The Federal Trade Commission (“FTC”) has announced finalized changes to the Health Breach Notification Rule (“HBNR”). The changes to the rule attempt to modernize the HBNR and address novel issues presented by the increased popularity of apps and other health technologies such as fitness trackers and wearable blood pressure monitors. The FTC also cited its enforcement actions against GoodRX and Easy Healthcare, making clear its intent to broaden security breaches to unauthorized disclosures. Entities that access information that falls under the expanded definition of PHR identifiable health information should review their collection and disclosure policies, as well as any consumer-facing representations regarding such information, and confirm compliance with the updated HBNR.
Below, we have provided a high-level summary of the seven proposed substantive changes to the HBNR:
- Clarification of Covered Entities: The FTC has changed some definitions in the HBNR, including the definition of Personal Health Record (“PHR”) identifiable health information which now covers traditional health information, health information derived from consumers’ interactions with apps and other online services, and emergent health data (including information inferred from non-health related data points). The definition of “health care services or supplies” has also been modified to clarify that developers of health apps and similar technologies qualify as “health care providers,” such that any individually identifiable health information the products collect or use would be covered by the HBNR.
- Clarification of What It Means for A PHR to Draw Information From Multiple Sources: The FTC modified the definition of “personal health record” from “an electronic record of PHR identifiable health information that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual” to “an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” Per the FTC, this shift clarifies that a product is a personal health record if it can draw information from multiple sources, even if the consumer does not use all the product’s capabilities. For example, an app that accepts inputs of mental health states and has the technical capacity to sync with a wearable sleep monitor is a personal health record, even if the particular consumer does not sync a sleep monitor. Additionally, the change in definition clarifies that a product is a personal health record if it can draw any information from multiple sources, even if it only draws health information from one source.
- Clarification Regarding Types of Breaches Subject to the Rule: The definition of a “breach of security” has also been expanded to include unauthorized acquisitions that occur as a result of a data breach or an unauthorized disclosure. A company’s unauthorized selling or sharing of information to third parties that is inconsistent with the company’s representations to consumers would now be covered under the new HBNR. Further, the FTC’s rule “provides for a rebuttable presumption…[that] when there is unauthorized access to data, unauthorized acquisition will be presumed unless the entity that experienced the breach has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.”
- Clarification of What Constitutes a PHR Related Entity: The FTC revised the definition of a PHR related entity to: (a) include entities offering products and services through any online service, including mobile apps; (b) encompass only entities that access or send unsecured PHR identifiable health information to a personal health record; and (c) affirm that, while some third party service providers may access unsecured PHR identifiable health information in the course of providing services, that does not immediately render the service provider a PHR related entity. For example, a company providing security, cloud computing, advertising, and analytics services to a health app as specified by a service provider contract for the app vendor’s benefit would be classified as a third party service provider, not a PHR related entity.
Notably, the FTC draws a fine line around obligations for service providers and PHR related entities regarding notification. In one of the provided examples, the FTC states that when an analytics firm provides services for both a health app’s benefit and its own, the analytics firm is a service provider to the extent it provides services for the app’s benefit and a PHR related entity to the extent it offers services for its own benefit. However, if the functions “are indistinguishable,” the FTC will consider the firm a third party for policy reasons. Per the FTC, “a firm that functions…as a service provider may not be consumer-facing, such that the consumer may be surprised by a breach notification from that entity.” It is “better for the consumer to receive notice from the health app with whom the consumer directly interacts as a matter of policy.”
- Facilitating Greater Opportunity for Electronic Notice: In order to modernize notice methods, the FTC adopted an update to the notice requirement which allows email notification when the email is sent in combination with one or more of the following: text message, within-app messaging, or electronic banner. The email should be clear and conspicuous, and the FTC developed a model notice for entities to refer to in drafting their notices, as needed.
- Revisions to the Required Notice: The content of the breach notice must include: (a) the full name or identity (or where providing name or identity would pose a risk to individuals or the entity providing notice, a description) of the third parties that acquired the PHR identifiable health information as a result of a breach of security; (b) a description of types of unsecured PHR identifiable health information involved in a breach; (c) a description of what the entity is doing to protect affected individuals; and (d) two or more methods of contact including a toll-free telephone number, email address, website contact, within-app contact, or postal address.
- Timing of Notice to the FTC: The FTC revised the notice timing to require entities to notify the FTC no later than 60 calendar days after the discovery of a breach of security for breaches involving 500 or more individuals.