Generally, in its current state, the rule requires vendors of “personal health records” and related entities not covered by HIPAA to notify consumers, the FTC, and the media of a breach of unsecured identifiable health information. While the HBNR had long been a dormant arrow in the Commission’s quiver, it resurfaced in 2021 when the FTC released a somewhat controversial position statement about the scope of the rule and its applicability. Since then, the FTC has continued to take interest in health data not covered by HIPAA, including several enforcement actions this year. The proposed rule seeks to codify some of the positions taken in the Agency’s position statement. Specifically, the proposed rule seeks to:
- Expanded scope of entities. The changes would revise several definitions to clarify the rule’s application to health apps and similar technologies not covered by HIPAA. More entities will be subject to this rule through the addition of two terms – “health care provider” and “health care services or supplies” which includes any online service that provides health-related services or tools to track diseases, health conditions, medications, diet, sexual health, and more.
- Revised definition of breach. A reportable breach under the Proposed Rule includes not just data breaches, but any disclosure that is not authorized by a consumer.
- Clarifications about drawing health information from multiple sources. The PHR definition applies to products with the ability to obtain data from multiple sources. The proposal would clarify that this includes applications that have the technical capacity to draw information from multiple sources, even if a consumer only uses one of those sources when using an app.
- Additional notification options. The Proposed Rule would permit notification to impacted consumers, with their consent, by text, in-app messaging, or electronic banner in an application.
- Changes to content requirements for notifications. In addition to the existing content requirements, the Proposed Rule would require a description of the potential harm that could result from the breach, contact information of any third parties that acquired the information at issue, and what the entity is doing to protect affected individuals.
Putting it into Practice. In light of the FTC’s recent string of HBNR enforcement actions, developers of health and wellness apps and devices should assess whether HBNR applies and ensure that any sharing of information would not constitute an unauthorized disclosure. Comments on the proposed rule will be accepted until August 8, 2023.