In one month’s time, on July 29, 2024, the Federal Trade Commission’s (“FTC”) revised Health Breach Notification Rule (“HBNR”) will take effect. The rule obliges regulated entities to disclose breaches of personally identifying health information to consumers, the FTC, and, in some cases, the press. The revisions establish that a broad range of entities operating in the consumer health and wellness space are covered by the rule, and that unauthorized disclosures of personally identifying health information, along with data breaches as traditionally conceived of, trigger the rule’s notification obligations. Violators risk substantial fines.
The Final Revised HBNR
The HBNR requires the “vendors” of “personal health records” along with entities—deemed “PHR related entities”—that provide products or services through the websites of such vendors or of certain Health Insurance Portability and Accountability Act (“HIPAA”)-regulated entities, or that otherwise access or send information to personal health records, to disclose breaches of unsecured health information stored in those records. The final HBNR contains a range of modifications to the prior version of the rule, including amendments that codify the agency’s new, expansive interpretation of the HBNR’s scope and that create novel requirements for the consumer notice that companies must provide if a breach occurs.
Of particular note, the final rule:
Creates an expansive definition of “personal health record.”
The original HBNR defined a “personal health record” as “an electronic record of PHR identifiable health information that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” The revised rule clarifies that a personal health record “can be drawn from multiple sources” whenever this record has the “technical capacity” to integrate information from multiple sources. Such technical capacity exists whenever a record is capable of deriving information from multiple sources, such as directly from a consumer as well as from a health tracker integration or from a consumer’s on-device calendar, even if a consumer elects to only pull information from one source in their use of the service.
Establishes that the rule applies to a wide range of online services and apps operating in the health, fitness, fertility and general wellness spaces.
The HBNR regulates entities that “maintain”—or that offer products or services through a website or app that maintains—“personal health records,” or that access or send “unsecured” identifiable health information in or to a “personal health record.” The revised rule clarifies that this scope encompasses records of identifying health information created or received by “any online service such as a website, mobile application, or internet connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.” This expansive conception of what constitutes a health-related service aligns with the agency’s stance in recent enforcement activity in the consumer health space, as well as with the definitions of “consumer health data” adopted by state health privacy laws, including Washington State’s ‘My Health, My Data’ Act (“MHMDA”). (For more on MHMDA, see Mike Hintze’s blog series on the Act.)
Defines “breach of security” broadly, creating a de facto opt-in consent requirement for unexpected or unnecessary transfers of health data.
The revised HBNR defines a “breach of security,” which triggers the rule’s notification obligations, to include cybersecurity incidents as well as disclosures of identifiable health information that consumers did not authorize, including disclosures made to third parties via pixels and other tracking technologies in the advertising context. In guidance published along with the revised rule, the Commission notes that opt-in consent (or “authorization”) is not required for disclosures of identifiable health information that are “necessary to provide a personal health record to a consumer, []consistent with consumer expectations, []disclosed to consumers, and []subject to protections like service provider agreements that limit the use of the data only for the purpose of providing that service to the consumer.” The Commission further notes that not requiring authorization for certain “necessary” transfers of personal health information is consistent with HIPAA, the MHMDA, and Nevada’s SB 370.
Expands the required content of the notice that entities must provide consumers following a breach, and modernizes requirements around notice delivery.
The revised rule requires that breach notices contain: (1) a description of the breach along with the “full name or identity” of any third party that acquired the consumer’s health information as a result of the breach; (2) a description of the health information involved in the breach; (3) a description of steps individuals can take to protect themselves from harms stemming from the breach; (4) a description of how the entity is investigating the breach, working to prevent future breaches, and attempting to mitigate harms stemming from the breach and to protect affected individuals; and (5) contact information for the notifying entity. The revised HBNR requires that entities that experience a breach provide this notice without “undue delay,” and in any case within 60 days. It grants companies flexibility about how they must provide such notice, including giving entities greater leeway to provide notice electronically than the prior version of the rule did. Companies that do not provide the required, and timely, notice are subject to inflation-adjusted civil penalties, currently set at up to $51,744 per violation.
Takeaways for HBNR Regulated Entities
Entities operating in the consumer health and wellness spaces that fall within the HBNR’s scope as a “vendor of personal health records” or a “PHR related entity” should expect the FTC to aggressively enforce the revised rule. Further, business associates that handle both HIPAA and non-HIPAA covered data for covered entities should be aware that a breach in this context could trigger obligations under both HIPAA and the HBNR. Along with maintaining strong cybersecurity practices, such entities should review any data being shared with third parties through cookies, pixels, or other third-party trackers hosted on their website, as well as relationships with third parties that involve personal data sharing, to ensure that they are not engaged in unexpected or unauthorized sharing of identifiable health information.
Felicity Slater is an Associate at Hintze Law PLLC. Felicity has experience with global data protection issues, including data breach notification laws, privacy impact assessments, GDPR, and privacy statements.
Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.