The final rule clarifies its applicability to health apps and other similar technologies not covered under HIPAA.
05/10/2024 11:40 P.M.
In a move to bolster consumer privacy in the digital health landscape, the Federal Trade Commission recently announced significant updates to the Health Breach Notification Rule (HBNR). These revisions aim to modernize the rule, ensuring its applicability to emerging technologies like health apps while expanding the scope of information that covered entities must disclose in the event of a data breach.
The HBNR, originally established to safeguard personal health records (PHRs) and related entities not governed by the Health Insurance Portability and Accountability Act (HIPAA), now extends its reach to encompass a broader array of health apps and connected devices.
“Protecting consumers’ sensitive health data is a high priority for the FTC,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “With the increasing use of health apps and connected devices, the updated HBNR will ensure it keeps pace with changes in the health marketplace.”
Following a period of public feedback initiated in May 2023, the FTC finalized changes to the HBNR, addressing key areas:
- Revised Definitions: The updated rule clarifies the applicability of the HBNR to health apps and similar technologies, introducing new definitions such as “covered health care provider” and “health care services or supplies.”
- Clarification of Breach of Security: It defines a “breach of security” to include unauthorized acquisitions of identifiable health information resulting from data security breaches or disclosures.
- Expansion of Notification Requirements: Covered entities are now required to notify the FTC alongside affected individuals, particularly in breaches involving 500 or more individuals. This notification must occur within 60 calendar days of discovering a breach.
- Enhanced Consumer Notice Content: The rule mandates expanded content in breach notifications, including identifying third parties acquiring unsecured PHR identifiable health information.
- Utilization of Electronic Notification: The updated rule permits the expanded use of electronic means, such as email, for providing breach notifications to consumers.
- Improved Readability: Changes have been made to enhance the rule’s clarity and readability, facilitating compliance among covered entities.
Alongside the rule updates, the FTC has taken enforcement action against companies violating the HBNR, including recent actions against GoodRx and Easy Healthcare.
The commission’s decision to finalize the rule was not without dissent, with Commissioners Melissa Holyoak and Andrew N. Ferguson voting against its publication. However, Chair Lina M. Khan, along with Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya, issued a statement in support of the revisions, emphasizing their importance in protecting consumer interests.
The finalized rule is set to take effect 60 days after its publication in the Federal Register.