September 16, 2021

Zombie PHR Breach Rule Rises From the Dead

Yesterday, the FTC issued a policy statement announcing a new interpretation of the FTC’s 10-year-old “Personal Health Record Breach Notification Rule.” As the FTC acknowledges, this rule has never been enforced by the FTC. The FTC’s announcement indicates its intention to begin enforcing this rule, which allows the FTC to assess penalties of $43,792 per day of violation.

What’s changed? According to three of the FTC’s commissioners, as reported in the press release: nothing. Indeed, the policy statement suggests that the FTC has simply reiterated a rule “many appear to misunderstand.”

But most objective observers would agree that, at a minimum, the FTC has announced a previously unarticulated view of the definition of “personal health record.” Under the existing regulation, if an “electronic record . . . of identifiable health information” draws “information” from multiple sources, it constitutes a regulated PHR.

The FTC’s policy statement announces the FTC’s belief that this does not mean the record must draw “health information” from multiple sources, but rather means that the record (1) includes health information and (2) draws any other information from multiple sources. The FTC gives this example: “if a blood sugar monitoring app draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from your phone’s calendar), it is covered under the Rule.”

This position was not found in the FTC’s original 2010 Guidance on PHRs, which specifically noted that apps that relied exclusively on user-inputted information were not subject to the Rule.

Second, the FTC announced that it views the definition of “breach” as including any “sharing of covered information without an individual’s authorization.” This includes sharing information with advertisers and other third parties. Two of the three commissioners approving the new policy statement have previously argued that the FTC’s recent enforcement action against Flo Health, Inc., should have been brought as a violation of the PHR Breach rule. Flo Health was alleged to have shared information with marketing and analytics providers.

Who is exempt? HIPAA Covered Entities and Business Associates are exempt from the PHR Breach Rule.

What’s required? If an entity that offers a PHR identifies a breach of the information contained in that record, then it is required to provide notice to each impacted individual and to the FTC. The notices to individuals must be provided within 60 calendar days of discovery. Notices to the FTC, however, must be provided within 10 business days of discovery when the incident impacts more than 500 individuals. Breaches are treated as “discovered” as of the date the breach was “known or reasonably should have been known” to the entity.