FTC Proposes Modifications to the Health Breach Notification Rule to Clarify Its Scope

On May 18, 2023, the Federal Trade Commission (“FTC”) announced a Notice of Proposed Rulemaking (“NPRM”) to amend the Health Breach Notification Rule (“HBNR”). The proposed changes are primarily intended to clarify the scope of entities subject to the HBNR and what constitutes a breach that triggers the rule’s notification requirements. Comments on the NPRM are due 60 days after the NPRM is published in the Federal Register.

The NPRM comes during a flurry of legislative, regulatory, and enforcement activity intended to make entities that are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”) accountable for their practices related to the collection, use, and sharing of health information. These include many health apps and other direct-to-consumer technologies, such as fitness trackers and wearable monitors, which generally handle health information directly on behalf of consumers, not covered entities or business associates, and are therefore outside the scope of HIPAA. Consumer use of such technologies has increased significantly in recent years, creating swaths of health information that largely remain unregulated. The NPRM, if finalized, would change this regulatory landscape.

I. Background

In the event of a breach of security of unsecured personal health records (“PHRs”), the HBNR requires vendors of PHRs and PHR-related entities to notify consumers, the FTC, and, in breaches affecting 500 or more residents of a state or jurisdiction, prominent media outlets serving that state or jurisdiction. If a service provider to one of these entities experiences a breach, it must notify the entity, which in turn must carry out its notification obligations.

Notice to individuals must be provided without unreasonable delay and no later than 60 calendar days after discovery of a breach. If a breach affects 500 or more individuals, notice must be provided to the FTC as soon as possible and no later than 10 business days after discovery of the breach.

The HBNR only requires notification for breaches of “unsecured” health information, which is defined as health information that is not secured through technologies or methodologies specified by the Department of Health and Human Services. The HBNR also does not apply to covered entities and business associates subject to HIPAA.

As further detailed in a previous article, the FTC issued a policy statement in September 2021 (“Policy Statement”) that swept in a large number of technology companies and activities, including health apps. The Policy Statement also clarified that a “breach” is not limited to cybersecurity intrusions or nefarious behavior, but also covers incidents of unauthorized access such as sharing of covered information without an individual’s authorization. In addition, the FTC recently started initiating enforcement actions under the HBNR (which we covered here and here). The FTC also recently took enforcement action against BetterHelp, Inc. under section 5 of the FTC Act for allegedly sharing consumers’ health information for advertising purposes.

II. Key Proposals

The key changes proposed in the NPRM are summarized below.

A. Clarifications to the HBNR’s Scope

To clarify the scope of the HBNR, the FTC proposes to revise the definition of “PHR identifiable health information” and add definitions of “health care provider” and “health care services and supplies” in an effort to clarify and broaden the scope of the rule:

• “PHR identifiable health information” would be revised to mean information (1) that is provided by or on behalf of the individual; (2) that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual; (3) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and (4) is created or received by a health care provider, health plan, employer, or health care clearinghouse. This change is not intended to be substantive, and the preamble clarifies that the FTC believes this definition covers traditional health information (e.g., diagnoses or medications), health information derived from consumers’ interactions with apps and other online services (e.g., health information created from tracking technologies on websites or mobile apps), and emergent health data (e.g., health information inferred from non-health-related data points such as location and recent purchases).
• “Health care provider” would be defined similarly as it is under HIPAA as a provider of services, a provider of medical or health services, or any other entity furnishing health care services or supplies.
• “Health care services and supplies” would be defined as any online service, such as a website, mobile application, or Internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.

The result of these changes is that developers of health apps and similar technologies that provide health care services and supplies would constitute health care providers under the HBNR, and any individually identifiable health information collected or used by these products and services would constitute PHR identifiable health information subject to the HBNR. Another result of these changes is that mobile health apps would generally constitute PHRs covered by the rule and developers of such apps would constitute vendors of PHRs.

The FTC also proposes to revise the definition of “PHR-related entity,” which is currently defined as an entity, other than a HIPAA-covered entity or business associate, that: (1) offers products or services through the website of a vendor of PHRs; (2) offers products or services through the websites of HIPAA-covered entities that offer individuals PHRs; or (3) accesses information in a PHR or sends information to a PHR. The FTC proposes to revise this definition as follows:

• The first prong would be revised to clarify that PHR-related entities include entities that offer products and services not only through the websites of vendors of PHRs but also through any online service, including mobile apps.
• The third prong would be revised so that it only covers an entity that accesses or sends unsecured PHR identifiable health information (not simply any information, as it is under current HBNR regulations) to a PHR. This change is intended to eliminate confusion and narrow the scope of the term PHR-related entity.

The FTC also notes in the preamble that certain businesses may be considered both a PHR-related entity and a third-party service provider depending on the circumstances. For example, a firm that performs attribution and analytics services may be a PHR-related entity to the extent it accesses unsecured PHR identifiable health information in a PHR, but a third-party service provider in other arrangements. This is not the FTC’s intent, so it proposes to amend the HBNR such that a third-party service provider is not a PHR-related entity when it accesses unsecured PHR identifiable health information in the course of providing services.

B. Clarifications Regarding Breaches of Security

Building on the Policy Statement and its recent enforcement actions, the FTC proposes to expressly clarify in the HBNR that a “breach of security” encompasses unauthorized acquisitions that occur as a result of a data breach or an unauthorized disclosure. This change is intended to clarify that breaches include voluntary disclosures by PHR vendors or PHR-related entities where such disclosure was not authorized by the consumer.

C. Clarifications Regarding Drawing PHR Identifiable Health Information from Multiple Sources

Currently, the HBNR defines a PHR as an electronic record of PHR identifiable health information that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. The FTC proposes to revise this definition such that it means an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual. This change is intended to clarify two points: (1) a product is a PHR if it can draw information from multiple sources, even if the consumer elects to limit information from only a single source; (2) a product is a PHR if it can draw any information from multiple sources, even if it only draws health information from one source. Ultimately, it is the FTC’s intent to further clarify the HBNR’s applicability to developers and purveyors of products that are merely technically capable of drawing information from more than one source.

D. Changes to Requirements Regarding the Method and Content of Notices

The FTC proposes to permit notification of a breach by “electronic mail” if the individual has specified electronic mail as the primary contact method. The FTC proposes to define electronic mail to mean email in combination with one or more of text message, in-app messaging, or electronic banner.

The FTC also proposes five changes to the HBNR’s notice content requirements:

• Notices must include a brief description of the potential harm that may result from the breach (e.g., medical or other identity theft).
• Notices must include the full name, website, and contact information of any third parties that acquired unsecured PHR identifiable health information as a result of the breach (if this information is known).
• The HBNR currently requires that notices describe the types of unsecured PHR identifiable health information that were involved in the breach. The FTC proposes to expand the sample list of types of PHR identifiable health information in the regulations.
• Notices must include a brief description of what the entity is doing to protect affected individuals (e.g., offering credit monitoring).
• Currently, the HBNR only requires one of a toll-free telephone number, email address, or postal address. The FTC proposes to require that the contact procedures specified in the notice include two or more of the following: toll-free telephone number, email address, website, within-application, or postal address.

III. Takeaways

The FTC has been taking on a larger role in regulating the use of consumer health information and has been using the tools at its disposal – namely, the HBNR and FTC Act – to enforce against businesses that misuse or share health information without individuals’ authorization. The NPRM is just the latest in the FTC’s efforts to regulate this space and ensure that businesses not regulated by HIPAA do not use and share health information in contravention of consumers’ wishes and expectations. With the FTC’s renewed interest in enforcing the HBNR, the NPRM should pique the interest of many businesses in the health care space, and such businesses should take the time to review the NPRM, including the FTC’s requests for comment, and submit a comment to help shape the final modifications to the HBNR.

We expect to see more activity on this front in the near future, not only from the FTC but also from states, which are increasingly trying to regulate businesses that process health information. Most recently, Washington state enacted the My Health My Data Act to impose requirements on entities that collect, use, or share health information, including a requirement to obtain opt-in consent prior to collecting health information.

***

For more information on the NPRM or how these changes may impact your organization, or for assistance in submitting comments, please contact the professionals listed below or your regular Crowell & Moring contact.