FTC Finalizes Modifications to Broaden the Applicability of the Health Breach Notification Rule

On April 26, 2024, the Federal Trade Commission (“FTC”) announced a final rule (“Final Rule”) modifying the Health Breach Notification Rule (“HBNR”). The Final Rule, which largely finalizes changes proposed in a Notice of Proposed Rulemaking published last year (“2023 NPRM”), broadens the scope of entities subject to the HBNR, including many mobile health applications (“apps”) and similar technologies, and clarifies that breaches subject to the HBNR include not only cybersecurity intrusions but also unauthorized disclosures, even those that are voluntary. The Final Rule will take effect 60 days after its publication in the Federal Register.

In the event of a breach of security of unsecured personal health record (“PHR”) identifiable health information in a PHR, the HBNR requires vendors of PHRs and PHR-related entities to notify consumers, the FTC, and, in breaches affecting 500 or more residents of a state or jurisdiction, prominent media outlets serving that state or jurisdiction. If a service provider to one of these entities experiences a breach, it must notify the entity, which in turn must carry out its obligations to notify affected individuals, the FTC, and, in some cases, media outlets. The HBNR does not apply to covered entities and business associates subject to the Health Insurance Portability and Accountability Act (“HIPAA”).

The Final Rule comes on the heels of the 2023 NPRM, a number of recent enforcement actions under both the HBNR and the FTC Act, and a 2021 Policy Statement, which have signaled a greater regulatory and enforcement focus on the privacy and security practices of health apps and similar technologies.

Key Changes

Clarifications Regarding the HBNR’s Scope

The Final Rule revises the definitions of “PHR identifiable health information” and “PHR-related entity” and adds definitions of “covered health care provider” and “health care services or supplies” to clarify and broaden the scope of the HBNR. The preamble also provides various other clarifications that are likely to be of interest to regulated entities.

As a result of these changes, the individually identifiable health information collected or used by health apps and similar technologies generally constitutes PHR identifiable health information, and such apps and technologies can constitute PHRs depending on whether they draw information from multiple sources and are managed, shared, and controlled by or primarily for the individual. Consequently, the developers of such apps and technologies can be vendors of PHRs subject to the HBNR.

1. PHR Identifiable Health Information

   The Final Rule defines “PHR identifiable health information” as information that:

   • • Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and
       • identifies the individual; or
       • with respect to which there is a reasonable basis to believe that the information can be used to identify the individual; and
     • Is created or received by a:
       • Covered health care provider;
       • health plan (as defined under HIPAA);
       • employer; or
       • health care clearinghouse (as defined under HIPAA); and
     • with respect to an individual, includes information that is provided by or on behalf of the individual.

   The FTC clarifies that this is intended to be a broad definition that encompasses, for example, unique, persistent identifiers (e.g., unique device and mobile advertising identifiers) when combined with health information (if they can be used to identify an individual). The FTC also clarifies that data that has been de-identified in accordance with HIPAA standards is not PHR identifiable health information as there is not a “reasonable basis to believe that information can be used to identify the individual.”
   
   

2. Covered Health Care Provider

   The Final Rule creates a new term, “covered health care provider,” that closely tracks the 2023 NPRM’s proposed definition of “health care provider,” and defines it as a provider of services (as defined in 42 U.S.C. 1395x(u)), a provider of medical or other health services (as defined in 42 U.S.C. 1395x(s)), or any other entity furnishing health care services or supplies. The FTC notes that the addition of the word “covered” to the term is not meant to be substantive and is intended to distinguish the term from interpretations of the term “health care provider” in other contexts.
   
   

3. Health Care Services or Supplies

   The Final Rule creates another new term, “health care services or supplies,” defining it as any online service such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools. Combined with the addition of the term “covered health care provider” and the revised definition of “PHR identifiable health information,” this helps expressly expand the scope of the HBNR to cover health apps and similar technologies.
   
   

4. PHR-Related Entity

   The Final Rule adopts, without change, the 2023 NPRM’s proposed revisions to the definition of “PHR-related entity,” which are intended to clarify that (1) PHR-related entities include entities that offer products and services not only through websites of vendors of PHRs but also through any online service, including a mobile app; (2) PHR-related entities include only entities that access or send unsecured PHR identifiable health information to a PHR; and (3) while some third-party service providers may access unsecured PHR identifiable health information when providing services, this does not render the third-party service provider a PHR-related entity.

   In response to commenters who expressed concerns that certain data recipients (e.g., health information service providers) might not fully understand their obligations under the HBNR since they do not know the content of the data transmissions they receive, the FTC notes the requirement that vendors of PHRs and PHR-related entities notify third-party service providers of their status as vendors of PHRs or PHR-related entities. This requirement is intended to put data recipients on notice about the potential content of data transmissions. The FTC adds that companies may choose to stipulate via contract whether data transmissions will contain unsecured PHR identifiable health information.
   
   

5. Other Clarifications

   Some commenters expressed concern that the 2023 NRPM’s proposed definitions of “health care provider” (“covered health care provider” under the Final Rule) and “health care services or supplies” would make the HBNR applicable to retailers of general-purpose items such as tennis shoes, shampoo, or vitamins. The FTC clarifies that this is not the case and such retailers are not considered vendors of PHRs. Entities that are not in the business of offering or maintaining (e.g., selling, marketing, providing, or promoting) a health-related product or service are not subject to the HBNR. The FTC clarifies that to be a vendor of PHRs, an app, website, or online service must provide an offering that relates “more than tangentially” to health.

   The FTC also clarifies that purchases of items at brick-and-mortar retailers where there is no app, website, or online service to access or track the purchase information electronically is not a PHR as there is no electronic record.

   Ultimately, whether a health app or electronic record constitutes a PHR is a fact-intensive inquiry that depends on the nature of the information contained in the record, its technical capacity, its sources of information, and its relationship to the individual.

Clarifications Regarding Breaches of Security and Authorization

The Final Rule adopts the change proposed in the 2023 NPRM to expressly clarify in the definition of “breach of security” that it includes unauthorized acquisitions of PHR unsecured PHR identifiable health information that occur as a result of a data breach or an unauthorized disclosure. Thus, the HBNR’s notification requirements are triggered not only by cybersecurity intrusions but also by voluntary disclosures that have not been authorized by the consumer, such as voluntary but unauthorized disclosures to third-party vendors.

The Final Rule does not create any specific exemptions or safe harbors to the definition of breach of security. The Final Rule also does not expressly define “authorization,” which the FTC was considering but did not formally propose in the 2023 NPRM. Instead, whether a disclosure is authorized will be a fact-specific inquiry that depends on the context of the interactions between the consumer and the company; the nature, recipients, and purposes of those disclosures; the company’s representations to consumers; and other applicable laws. Disclosures must therefore be consistent with the company’s disclosures and consumers’ reasonable expectations, and there must be meaningful choice in consenting to sharing. The FTC notes that buried disclosures in lengthy privacy policies do not satisfy the “meaningful choice” standard.

Based on examples provided in the preamble and accompanying guidance, when determining whether a disclosure is authorized in the absence of opt-in consent the FTC will likely focus on whether:

• the disclosure is necessary to provide a PHR to a consumer,
• the disclosure is consistent with consumer expectations,
• the sharing is disclosed to consumers, and
• the sharing is subject to protections like service provider agreements that limit the use of data.

The FTC notes that breaches of security include not only unauthorized disclosures but also unauthorized uses of data. This may occur, for example, where an entity obtains data for one legitimate purpose but later uses the data for a secondary purpose not authorized by individuals. The FTC also notes that the unauthorized access or use of derived PHR identifiable health information may constitute a breach of security. For example, this includes health information generated from tracking technologies on websites or apps, as well as emergent health data (e.g., health information inferred from non-health-related data, such as location and recent purchases).

Clarification of What It Means for a PHR to Draw Information from Multiple Sources

Adopting the 2023 NPRM’s proposed changes, the Final Rule modifies the definition of PHR to mean an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual. As illustrated in the preamble’s examples, this change is intended to clarify two points: (1) a product is a PHR if it merely has the technical capacity to draw information from multiple sources, even if the consumer elects to limit information from only a single source; and (2) a product is a PHR if it can draw any information from multiple sources, even if it only draws health information from one source (e.g., by collecting calendar information or location from a source). Ultimately, as clarified in the preamble, a PHR is generally an electronic record of an individual’s health information by which the individual maintains access to the information and may have, for example, the ability to manage, track, control, or participate in his or her own health care. If these elements are not present, the service might not be “managed, shared, and controlled by or primarily for the individual” and therefore is not a PHR.

The Final Rule does not include any exemptions requested by commenters, such as for apps and services where there are available but unused or unpublicized application programming interfaces (“APIs”) or integrations, apps and services that are not yet in their final form (e.g., those that are in beta testing), or scenarios where a change is required to an app’s code to draw information from another source. The FTC emphasizes, however, that the HBNR only applies to breaches of unsecured PHR identifiable health information, incentivizing the use of de-identified data or secured information (e.g., through encryption) in product testing.

Changes to Requirements Regarding the Method, Content, and Timing of Notices

The Final Rule makes several changes regarding the permissible method and required content of breach notifications. Specifically, the Final Rule permits notification by “electronic mail” if the individual has specified electronic mail as the primary contact method. The Final Rule defines electronic mail to mean email in combination with one or more of text message, in-app messaging, or electronic banner, essentially creating a two-part electronic notice. Notice via first-class mail also continues to be permitted.

The Final Rule also modifies several provisions regarding the content of notices:

• Notifying entities must include the full name or identity (or where doing so would pose risk to individuals or the notifying entity, a description) of the third parties that acquired the PHR identifiable health information as a result of the breach.
• The Final Rule expands the sample list of types of PHR identifiable health information listed in the regulatory text.
• Notices must include a brief description of what the notifying entity is doing to protect affected individuals (e.g., offering credit monitoring).
• Notifying entities must include contact procedures in the notice, which must include two or more of the following: toll-free telephone number, email address, website, in-app, or postal address.

Notably, the Final Rule does not adopt the 2023 NPRM’s proposal to require notices to include a brief description of the potential harm that may result from the breach.

Although the 2023 NPRM did not formally propose changes to timing requirements, the Final Rule modifies the required timing for notice to the FTC in the event of a breach involving 500 or more individuals. While the HBNR formerly required such notice within 10 business days, notice to the FTC is now required under the Final Rule to be provided contemporaneously with notice to affected individuals.

Takeaways

The Final Rule is the culmination of the FTC’s efforts in the last several years to broaden the scope of the HBNR and has significant implications for digital health companies. The FTC is likely to take enforcement of the HBNR seriously, as evidenced by its recent enforcement actions, which have resulted in several corrective action plans and seven-figure penalties against digital health companies for violating their privacy promises to consumers.

Health apps and other digital health companies should carefully review the changes finalized in the Final Rule and identify any actions necessary to comply with the new regulations. While the regulatory text of the HBNR itself is fairly straightforward, essentially just requiring notification in the event of a breach of certain health information, the Final Rule’s express clarification that breaches include not only cybersecurity intrusions but also unauthorized uses or disclosures, even those that are voluntary, creates significant compliance obligations. As illustrated by the guidance and examples in the Final Rule, as well as recent enforcement actions, mitigating risk under the HBNR will require an in-depth examination of several practices related to health information, including how the regulated entity uses and discloses health information, whether it obtains consent from consumers, what privacy representations it makes to consumers (e.g., in privacy policies) and whether such representations are clear and conspicuous, and what contractual obligations are in place with third-party recipients of health information.