On April 26, 2024, the Federal Trade Commission (FTC) issued a final rule to amend its Health Breach Notification Rule (HBN Rule). The HBN Rule works as a complement and counterpart to the breach notification requirements established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for HIPAA-regulated entities. Specifically, the HBN Rule requires that vendors of personal health records (PHRs) and related entities that are not covered by HIPAA notify individuals, the FTC and, in some cases, media outlets of a breach of unsecured personally identifiable health data.

The final rule aims to clarify the HBN Rule’s application to certain direct-to-consumer health apps and similar technologies that are not regulated by HIPAA and attempts to modernize the regulation to remain current in the face of evolving business practices and technological developments. The HBN Rule also includes requirements for third-party service providers supporting direct-to-consumer apps, which may include data aggregators, cloud computing service providers and more.

The FTC initially proposed amendments on May 18, 2023, and published the final HBN Rule in April 2024 after considering public comments to the proposed rule. The amendments are effective 60 days after the date of its publication in the Federal Register. At the time of publishing this article, the final rule has yet to be published in the Federal Register.

For more information about the proposed amendment issued under the HBN Rule, see our prior On the Subject.

IN DEPTH

BACKGROUND

The American Recovery and Reinvestment Act of 2009 (ARRA) directed the FTC to develop a breach notification rule for consumer-facing entities that are not HIPAA “covered entities” or “business associates.” ARRA specifically granted rulemaking authority to the FTC to require vendors of PHRs and “PHR related entities” to notify consumers in the event of an information security breach. In response, the FTC issued its first version of the HBN Rule later in 2009 (74 Fed. Reg. 42962), which required PHRs and PHR related entities to notify impacted consumers, the FTC and, in some cases, media of a breach of unsecured personally identifiable health information.

In 2009, when the HBN Rule was originally published, its reach was limited. At that time, relatively few entities existed in the market that offered a PHR service. However, in promulgating this rule, the FTC recognized that despite relatively few actors, there were wide swaths of health information that were not covered by HIPAA and still susceptible to breaches that could harm consumers.

In fall 2021, the FTC signaled its intention to interpret its authority more expansively to broaden the reach of the HBN Rule. It approved a policy statement entitled On Breaches by Health Apps and Other Connected Devices to “clarify the scope of” the HBN Rule principally by reinterpreting the definition of a PHR such that the rule applies to health apps and connected devices that are not subject to HIPAA but are capable of drawing information from multiple sources even if the health information only comes from one source. For example, health information that a consumer directly inputs into an app (e.g., blood sugar levels) and non-health data drawn from another source (e.g., dates from a user’s phone calendar). The policy statement effectively reclassified most healthcare apps that were not already regulated by HIPAA to be within the FTC’s jurisdiction. We describe the 2021 HBN Rule policy statement in depth in a prior publication.

The FTC exercised its enforcement under the HBN Rule, as interpreted by the 2021 guidance, for the first time in settlements last year against GoodRx, a digital health company focusing on prescription purchases, and Easy Healthcare Corporation, the publisher of the fertility tracking app Premom. The FTC has leaned on these settlements and associated allegations and disciplinary approach to resolve any questions about the FTC’s perception of its role in consumer privacy in the healthcare space.

On May 18, 2023, days after the proposed settlement with Easy Healthcare Corporation was announced, the FTC issued a notice of proposed rulemaking (NPRM) to amend the HBN Rule to “clarify” its applicability to health apps and other similar technologies and expand the information that must be provided to consumers when notifying them of a breach of their health data.

On April 26, 2024, the FTC issued a final rule that largely adopted the changes it proposed in the NPRM.

CLARIFICATION ON SCOPE AND APPLICABILITY OF THE HBN RULE

Applicability to Health Applications

The FTC explains that its modifications to the HBN Rule are motivated by a desire to harmonize the applicability of the HBN Rule with innovations in healthcare delivery and evolving privacy considerations. The FTC modifies the HBN Rule definition of “PHR identifiable health information” to clearly apply to developers of health applications and similar technologies and adds two new definitions for “covered health care provider” and “health care services or supplies.”

In its final rule, the FTC declined to explicitly broaden the categories of data captured in the definition of “PHR identifiable health information,” recognizing that its application is already broad, capturing all information characterized as maintaining “unique, persistent identifiers (such as unique device and mobile advertising identifiers), when combined with health information . . . if the identifiers can be used to identify or re-identify an individual.” For example, the FTC indicates this definition captures information about sexual health and substance use disorders because the information “relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”

To highlight the interplay of definitions in the HBN Rule, the FTC provides a few examples of health applications and similar technologies that would and would not be subject to the HBN Rule:

1. Health apps or websites that are purely informational and do not track or record consumer information are not subject to the HBN Rule. A health advice application or website that is not covered by HIPAA would not be subject to the HBN Rule if its function is purely informational (e.g., provides information regarding various medical conditions), and it does not maintain a mechanism for consumers to track or record their information. In this example, a health advice application or website would not be a PHR because it is not an electronic record of PHR identifiable health information of any consumer.
2. Health apps or websites that provide medical information and maintain an interface for consumers to track their symptoms where the consumer is the only source of information are not subject to the HBN Rule. A health advice application or website that is not covered by HIPAA would not be subject to the HBN Rule if it does not have the technical capacity to draw information from multiple sources. A health app or website that provides information on medical conditions and a symptom tracker for consumers who log in with a username and password would be considered an electronic record of PHR identifiable health information on an individual because the information (1) is provided by the consumer, (2) is associated with the individual’s account information, (3) relates to their health conditions and (4) is received by a healthcare provider (in this case the health app or website). However, if the health app or website does not have the capability to pull information from multiple sources, it is not a PHR and, thus, not subject to the HBN Rule. Importantly, the classification does not depend on whether the health application is actually pulling from multiple sources rather whether it has the technical capacity, as discussed in more depth below.
3. Health apps or websites that provide medical information and maintain an interface for consumers to track their symptoms and collect geolocation data or draw information from a data broker are subject to the HBN Rule. In contrast to the previous example, a health app or website that has the capacity to draw information from multiple sources, such as collecting geolocation data through the application programming interface (API) and consumer inputs or from a data broker and consumer inputs, is considered a PHR and subject to the HBN Rule.

Further, commenters raised concerns with the definitions of “covered health care provider” and “health care services or supplies” using the term “online services,” noting that this definition could impermissibly cause the HBN Rule to cover retailers of general purpose items (e.g., sellers of tennis shoes, shampoos and vitamins). In response, the FTC indicated that a threshold inquiry under ARRA is whether an entity is a “vendor of personal health records” and notes that “to be a vendor of personal health records under the Rule, an app, website, or online service must provide an offering that relates more than tangentially to health.”

Multiple Source Rule

The FTC adopts the changes made in the NPRM to clarify what it means for a PHR to draw information from “multiple” sources and defines that a product is a PHR if it has the technical capacity to draw information from multiple sources (e.g., through an API), even if the consumer or entity elects not to connect the product to more than one source. To address stakeholder concern of the breadth of the multiple sources test, the FTC notes that the HBN Rule still requires drawing PHR identifiable health information from at least one source to count as a PHR.

In the final rule preamble commentary, the FTC indicates that a product feature or integration that exists and has the capability to draw PHR identifiable health information is considered a “source,” even if the feature is in beta testing, is not yet in its final form or is only available to a subset of users. As a reminder of a key limiting principle on HBN Rule liability, the FTC underscores that a website or health app must be “managed, shared, and controlled by or primarily for the individual” to constitute a PHR and that simply drawing information on a consumer in and of itself does not pull the entity under the scope of the HBN Rule.

Expanded Scope for “Breach of Security”

The FTC enshrines its position taken in the GoodRx and Premom settlements that a “breach of security” under the HBN Rule includes an unauthorized acquisition of identifiable health information that occurs because of a data security breach or unauthorized disclosure to a third party. In other words, a breach is not limited to third-party hacking or an intrusion into a health app’s systems but occurs when a health app discloses PHR identifiable health information without the user’s authorization. The FTC has taken a strong position that security breaches are not limited to cybersecurity intrusions or nefarious behavior and could also arise when PHR identifiable health information is used in ways that are inconsistent with a company’s disclosures and consumers’ reasonable expectations. The HBN Rule provides examples of events that could trigger notification requirements, including failing to disclose how a company accesses, uses, processes, discloses or retains data. The determination of whether a disclosure is authorized under the HBN Rule will be a fact-specific inquiry that depends on the context of the interactions between the consumer and the company; the nature, recipients, and purposes of those disclosures; the company’s representations to consumers; and other applicable laws.

The HBN Rule continues to include the rebuttable presumption for unauthorized access to an individual’s data from the 2009 HBN Rule, which permits entities to rebut the presumption of acquisition in instances of unauthorized access by providing “reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.” In commentary to the original HBN Rule, the FTC noted that no breach of security has occurred if an unauthorized employee inadvertently accesses an individual’s PHR and logs off without reading, using or disclosing anything. “If the unauthorized employee read the data and/or shared it, however, he or she ‘acquired’ the information, thus triggering the notification obligation in the Rule.” Accordingly, the circumstances under which an entity may rebut the presumption of a breach of security under the HBN Rule are narrower than under HIPAA’s “low probability of compromise” assessment.

In response to commenter concerns, the FTC reiterates that the HBN Rule is only triggered by breaches of unsecured PHR identifiable health information and does not apply to information that is “secured” or protected. This clarification indicates that stakeholders should consider using de-identified data or employ encryption methods when engaging in product testing to protect its consumers’ data and avoid liability under the HBN Rule.

PHR Related Entity

The final rule adopts the proposed revised definition of PHR related entities to clarify certain PHR vendors’ notification obligations under the HBN Rule. Specifically, the revised definition contemplates whether vendors providing services for PHRs are considered PHR related entities (and therefore subject to broader obligations under the HBN Rule) or “third party service providers.” The adopted definition of PHR related entities was revised to (1) more clearly include vendors of PHRs that offer products and services solely through online services or mobile applications, (2) limit the definition of PHR related entities to only include those that send or receive identifiable health information, as opposed to any information, and (3) indicate that not all third-party service providers who access PHR identifiable health information are necessarily a PHR related entity. Additionally, the FTC reiterates that under the existing rule, PHR related entities and other PHR vendors are required to alert their vendors of their status as a PHR related entity or vendor of PHRs to put third-party vendors on notice of the potential implications under the HBN Rule.

In the preamble commentary, the FTC provides examples to aid in the differentiation between a PHR related entity and a third-party service provider. One of these examples compares the use of a search engine by a health tracking website that would qualify as PHR. In this example, the FTC draws a distinction between a search engine whose logo is prominently displayed to the consumer and providing services for its own benefit against a search engine that runs services on the back end. The consumer facing entity would be considered a PHR related entity because it “offers its services through the website, which is a personal health record.” This situation is contrasted to a search engine firm that provides back-end services, stating that since a consumer may not be aware that the search bar is offered through a separate service and receiving a notice from the search engine may cause consumer confusion, this back-end search provider is not a PHR related entity even though it received identifiable information from the PHR.

Modernize Method of Notice

Recognizing that mailing notices can incur high costs to an entity and that physical mailing is generally inconsistent with the communication method for users of health apps, the FTC has adopted the use of electronic mail as a notice method in certain circumstances for a PHR to meet its obligations under the HBN Rule. Importantly, the FTC has defined electronic mail to be email in combination with a text message, in-app message or electronic banner. The dual method electronic mail notice requirement was met with substantial stakeholder commentary, however, the FTC denied changing the requirements for electronic mail noting that two methods of communication to an individual will help ensure that the individual receives the notice.

Under the final rule, electronic mail can be used to satisfy the individual notice requirement only when the individual has designated electronic mail as their preferred method of communication. Additionally, electronic mail notice must be “clear and conspicuous,” which is newly defined to mean that a “notice is reasonably understandable and designed to call attention to the nature and significance of the information.” The FTC points out that this term closely mirrors the existing definition of clear and conspicuous in the FTC’s Financial Privacy Rule to improve consistency across various privacy rules. The FTC did not proscribe details on how the notification is presented to the individual, remaining rather flexible to account for changing technologies. If the methods required under electronic mail notice are not available or the individual has not chosen electronic mail as their preferred contact method, first-class mail can be used to satisfy written notice requirements.

Expand Content of Notice

Initially, the FTC proposed several updates to expand the content of individual notices, however, it reigned in these changes in the final rule to address stakeholder commentary. The proposed changes to the content of the notice included adding (1) a brief description of the potential harm to the individual that may result from the breach, (2) the full name, website name, and contact information of third parties that acquired unsecured identifiable information, (3) a description of the types of information involved, (4) a brief description of what the entity experienced, mitigation steps, and credit protection services being offered, and (5) at least two methods of contact information.

In the final rule, the FTC decided against requiring a brief description of the potential harm to the individual, agreeing with commentary that this could cause confusion to individuals. The final rule also amends its proposed requirement that PHRs provide details about the third party that received access to the data and, instead, only requires the full name or identity of the third party. This also creates an exception to including the identifying information of the third party if it would create a risk for individuals or the entity (e.g., where disclosing the identity of a hacker or hacking group could subject affected individuals or the entity providing notice to further harm). In these cases, the disclosure only needs to include the type of third party (e.g., “hacker”) who acquired individual’s PHR identifiable health information. The remaining proposals to the content of the notice were adopted without modification.

Additional Considerations

The final rule incorporated comments on improving readability in part by creating a new section for penalties. This section more clearly indicates that the violations of the HBN Rule are considered violations of Section 18 of the FTC Act, and incur the civil penalties associated with those violations.

The FTC also requested comments in the NPRM related to the timing requirements related to notice to the FTC, the HBN Rule currently requires notice to the FTC within 10 business days of the discovery of the breach. In response largely to comments that it is difficult to submit a thorough and complete notice to the FTC in such a short time period, the final rule now extends the timeline for notification to the FTC affecting 500 or more individuals to be contemporaneous with individual notification ― i.e., without unreasonable delay and in no case later than 60 days after discovery. Similar to HIPAA, breaches affecting less than 500 individuals can be submitted annually to the FTC.

NEXT STEPS

• Organizations that operate or maintain applications or websites in the wellness or health market and developers that create health related apps or websites, should assess whether they are subject to the HBN Rule based on the expanded definitions adopted in the final rule.
• Stakeholders should be mindful that the “multiple sources” rule in the HBN Rule does not require that a health application or website actively use or pull multiple sources of user information (i.e., other data besides the data provided by the consumer), but instead, solely requires that the health application or website have the technical capacity to pull such other sources of information.
• Stakeholders should prioritize use of secured data over unsecured data in product testing to avoid and limit their liability under the HBN Rule. For instance, stakeholders should use de-identified or encrypted data in product testing and avoid using sources of unsecure PHR identifiable health information to the extent possible.
• The final rule adopts definitions from the NPRM that more clearly provide guidance on what types of entities are considered PHR related entities, subject to certain reporting requirements, and which are third-party service providers. It is important for PHRs and PHR related entities to understand the distinction between these two types of vendors. To help with this categorization, stakeholders should review the examples provided by the FTC. The examples indicate the type of criteria and situations where the FTC would distinguish between a third-party service provider and PHR related entity. From the examples, the FTC would consider, among other things, the consumer perception of the role the vendor has in the PHR functionality, access to identifiable health information, and whether services are provided for the vendor’s purpose or the PHR’s.
• Organizations working with PHR vendors should confirm that PHR vendors can satisfy reporting obligations under the HBN Rule. PHR related entities and other PHR vendors should assess their methods of notifying vendors of their status as a PHR related entity or PHR vendor to put third-party vendors on notice of the potential implications under the HBN Rule.
• Stakeholders should consider the new ability to give notice to individuals electronically when planning their information security program. This new flexibility to provide notice can offer financial and logistical savings for the organization. However, before relying on the electronic mail notice option, the organization must give individuals the opportunity to select a preference on method of communication and must take into account that electronic mail notice requires e-mail in addition to another type of notification.