The FTC recently announced that it had finalized the changes to the Health Breach Notification Rule (HBNR). This comes roughly one year after the proposed changes were first released and three years after the Agency's initial "position statement" on the rule sparked controversy. The final changes clarify that the rule's scope extends to health apps and expand what must be told to consumers when notifying them of a breach. The updated rule goes into effect June 25, 2024.
Though enacted in 2009, the HBNR had not been enforced (or really even discussed) until 2021. The Rule as originally drafted was intended to apply narrowly, requiring vendors of "personal health records" and related entities not covered by HIPAA to notify consumers, the FTC, and the media of a breach of unsecured identifiable health information. With the Agency's increasing interest in health information not covered by HIPAA, the HBNR resurfaced in discussions in 2021. In recent enforcement actions, the FTC has controversially asserted that the HBNR could apply to health-related browsing and usage data shared with advertising vendors without consent.
The finalized updated Rule incorporates changes to key definitions, including "PHR identifiable health information," "breach of security," and "PHR related entity." Notably (though consistent with the proposed changes), a "breach" is more broadly defined to include not just data security breaches, but also intentional but unauthorized disclosures and unauthorized uses. Commentary in the Final Rule says that where data has been obtained for one legitimate purpose but later used for a secondary purpose that was not originally authorized by the individual, that may be a "breach." While the FTC has long held that secondary use of data may be "deceptive" under Section 5 of the FTC Act, classifying such activity as also a potential "breach" is new. The amended rule also adopts changes to the method and content of notice to consumers.
The unprecedented and expansive view taken by the FTC in this amendment was not adopted unanimously. The Commissioners voted 3-2 to finalize the changes. In a dissenting statement, Commissioners Holyoak and Ferguson wrote that the HBNR final rule adopted by the FTC "exceeds the Commission's statutory authority, puts companies at risk of perpetual non-compliance, and opens the Commission to legal challenge that could undermine its institutional integrity."
Putting it into Practice. Companies not covered by HIPAA that collect, or provide mechanisms to track, health-related information should evaluate to what extent this rule may apply to them. Data uses and data sharing activities (even with vendors) should be closely analyzed to confirm that evidence of authorization for such disclosures and uses is in place. This is in addition to considering how the emerging state health privacy law landscape may apply.