The Federal Trade Commission (FTC) recently proposed changes to the Health Breach Notification Rule (Rule), enacted in 2009, to clarify that the Rule applies directly to an estimated 170,000 health and wellness mobile applications (apps), as well as similar technologies that have proliferated since the Rule’s enactment. Recognizing the increasing prevalence of health apps and direct-to-consumer health technologies like fitness trackers, the FTC now seeks to update the Rule in what appears to be an aggressive fashion to effectively respond to changes in the health technology marketplace. The Proposed Rule is specifically intended to cover developers and vendors of health and wellness apps and internet-connected health devices, such as wearable blood pressure monitors, that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) because they are neither “covered entities” nor “business associates” under HIPAA. This article does not address all of the FTC’s proposals but instead focuses on updated and new definitions that vastly expand the scope of information and types of entities covered by the Rule.
The Rule currently includes the following key defined terms:
A “vendor of personal health records” (PHRs) is an organization that is neither a HIPAA covered entity nor a business associate and that offers or maintains a PHR.
A PHR is an electronic record of “PHR identifiable health information” about an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.
“PHR identifiable health information” (PHR IHI) is individually identifiable health information that is provided by or on behalf of an individual and identifies the individual or there is a reasonable basis to believe that the information may be used to identify the individual.
A “PHR related entity” is an entity, other than a HIPAA covered entity or business associate, that (1) offers products or services through the website of a vendor of PHRs; (2) offers products or services through the websites of HIPAA covered entities that offer individuals PHRs; or (3) accesses information in a PHR or sends information to a PHR.
In an effort to strengthen and modernize the Rule, the FTC has proposed a number of significant changes. Several of these proposed changes involve new or revised definitions.
First, the Proposed Rule would newly define a “health care provider” as “a provider of services . . . , a provider of medical or other health services . . . , or any other entity furnishing health care services or supplies.”
“Health care services or supplies” would include “any online service, such as a website, mobile application, or Internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.”
The Proposed Rule’s new definition of “health care provider” is modeled after the HIPAA definition of this term, but its inclusion of the new term “health care service or supply” considerably expands the customary definitions of a health care “service or supply” and a “health care provider.” Through this definitional framework, the FTC asserts that developers of health and wellness apps are “health care providers”—akin to HIPAA covered entities—for purposes of the Proposed Rule. Likewise, mobile health apps constitute PHRs—analogous to the HIPAA term “designated record set”—and app developers also are “vendors of personal health records” (analogous to covered entities) under the Proposed Rule. These proposed new terms and interpretations qualitatively expand the scope of what constitutes a PHR or a vendor of PHRs under the Rule far beyond the concept, accepted at the time the Rule was enacted, of a PHR as a patient-controlled repository of health information.
The FTC further proposes to substantially align the definition of PHR IHI with the HIPAA definition of “individually identifiable health information” (IIHI), with an important distinction. PHR IHI is IIHI that is created or received by a health care provider, health plan, employer, or health care clearinghouse. Combined with the new definition of “health care provider” and “health care service or supply,” “PHR identifiable health information” would now include individually identifiable information related to health care or a health condition that is created or received by a website, mobile app, or interconnected device that offers mechanisms to track health or wellness indicators, including many additional categories of information—vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, and diet among them—that are not specifically listed as HIPAA identifiers in the Privacy Rule.
Although the FTC asserts that this definitional revision is not substantive, it acknowledges that the updated definition is intended to cover (1) “traditional” health information (e.g., diagnoses or medications), (2) health information derived from consumer interactions with apps and online services (e.g., health information generated from tracking technologies used on websites or mobile apps), and (3) “emergent” health data (e.g., information inferred from non-health-related data, such as location and recent purchase information). Given that the second and third categories of information were not previously covered by the Rule, the impact of the proposed revision is indeed substantive.
The definition of “PHR related entity” would be narrowed so that only entities accessing or transmitting unsecured PHR IHI to a PHR would qualify as PHR related entities, thereby specifically excluding from the definition those entities that access or transmit to a PHR only information that is not unsecured PHR IHI. Companies that perform attribution and analytics services for health apps and similar technologies are “third party service providers,” not PHR related entities. These adjustments would make a third party service provider’s relationship to a PHR related entity analogous to a business associate’s relationship to a covered entity under HIPAA.
The Proposed Rule also would clarify that a “breach of security” is not limited to an unauthorized acquisition of unsecured PHR IHI that occurs due to a ransomware or other data breach; instead, it also would include unauthorized acquisition of PHR IHI without the individual’s authorization. This approach is problematic, because the FTC does not define what constitutes an individual’s “authorization” for purposes of the Rule.
The FTC considered defining the term “authorization” to mean “the affirmative express consent of the individual” consistent with state consumer protection laws that define consent, but it decided against doing so because commentary to the current Rule offers guidance on the types of disclosures the FTC determines to be unauthorized—namely, “unauthorized” PHR data sharing exists when “such use is [no longer] consistent with the entity’s disclosures and individuals’ reasonable expectations.”
The FTC specifically requests public comment regarding whether this commentary and the agency’s recent settlement with telehealth and prescription drug discount provider GoodRx put companies on sufficient notice about when and how they must obtain individual authorization for disclosures of PHR IHI, or whether defining “authorization” is necessary to “better inform companies of their compliance obligations.”
In this instance, clarity achieved through rulemaking is preferable. The FTC’s proposed approach to rely on enforcement activity achieved through pre-litigation settlements, combined with non-binding guidance appearing in the preamble to the Rule, would not offer sufficient notice or guidance to regulated entities.
Unlike HIPAA, which specifies what uses and disclosures of PHI are permitted or required without authorization, the relatively limited circumstances under which an individual’s authorization is required to use or disclose their PHI, and the required contents of an authorization, the Proposed Rule would require an individual’s authorization whenever the use of PHR IHI is inconsistent with “the entity’s disclosures and individuals’ reasonable expectations.” Regulated entities are left to guess whether such authorizations must be memorialized in writing, must require an individual to do more than click on a button indicating agreement, or must contain electronic signatures; for how long such authorizations must be maintained; and whether the entities must enter into business associate-like agreements with or audit any third parties with whom they share PHR IHI to assure that such third parties are not using the PHR IHI in a manner inconsistent with the regulated entity’s disclosures and individuals’ reasonable expectations.
HIPAA also requires covered entities to provide a Notice of Privacy Practices (NPP) to individuals indicating how individuals’ PHI may be used and disclosed without their consent or in the absence of their objection, and when disclosure of PHI requires a patient’s authorization, all in accordance with the various requirements of the HIPAA Privacy Rule. The FTC’s Proposed Rule would require health and wellness apps and other regulated entities to provide an NPP analogue, but in the absence of an underlying framework specifying legally permitted uses and disclosures of unsecured PHR IHI absent individual authorization, identifying all the appropriate contents of such a notice will be challenging.
Finally, unlike HIPAA, the Proposed Rule does not address de-identification of PHR IHI as a legitimate way to avoid a breach of unsecured PHR IHI, nor does it provide exceptions to what constitutes a “breach of security” or a risk assessment framework to assist regulated entities in determining whether an incident constitutes a reportable breach of security. Guidance on some or all of these concepts would be welcome and likely would result in regulated entities focusing more attention on precisely what health-related information they maintain and use and how to appropriately secure that information.
For these reasons, the proposed clarification to what constitutes a “breach of security” under the Rule creates a great deal of uncertainty and, without additional guidance, likely will result in organizations covered by the Rule believing they are required to make, or simply making, breach notifications in a broad range of circumstances where such notifications would not be required.
The FTC already has been successful in bringing enforcement actions against developers of health apps and other entities under the Rule, including GoodRx and the fertility app Premom. These proposed changes would remove any previous uncertainties regarding the Rule’s reach and applicability to such entities while dramatically increasing the likelihood that a use or disclosure of consumer health-related information for which specific individual authorization is not obtained will result in a breach of security requiring notification and potentially resulting in enforcement activity. Those interested in submitting comments on the Proposed Rule highlighting these or other concerns are encouraged to do so on or before August 8, 2023.