rule needs to be modernized to clarify its applicability to health apps, connected devices, and other direct-to-consumer technologies.


The proposed updates include a change to the definition of “PHR identifiable health information,” and new definitions have been added for “health care provider” and “health care services or supplies.” The definition of “PHR related entity” has been revised to make it clear that only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities. The FTC has also clarified what it means for a personal health record to draw PHR identifiable health information from multiple sources. The proposed update makes it clear that a “breach of security” includes the unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or unauthorized disclosure.

The FTC has also authorized the expanded use of email and other electronic means as a way of providing clear and effective notice of a breach to consumers, and the required content of notifications has also been expanded. Notifications will need to include information about the potential harm that can be caused by the breach, and notifications must include the names of any third parties who might have acquired unsecured personally identifiable health information.

The comment period on the proposed changes is 60 days from the date of publication of the Notice of Proposed Rulemaking in the Federal Register.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.
