FTC Finalizes Changes to Health Breach Notification Rule

The changes are aimed to close gaps around HIPAA and help healthcare organizations and consumers control the use of personal health information

Federal officials are making sweeping changes to regulations around digital health apps and platforms in an effort to combat data breaches and fill in the gaps around the Health Insurance Portability and Accountability Act (HIPAA).

The U.S. Federal Trade Commission (FTC) last week announced final changes to the Health Breach Notification Rule (HBNR), which requires vendors of personal health records (PHR) and related entities that are not covered by HIPAA to notify individuals, the FTC and, in some cases, the media of a breach of unsecured personally identifiable health data. The rule also requires third-party service providers to vendors of PHRs and PHR-related entities to notify such vendors and PHR related entities following the discovery of a breach.

The changes aim to close loopholes caused by the proliferation of third-party apps and platforms in the digital health ecosystem and give both healthcare providers and consumers more control over the use and reliability of healthcare data.

“Protecting consumers’ sensitive health data is a high priority for the FTC,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a press release. “With the increasing use of health apps and connected devices, the updated HBNR will ensure it keeps pace with changes in the health marketplace.”

The changes include:

• Revised definitions. Several definitions were rewritten to include health apps and similar technologies not covered by HIPAA. This includes redefining “PHR identifiable health information” and adding new definitions for “covered healthcare provider” and “healthcare services or supplies.”
• Clarifying ‘breach of security.’ A “breach of security” will now include any unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure.
• Revised definition of PHR related entity. The definition of a “PHR related entity” will now cover entities that offer products and services through the online services, including mobile applications, of vendors of personal health records. It also makes clear that only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities.
• Clarifying multiple sources of PHR identifiable health information: The final rule clarifies what it means for a personal health record to draw PHR identifiable health information from multiple sources.
• Expanded use of electronic notification: The final rule authorizes the expanded use of e-mail and other electronic means of providing clear and effective notice to consumers of a breach.
• Expanded consumer notice content: The required content that must be provided in the notice to consumers has been expanded to include the name or identity (or, where providing the full name or identity would pose a risk to individuals or the entity providing notice, a description) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security.
• New timing requirements. For breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they send notices to affected individuals, which must occur without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security.
• Improved readability. The final rule also includes changes to improve the rule’s readability and promote compliance.