The rule requires vendors and entities in the health care sector to notify the commission of any breach related to personally identifiable health data.
05/30/2023 3:20 P.M.
The Federal Trade Commission is seeking comment on proposed changes to the Health Breach Notification Rule (HBNR) that include clarifying the rule’s applicability to health apps and other similar technologies, according to a recent news release.
Health apps and other direct-to-consumer health devices, such as fitness trackers, have become widespread since the rule’s adoption. Because of changing business practices and advances in technology, more consumer health data is being collected, which increases the incentive for businesses to use or disclose that sensitive data for marketing and other purposes.
“We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information. When this information is breached, it is more vital than ever that mobile health app developers and others covered by the Health Breach Notification Rule provide consumers and the FTC with timely notice about what happened,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The proposed amendments to the rule will allow it to keep up with marketplace trends and respond to developments and changes in technology.”
The rule requires vendors of personal health records (PHR) and related entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data, according to the news release.
It also requires third-party service providers to vendors of PHRs and PHR-related entities to provide notification to such vendors and PHR-related entities following the discovery of a breach.
The FTC announced a proposed order earlier this month to resolve claims that the fertility app Premom had broken the HBNR. The FTC stated in February 2023 that it would take GoodRx Holdings Inc. to court as part of its first enforcement action under the HBNR. According to the FTC, GoodRx and Premom both broke the law by neglecting to alert customers to their improper disclosure of their personally identifiable health information to third parties.
Additionally, in 2020, the FTC requested feedback on whether modifications to the HBNR were necessary as part of a routine review of commission regulations. According to a policy statement released by the FTC in September 2021, health apps and connected devices that collect or use consumers’ health information must comply with the HBNR.
After reviewing the public comments and consistent with the policy statement, the FTC has proposed the following changes to the HBNR:
- “Revising several definitions to clarify the rule’s application to health apps and similar technologies not covered by HIPAA;
- Clarifying that a ‘breach of security’ under the rule includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;
- Revising the definition of ‘PHR related entity’ in two ways that pertain to the rule’s scope;
- Clarifying what it means for a personal health record to draw PHR identifiable health information from multiple sources;
- Authorizing the expanded use of email and other electronic means of providing clear and effective notice of a breach to consumers;
- Expanding the required content that should be provided in the notice to consumers; and
- Adding changes to improve the rule’s readability and promote compliance.”
The public will have 60 days after the notice is published in the Federal Register to submit comments on the proposed changes to the rule. Information on how to submit a comment can be found in the notice. Once processed, the comments will be posted to Regulations.gov.
Resources to Combat Health Care Cyber Threats
The Department of Health and Human Services’ (HHS) Cybersecurity Task Force has released new resources to help organizations in the health care and public health (HPH) sector defend against the growing number of cyberattacks directed at the industry and strengthen their cybersecurity posture.
The HHS Cybersecurity Task Force has published three different resources to combat these threats, including:
- An online educational platform that delivers free cybersecurity training that can be used by HPH organizations to raise the security awareness of the workforce;
- An updated edition of the Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients, which details the top cyber threats faced by the HPH sector; and
- A report on the current state of cybersecurity preparedness of hospitals, measured against the NIST Cybersecurity Framework.
ACA members working as business associates of health care providers should review these proposals so they are familiar with them when working with their consumer clients.
Additionally, ACA members can find articles and resources on HIPAA compliance, as well as on the Safeguards Rule and the commission’s oversight of it, in the Safeguards Rule Resource Center.