The Federal Trade Commission (“FTC”) plans to “strengthen and modernize” the Health Breach Notification Rule with renewed and stricter oversight of entities that maintain health information, including health apps, websites and other direct-to-consumer services.

The FTC recently announced a final rule that amends the Health Breach Notification Rule (“HBNR”) to explicitly extend it to health apps, websites, and other direct-to-consumer services that contain certain health information. The HBNR requires regulated entities to notify consumers, the FTC, and, in some cases, the media of a “breach” of unsecured personally identifiable health information (“IHI”) contained in a personal health record (“PHR”). The original HBNR went into effect in 2009 and was first enforced in 2023. With the new final rule, the FTC plans to “strengthen and modernize” the HBNR with renewed and more rigorous oversight of entities that hold health information. The final rule will go into effect on July 29, 2024.

Important updates include:

Regulated entities, technology and breaches

Regulated entities: The FTC has approved the application of the HBNR to certain “online service(s) such as a website, mobile application, or Internet-connected device(.)” As a result, health apps, fitness trackers, and similar direct-to-consumer services may fall fully within the scope of the HBNR. The HBNR still does not apply to entities covered by the Health Insurance Portability and Accountability Act (HIPAA).

Technology: The FTC expanded the scope of the data and sources considered a PHR, explaining that a PHR need only have the “technical capacity” to draw from multiple sources, even if it does not actually use them.

Breach: The FTC clarified that “breach” is not limited to cyberattacks and intrusions, but extends to “an entity’s intentional but unauthorized disclosure(.)” Therefore, an entity’s intentional sharing of such information, for example with ad vendors, could constitute a breach.

Breach notification

Timing flexibility: The final rule extended the notification deadline for breaches involving 500 or more individuals. Previously, entities had 10 business days to notify the FTC, but now may provide such notifications concurrently with notices to affected individuals, no later than 60 calendar days after discovery of the breach.

Contents of the notification: The FTC has expanded the information required in a breach notice to include, to the extent possible, the following:

  • The name or identity of any third party who obtained the protected information as a result of a breach;
  • Descriptions of the types of covered information affected by the breach; and
  • Descriptions of the regulated entity’s efforts to protect individuals.

The new HBNR and the FTC’s recent HBNR enforcement activities are another indication of the trend toward increased regulation of entities that maintain health information, a trend also evident in the many new state privacy laws now emerging. To reduce legal risk, health apps, websites, and direct-to-consumer services should consider the following:

  • Conducting data inventories to confirm what type of health information they contain;
  • Mapping disclosures to third parties to confirm compliance with internal policies and compliance with applicable laws, including the revised HBNR; and
  • Updating breach response protocols to align with revised reporting requirements.