“Enhancing the Protection of Personal Health Data: FTC’s Objective”

The US Federal Trade Commission (FTC) has proposed changes to the Health Breach Notification Rule (HBNR) and is inviting public comment. The proposed changes aim to provide clarity on how the rule applies to health apps and similar technologies. The HBNR requires personal health record (PHR) vendors to notify individuals, the FTC, and sometimes the media of breaches of unsecured personally identifiable health data. The proposed changes come at a time when business practices and technological developments are increasing the amount of health data collected from businesses. FTC Consumer Protection Director Samuel Levine has noted that many health apps and connected devices are exempt from HIPAA but are collecting vast amounts of highly sensitive consumer health information. Mr. Levine emphasized the importance of timely notification to consumers and the FTC if this information is compromised.

The proposed changes include clarifying definitions related to health apps and similar technologies. These definitions include “PHR identifiable health information,” “healthcare provider,” and “healthcare service or supplies.” The changes also aim to expand the mandatory content that must be provided to consumers, including information about potential harm resulting from the breach and the names of third parties who may have obtained unsecured personally identifiable health information. The changes would also revise the definition of PHR-related entity as it relates to the scope of the rule.

The public has 60 days to submit comments on the proposed rule change. The FTC has included instructions on how to submit comments in the notification, which will be posted to Regulations.gov once processed. The proposed changes to the HBNR come after the enforcement action against GoodRx Holdings Inc. and Premom for HBNR violations. The proposed changes aim to improve the readability of the rules and promote compliance. Overall, the FTC seeks to ensure that individuals and entities are aware of their obligations under the HBNR and take appropriate action when breaches occur.
