
FTC enhances data protections with updated Breach Notification Rule


The Federal Trade Commission (FTC) recently finalized significant updates to the Health Breach Notification Rule, which extends the rule's coverage to include health apps and similar technologies not previously covered by HIPAA. 


What happened 

On April 26, 2024, the Federal Trade Commission (FTC) updated the Health Breach Notification Rule to include revised definitions and protocols that extend its coverage to health apps and other technologies not covered by HIPAA. This rule now requires vendors of personal health records and related entities to notify affected individuals, the FTC, and sometimes the media about any breach of unsecured personally identifiable health data. 

The updated rule, approved by a narrow 3-2 vote, also specifies new requirements for the content and methods of breach notifications, including the use of electronic communication like email. This action is based on feedback from approximately 120 comments received after a Notice of Proposed Rulemaking issued in May 2023.


Going deeper

  1. Revised definitions: The rule has expanded and clarified definitions to cover a broader spectrum of digital health technologies. This includes defining terms such as “PHR identifiable health information,” “covered health care provider,” and “health care services or supplies.” 
  2. Clarification of breach of security: The rule now specifies that a “breach of security” means any unauthorized acquisition of identifiable health information that occurs either as a result of a data security breach or an unauthorized disclosure. 
  3. Expanded scope of PHR-related entity: The rule revises the definition of “PHR-related entity” to include entities that offer products or services through online services, such as mobile applications, of vendors of personal health records. It clarifies that only entities that access or transmit unsecured PHR identifiable health information qualify as PHR-related entities.
  4. Enhanced notification methods: The update permits the use of email and other electronic means to notify consumers of a breach, expanding beyond previous methods to adapt to current communication trends and improve the efficiency of breach notifications.
  5. Expanded content of consumer notices: The rule now requires that notifications to consumers include more detailed information. Specifically, it should include the identity (or description, if full identity disclosure poses risks) of any third parties who acquired unsecured PHR identifiable health information as a result of the breach.
  6. Timing of notifications: There is a specific requirement for the timing of notifications to both the FTC and affected individuals. For breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they notify affected individuals, without unreasonable delay and in no case later than 60 calendar days after discovering the breach.

See also: HIPAA and the FTC Act 


What was said 

“Protecting consumers’ sensitive health data is a high priority for the FTC,” stated Sam Levine, the Director of the FTC Bureau of Consumer Protection. “With the increasing use of health apps and connected devices, the updated HBNR will ensure it keeps pace with changes in the health marketplace.”

See also: HIPAA Compliant Email: The Definitive Guide


What’s next 

The next steps involve the implementation phase for affected organizations. Starting 60 days after its publication in the Federal Register, healthcare providers, vendors of personal health records, and related entities, particularly those involved with health apps and other technologies not covered by HIPAA, must comply with the new provisions. 

These organizations must adjust their data security and breach notification protocols to meet the revised definitions, expanded scope, and enhanced notification requirements. They must make sure that their systems can effectively notify consumers and the FTC in the event of a data breach, within the specified time frames, using approved methods. 

See also: Top 12 HIPAA compliant email services


FAQs

What is the FTC?

The FTC, or Federal Trade Commission, is a U.S. federal agency tasked with enforcing antitrust law and protecting consumers from deceptive and unfair business practices.


What is the purpose of HIPAA?

The purpose of HIPAA, the Health Insurance Portability and Accountability Act, is to protect the privacy and security of individuals' medical information and ensure the confidentiality of patient health data.


What is a data breach?

A data breach is an incident where confidential, sensitive, or protected information is accessed, disclosed, or used without authorization.