FTC Completes Updates to Health Breach Notification Rule for Health Apps

The Federal Trade Commission announced it has finalized changes to the Health Breach Notification Rule (HBNR) that will strengthen and modernize the rule by clarifying its applicability to health apps and other similar technologies and expanding the information that covered entities must provide to consumers when notifying them of a breach of their health data.

‍

Modifications to the regulation

1. Updating Definitions: The Commission has updated several definitions to emphasize the applicability of the final rule to health apps and similar technologies not governed by HIPAA. This includes altering the definition of “PHR identifiable health information” and introducing new definitions for “covered health care provider” and “health care services or supplies.”
2. Specifying Security Breaches: The rule now specifies that a "breach of security" encompasses unauthorized access to identifiable health information, whether through a data security incident or unauthorized disclosure.
3. Amending the Definition of PHR Related Entity: The definition of “PHR related entity” has been refined in two significant ways relevant to the rule’s scope. It now specifies that the rule applies to entities that provide products and services via the online services of personal health record vendors, including mobile apps. It also restricts the definition to entities that access or transmit unsecured PHR identifiable health information to a personal health record.
4. Clarifying Information from Multiple Sources: The rule clarifies the criteria for a personal health record to incorporate PHR identifiable health information from various sources.
5. Enhancing Electronic Notifications: The final rule permits broader use of email and other electronic methods for sending clear and effective breach notifications to consumers.
6. Broadening Notice Requirements: The content required in consumer notifications has been expanded. Notices must now include either the name or a description of any third parties who obtained unsecured PHR identifiable health information due to a security breach, especially when revealing the full name poses a risk.
7. Adjusting Notification Timelines: The final rule changes the timing for notifying the FTC about breaches impacting 500 or more individuals. Covered entities must now notify the FTC concurrently with affected individuals, doing so promptly and no later than 60 calendar days after identifying a breach.
8. Improving Clarity and Compliance: The final rule also includes modifications to enhance clarity and facilitate compliance.

The rule takes effect 60 days after its announcement in the Federal Register.

‍

Click to read more