FTC to update Health Breach Notification Rule for apps, connected devices
On May 18, 2023, the Federal Trade Commission (FTC or Commission) declared its intention to hold companies more accountable for their collection and use of consumers’ health information. In an open Commission meeting, FTC Chair Lina Khan, Commissioner Rebecca Slaughter, and Commissioner Alvaro Bedoya voted unanimously to update the FTC’s Health Breach Notification Rule (HBNR) to cover more vendors of personal health records that access or send unsecured personal health record data.
The proposed rule (Proposed Rule) to amend the HBNR further advances the FTC’s aggressive enforcement priorities around sensitive personal information. Additionally, it would expand considerably the breach notification obligations for personal health record vendors and certain other non-HIPAA covered entities under the Health Information Technology for Economic and Clinical Health Act (HITECH).
Moreover, the Proposed Rule confirms the Commission’s intention to interpret “breach” not just as a nefarious intrusion, but as any unauthorized disclosure of individually identifiable health information by non-HIPAA covered entities, such as providers of apps, wearables, and other technologies for health advice, information, and tracking.
The FTC’s HBNR applies to vendors of personal health records (PHR) and related entities not covered by HIPAA. It requires those entities to issue notifications to consumers, the Commission, and the media in the event of a breach of identifiable health data. In addition, if a service provider to one of those vendors has a breach, it must notify the vendor, which in turn must notify customers.
Although the HBNR has been in effect since 2009, the FTC has only recently begun to enforce compliance. Since December 2022, the Commission has brought two enforcement actions against entities alleged to have violated the HBNR by sharing their users’ personal health data with third parties without authorization or consent.
Previously, in September 2021, the Commission voted 3-2 along party lines to adopt a Policy Statement asserting that the HBNR applies to health apps and connected devices that collect, use, or transmit consumer health information. Dissenting statements from then-Commissioners Noah Phillips and Christine Wilson argued that the Policy Statement improperly expanded the FTC’s statutory authority and did so unilaterally, rather than in concert with other agencies with relevant jurisdiction.
Under the Policy Statement, all applications consumers use to store and process data about anything related to health – for example, consumers’ steps or the food they eat – are “health care providers.” So too would be retailers that sell health care supplies, like Neosporin and vitamins. That broad definition is not the one used by the Department of Health and Human Services and the Social Security Administration (those agencies focus on traditional health care providers, like doctors, nursing homes, and pharmacies). It also goes far beyond the discussion both in Congress and at the Commission at the time the law was written and the HBNR was drafted.
The Proposed Rule now seeks to amend the HBNR by incorporating many aspects of the 2021 Policy Statement.
The Proposed Rule would have four significant implications for developers of non-HIPAA covered health applications and connected devices.
1. Definitions of “health care provider” and “health care services or supplies”
First, the Proposed Rule would amend the HBNR to cover virtually all health and wellness apps and connected health devices not subject to HIPAA – even though HITECH refers only to PHR vendors, certain PHR-related entities, and their third-party service providers. The FTC would pull in a broader swath of entities through the addition of two terms: “health care provider” and “health care services or supplies,” both of which factor into the definition of “PHR identifiable health information.”
Under the HBNR, a vendor of PHRs is an entity other than a HIPAA covered entity or business associate that offers or maintains a PHR. A PHR is defined to include certain electronic records of PHR identifiable health information. PHR identifiable health information is defined under HITECH by reference to HIPAA’s definition of individually identifiable health information, which includes certain health records created or received by a “health care provider.” HIPAA defines a “health care provider” as a provider of services (as defined in section 1395x(u) of this title), a provider of medical or other health services (as defined in section 1395x(s) of this title), and any other person furnishing “health care services or supplies.”
In contrast to the definition of “health care” developed under HIPAA – which is limited to care, services, and supplies related to (a) physical or mental conditions, or functional status, of an individual or that affects the structure or function of the body, and (b) prescription drugs and devices – the Proposed Rule’s definition is far more expansive.
The Proposed Rule would define the term “health care services or supplies” to include any online service (such as a website, mobile application, or internet-connected device) that provides health-related services or tools such as mechanisms to track:
- Health conditions
- Diagnoses or diagnostic testing
- Vital signs
- Bodily functions
- Sexual health
- Mental health
- Genetic information or
2. Revised definition of “breach of security”
Second, a reportable “breach of security” under the Proposed Rule would no longer be limited to data breaches but instead include any disclosure of unsecured PHR identifiable health information not authorized by a consumer. This amendment would effectively require PHR vendors and PHR-related entities to obtain consumer consent for every disclosure of identifiable health information.
3. Additional notification options
Third, to align the methods for breach notifications with the methods often used by health apps to communicate with customers, the Proposed Rule would permit notification to impacted consumers (with their consent) by text message, in-app messaging, or electronic banner within the application. The Proposed Rule would require that such electronic notice be provided in a clear and conspicuous manner.
4. Changes to content requirements for individual notifications
Finally, the Proposed Rule’s breach notification provisions would require covered entities to detail how consumers could be harmed by the breach. Currently, the HBNR requires the notice to include (to the extent possible) the following:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known
- A description of the types of unsecured PHR identifiable health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code)
- Steps individuals should take to protect themselves from potential harm resulting from the breach
- A brief description of what the entity that suffered the breach is doing to investigate the breach, to mitigate harm, and to protect against any further breaches, and
- Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, email address, website, or postal address.
The Proposed Rule would require the following additional items to be included in the notice:
- A brief description of the potential harm that may result from the breach, such as medical or other identity theft,
- The full name, website, and contact information (such as a public email address or phone number) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security, if this information is known, and
- A brief description of what the entity that experienced the breach is doing to protect affected individuals, such as offering credit monitoring or other services.
In view of the FTC’s recent HBNR enforcement actions and the Proposed Rule, developers of health and wellness applications and connected devices should closely assess whether their operations comply with the HBNR, particularly with respect to any use of trackers for advertising purposes. In addition, these organizations should consider the following:
- Covered entities. Companies that collect and use consumer health information should review the Proposed Rule to assess whether they would be subject to the FTC’s expanded interpretation of HITECH’s breach of security provisions and the potential impact on their operations that depend on processing of health information.
- Public feedback. Companies that could be impacted by the Proposed Rule will have 60 days to submit comments following its publication in the Federal Register.
- Impact on standing in breach class actions. The Proposed Rule’s breach notification provisions would require covered entities to detail how consumers could be harmed by the breach. This change could potentially complicate the ability of such entities to argue against standing in breach class actions.
For more information about these developments, please contact your DLA Piper relationship partner, the authors of this alert, or any member of our Data Protection, Privacy and Cybersecurity or Healthcare practices.
Notes
See Dissenting Statement of Commissioner Christine S. Wilson, Policy Statement on Breaches by Health Apps and Other Connected Devices, September 15, 2021.
See Dissenting Statement of Commissioner Noah Joshua Phillips, Policy Statement on Breaches by Health Apps and Other Connected Devices, September 15, 2021.
16 C.F.R. § 318.6.
The FTC offered the following rationale for its proposal: “[t]he Commission proposes adding this provision so that individuals better understand the nexus between the information breached and the potential harms that could result from the breach of such information. In some cases, it is unclear to individuals what harms may flow from the breach of their information …”