The Federal Trade Commission announced it has finalized changes to the Health Breach Notification Rule (HBNR) that will strengthen and modernize the rule by clarifying its applicability to health apps and other similar technologies and expanding the information that covered entities must provide to consumers when notifying them of a breach of their health data.

Modifications to the regulation

  1. Updating Definitions: The Commission has updated several definitions to emphasize the applicability of the final rule to health apps and similar technologies not governed by HIPAA. This includes altering the definition of “PHR identifiable health information” and introducing new definitions for “covered health care provider” and “health care services or supplies.”
  2. Specifying Security Breaches: The rule now specifies that a "breach of security" encompasses unauthorized access to identifiable health information, whether through a data security incident or unauthorized disclosure.
  3. Amending the Definition of PHR Related Entity: The definition of “PHR related entity” has been refined in two significant ways relevant to the rule’s scope. It now specifies that the rule applies to entities that provide products and services via the online services of personal health record vendors, including mobile apps. It also restricts the definition to entities that access or transmit unsecured PHR identifiable health information to a personal health record.
  4. Clarifying Information from Multiple Sources: The rule clarifies the criteria for a personal health record to incorporate PHR identifiable health information from various sources.
  5. Enhancing Electronic Notifications: The final rule permits broader use of email and other electronic methods for sending clear and effective breach notifications to consumers.
  6. Broadening Notice Requirements: The content required in consumer notifications has been expanded. Notices must now include either the name or a description of any third parties who obtained unsecured PHR identifiable health information due to a security breach, especially when revealing the full name poses a risk.
  7. Adjusting Notification Timelines: The final rule changes the timing for notifying the FTC about breaches impacting 500 or more individuals. Covered entities must now notify the FTC concurrently with affected individuals, doing so promptly and no later than 60 calendar days after identifying a breach.
  8. Improving Clarity and Compliance: The final rule also includes modifications to enhance clarity and facilitate compliance.

The rule takes effect 60 days after its announcement in the Federal Register.

Click to read more

Seamus Larroque

CDPO / CPIM / ISO 27005 Certified


Discover our latest articles

View All Blog Posts
April 23, 2024
No items found.

iliomad is deligthed to have supported the ICM - Institut du Cancer de Montpellier in their CNIL's authorization process

We are delighted to share that the ICM - Institut du Cancer de Montpellier was authorized by the French Data Protection Authority (CNIL) to conduct APAD-ECO study. The CNIL granted authorization to conduct a medico-economic study on the effects of physical activity in women treated for breast cancer on April, 19th. This groundbreaking study involves combining data from two clinical trials with that of the Caisse nationale de l’Assurance Maladie, covering the period from 2009 to 2022. The study aims to assess the long-term impacts of physical activity in patients who have undergone treatment for breast cancer. We are proud to have contributed to this project by providing the ICM - Institut du Cancer de Montpellier with a compliant Data Protection Impact Assessment (DPIA), a crucial step in obtaining CNIL approval.