Finalization of the Health Breach Notification Rule Changes by the FTC
Last week, the Federal Trade Commission (“FTC”) announced the finalization of updates to the Health Breach Notification Rule (“Rule”), aiming to enhance and modernize its provisions. These changes clarify the rule’s application to health apps and similar technologies, broaden the scope of information that entities must provide to consumers in case of a health data breach, and strengthen notification requirements.
Under the revised Rule, vendors of personal health records (“PHR”) and related entities not covered by HIPAA are mandated to notify affected individuals, the FTC, and in certain cases, the media, following the discovery of a breach involving unsecured personally identifiable health data. Additionally, third-party service providers to these vendors and entities must notify them of breaches they discover.
Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, emphasized the importance of safeguarding consumers’ health data amidst the increasing use of health apps and connected devices. The FTC received and considered approximately 120 public comments before finalizing these updates in response to evolving trends in the health marketplace.
The key revisions include:
- Definitions Update. The rule now explicitly covers health apps and technologies not governed by HIPAA, with revised definitions such as “PHR identifiable health information,” “covered health care provider,” and “health care services or supplies.”
- Security Breach Clarification. It clarifies that a breach includes unauthorized acquisition or disclosure of identifiable health information due to a data security incident.
- Expanded Scope of PHR Related Entities. The definition now specifies entities offering products and services via vendors’ online platforms, clarifying which entities qualify under the rule.
- Enhanced Notification Requirements. The updated rule allows broader use of electronic notifications and expands the required content of breach notifications to consumers, including disclosure of third-party recipients of breached information.
- Notification Timing. For breaches affecting 500 or more individuals, entities must notify affected parties and the FTC simultaneously, within 60 days of discovering the breach.
- Improvements in Clarity and Compliance. Changes aimed at improving readability and promoting compliance with the rule.
These updates will take effect 60 days after publication in the Federal Register. Alongside these regulatory changes, the FTC announced it has taken enforcement actions against companies like GoodRx and Easy Healthcare (publisher of the Premom app) for violations of the Rule.
The FTC’s decision to finalize these amendments was approved by a 3-2 vote of the Commission, with Chair Lina M. Khan and Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya issuing a supportive statement, while Commissioners Melissa Holyoak and Andrew N. Ferguson dissented.
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.
