The FTC recently published two new resources for complying with the Health Breach Notification Rule. The Rule requires vendors of personal health records (PHR), PHR-related entities, and service providers to these entities to notify consumers and the FTC (and, in some cases, the media) in the event of a breach of unsecured identifiable health information. The guidance reaffirms, and adds further clarity to, the Agency’s broad interpretation of the Rule released in its policy statement last fall.
The shorter guidance largely provides a high-level overview of the Rule. The second, lengthier guidance provides more detail about the applicability of the Rule, what triggers notification, and the notification requirements in the event of a breach. It also provides answers to questions asked about the Rule. This new guidance confirms the FTC’s position that breaches are not limited to cybersecurity intrusions. A breach also includes incidents of unauthorized access, including sharing of covered information without authorization. A settlement from last year with a popular fertility tracking app demonstrates how broadly the FTC may interpret such “sharing.” The guidance also clarifies that the Rule preempts contradictory state breach notification laws. But it does not preempt state laws that impose additional, non-contradictory breach notification requirements.
Putting it into Practice. Health and wellness apps and wearables that sit outside of HIPAA are reminded of other requirements they may have from the FTC. This includes considerations under unfair and deceptive trade practice laws (Section 5) as well as the Health Breach Notification Rule. In light of the broad interpretation of “breach” under this Rule, companies should consider auditing all instances of “sharing” of health information. Companies in this space are also reminded of potential obligations under upcoming state privacy laws (California, Colorado, and Virginia).