FTC Updates Health Breach Notification Rule
At a Glance
- The HBNR applies to vendors of personal health records, PHR-related entities, and third-party service providers. Violations of the HBNR are treated as an unfair or deceptive practice under the Federal Trade Commission Act, which can subject violators to penalties of $51,744 per violation.
- These amendments clarify that the HBNR covers not only what we typically consider health information, such as diagnoses or medications, but also “health information derived from consumers’ interactions with apps and other online services,” such as data collected by tracking technologies used on websites, and “emergent health data,” such as health information inferred from nonhealth-related information.
- The Final Rule amends the definition of “breach of security” to make it clear that a breach is not limited to cybersecurity incidents but includes when vendors of PHR voluntarily make unauthorized disclosures of identifiable health information, such as sharing or selling information to a third party without authorization.
- The Final Rule expands uses of email and other electronic means to provide clear and effective notice of a breach to consumers.
- Many of the amendments the Final Rule makes to the HBNR are part of a trend, happening at the federal and state level, of regulating health information not covered by HIPAA and intentionally making it more difficult for companies to use a consumer’s health information for purposes other than providing consumers with the products and services they requested.
On July 1, 2024, the amendments to the Health Breach Notification Rule (HBNR) went into effect. First promulgated in 2009, the HBNR applies to vendors of personal health records — entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) and that offer or maintain a personal health record (PHR). The Final Rule was published by the Federal Trade Commission (FTC) on April 26, 2024, and adopts the changes proposed in the June 9, 2023, Notice of Proposed Rulemaking with minimal updates. The amendments codify the interpretation of the HBNR that the FTC developed in its September 15, 2021, Policy Statement and in its 2023 enforcement actions against GoodRx and Easy Healthcare. The Final Rule demonstrates the FTC’s continued focus on how companies use and disclose consumers’ health information, especially health information that is not covered under HIPAA.
Background
The HBNR applies to vendors of personal health records, PHR-related entities, and third-party service providers (i.e., companies that provide services such as billing, data storage, attribution or analytics). Violations of the HBNR are treated as an unfair or deceptive practice under the Federal Trade Commission Act, which can subject violators to penalties of $51,744 per violation.
In 2023, the FTC took its first enforcement action under the HBNR against GoodRx for allegedly disclosing identifiable health information via third-party trackers on its website. Shortly thereafter, the FTC brought another HBNR enforcement action against Easy Healthcare Corp., a company that publishes an ovulation and period-tracking mobile application, alleging conduct similar to that alleged against GoodRx. In both of these actions, the FTC used the HBNR to target companies for disclosing identifiable health information under circumstances that do not fall within the traditional understanding of a “security breach.” Indeed, the FTC, in updating the HBNR, has clarified that a breach is “not limited to cybersecurity intrusions or nefarious behavior,” but instead includes any disclosure of identifiable health information “without the authorization of the individual.”1
The Final Rule makes several changes to the HBNR. Some of those changes clarify the scope and applicability of the HBNR, while others are procedural changes amending the method, content and timing of notifications. The amendments took effect 60 days after the Final Rule was published in the Federal Register.
Clarifications to the Scope and Applicability of the HBNR
Clarification of What Constitutes “PHR Identifiable Health Information”
The Final Rule broadens the definition of “PHR identifiable health information” to include information that (i) is provided by or on behalf of the individual; (ii) identifies the individual, or for which there is a reasonable basis to believe the information could identify the individual; (iii) “relates to the past, present, or future physical or mental health or condition of an individual” or “the provision of health care to an individual”; and (iv) is created or received by a covered health care provider.2 A covered health care provider is any entity that furnishes health care services or supplies.3 Health care services and supplies are defined to include “any online service such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.”4
According to the FTC, these amendments clarify that the HBNR covers not only what we typically consider health information, such as diagnoses or medications, but also “health information derived from consumers’ interactions with apps and other online services,” such as data collected by tracking technologies used on websites, and “emergent health data,” such as health information inferred from nonhealth-related information.5 As the FTC points out in its commentary, PHR identifiable health information also includes “unique, persistent identifiers (such as unique device and mobile advertising identifiers), when combined with health information … if these identifiers can be used to identify or re-identify an individual.”6
Clarification of What It Means to “Draw Information From Multiple Sources”
The Final Rule purports to clarify what it means for a personal health record to “draw information from multiple sources.” The Rule amends the definition of “personal health record” to mean an “electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”7 This means that a product is a personal health record if it can draw information from multiple sources, even if a consumer chooses to provide information from only one source. In addition, a product is a personal health record if it draws health information from only one source but draws any other information from multiple sources.8
For example, a medication-tracking app that allows consumers to log in with a username and password and record when they took their medication, and that also collects geolocation data through an application programming interface (API), is a personal health record because it meets every element of the amended definition. It is an electronic record of PHR identifiable health information because (i) it identifies the individual via the username and password, (ii) it relates to the individual’s health condition because it is about their medication, and (iii) it is received by a covered health care provider because the entity providing the app furnishes a health care service, namely an app that provides a mechanism to track medications. The app also has the technical capacity to draw information from multiple sources — the consumer’s input and the geolocation data obtained through the API. Finally, the app is managed, shared and controlled by or primarily for the individual. Moreover, the medication-tracking app would still be a PHR even if the consumer turned off the function that allows the app to collect geolocation data through the API, because the app still has the “technical capacity” to collect that information.
Clarification of What Constitutes a “Breach of Security”
The Final Rule amends the definition of “breach of security” to make it clear that a breach is not limited to cybersecurity incidents but includes situations where vendors of PHR voluntarily make unauthorized disclosures of identifiable health information, such as sharing or selling information to a third party without authorization from the consumer.9 However, the FTC declined to define “authorization” in the HBNR. According to the FTC, whether a disclosure is authorized is a “fact specific inquiry that will depend on the context of the interactions between the consumer and the company; the nature, recipients, and purposes of those disclosures; the company’s representations to consumers; and other applicable laws.”10
For additional guidance on what is considered “authorized,” the FTC directs stakeholders to previous guidance on the HBNR. Specifically, the FTC points to the commentary from the 2009 Final Rule, which states that a use of identifiable health information is “authorized” only when it is “consistent with a company’s disclosures and consumers’ reasonable expectations and where there is meaningful choice in consenting” to disclosure.11 Disclosures buried in lengthy privacy policies do not constitute meaningful choice.12 The FTC also points to the GoodRx and Easy Healthcare enforcement actions, which make clear that the use of “dark patterns” to obtain consent is an invalid form of authorization.13 Dark patterns are user interfaces designed to manipulate or deceive consumers into giving consent; consent obtained that way does not satisfy the standard of “meaningful choice.”
The commentary also provides a few examples of when a disclosure may be authorized or unauthorized. For example, the FTC states that a medication app that shares identifiable health information for the purpose of targeted advertising, without disclosing this use to consumers and without obtaining their consent, makes an unauthorized disclosure: absent that disclosure and express affirmative consent, consumers would not expect their identifiable health information to be used and disclosed in this way. In contrast, a medication app that (i) shares identifiable health information with a service provider to assist with functions that are necessary to the operation of the app, (ii) contractually prohibits the service provider from using the information for purposes other than providing the services, and (iii) clearly and conspicuously discloses in the app’s privacy policy that identifiable health information will be shared with the service provider makes an authorized disclosure, because it is consistent with consumer expectations.14
Finally, in the commentary, the FTC also notes that unauthorized uses of health information, where a company obtains identifiable health information for one purpose but uses it for a secondary purpose that was not authorized by the individual, could also constitute a breach of security.15
Clarification of What Constitutes a “PHR Related Entity”
The Final Rule makes further clarifications regarding when an entity is considered a PHR related entity (and has obligations to notify individuals and potentially the FTC in the event of a breach) versus when an entity is considered a third-party service provider (and is required to notify the vendor of PHR but not the individuals affected by the breach). Under the Final Rule, PHR related entities include entities that offer products and services through the online services and mobile applications of vendors of PHR and that access or send unsecured PHR identifiable health information.16 The FTC also provided several examples distinguishing PHR related entities from third-party service providers. For example, a firm that provides data security, cloud computing, or advertising and analytics services to a health app under a service-provider contract with the app is a third-party service provider under the HBNR, because it provides services to a vendor of PHR so the app can function, and it accesses unsecured PHR identifiable health information only as a result of those services. In contrast, a search engine firm that integrates a search bar bearing its logo into a health-tracking website and offers its search functions through the website is a PHR related entity.17
Procedural Changes to Notifications Required Under the HBNR
Method of Notification
The Final Rule expands the use of email and other electronic means to provide clear and effective notice of a breach to consumers. An entity must provide notice to each affected individual at the individual’s last known contact information, which may be by electronic mail.18 Electronic mail is defined as “email in combination with one or more of the following: text message, within-application messaging, or electronic banner.”19 If the entity does not have the individual’s email address, the notice must be sent to the individual’s last known physical address via first-class mail. Where the contact information for 10 or more individuals is unknown or insufficient, the entity must instead provide “conspicuous” substitute notice of the breach (i) on the entity’s website for 90 days, or (ii) in major print or broadcast media in the geographic areas where the affected individuals likely reside. Additionally, if the breach affects 500 or more individuals, notice must also be provided to “prominent media outlets.” If the breach affects fewer than 500 individuals, the entity may instead log the breach and submit the log to the FTC to satisfy its FTC notification requirement.20
The content requirements of the notice are also amended in the Final Rule. Using “plain language,” an entity must specify (i) what happened, including the date of the breach and the date of the discovery of the breach, and the full name or identity of any third parties that acquired unsecured identifiable health information as a result of a breach of security; (ii) a description of the types of unsecured PHR identifiable health information that were involved in the breach; (iii) steps individuals should take to protect themselves from potential harm resulting from the breach; (iv) a brief description of what the entity that experienced the breach is doing to investigate the breach, to mitigate harm, to protect against any further breaches, and to protect affected individuals, such as offering credit monitoring or other services; and (v) contact procedures for individuals to ask questions or learn additional information, which must include two or more of the following: a toll-free telephone number, email address, website, within-application or postal address.21 Sample notices that comply with the HBNR are included in Appendix A of the Final Rule.
Finally, the Final Rule extends the timeframe a vendor of PHR has to notify the FTC of a breach affecting 500 or more individuals from 10 business days to 60 calendar days after discovery of the breach.22
Key Takeaways
Many of the amendments the Final Rule makes to the HBNR are part of a trend, happening at the federal and state level, of regulating health information not covered by HIPAA and intentionally making it more difficult for companies to use a consumer’s health information for purposes other than providing consumers with the products and services they requested. In the commentary to the Final Rule, the FTC states that the HBNR “addresses breach notification, not omnibus privacy protections.”23 However, many of the amendments to the HBNR, particularly the broad definitions of breach of security and PHR identifiable health information, have the effect of imposing significant compliance obligations on companies considered to be “vendors of personal health records.”
Under the amended HBNR, a breach of security includes unauthorized uses and disclosures of identifiable health information. This means companies that are considered vendors of PHR will, at minimum, have to take the following steps to ensure their uses and disclosures of health information are authorized:
- Adopt a privacy notice that informs consumers what health information the company collects, how they will use that health information, and to whom health information is disclosed and why.
- Enter into contracts with service providers that limit the service provider’s use of the health information to what is necessary to provide the services.
- Limit the use and disclosure of the health information to what is necessary to provide the personal health record to consumers and for purposes that are consistent with consumers’ expectations.
- If the company plans to use the health information for a different purpose, such as targeted advertising (including via cookies), obtain explicit, affirmative opt-in consent.
If a company does not take these steps, its use and disclosure of the health information may be considered a breach of security. The company would then have to notify the individuals whose health information was used or disclosed without authorization, and potentially the FTC and the media, or face penalties from the FTC for failing to provide notification.
- Final Rule, Part I.1.
- See id. at Part V, § 318.2(i).
- Id. at Part V, § 318.2(f).
- Id. at Part V, § 318.2(e).
- Id. at Part II.1.c.
- See id.
- Id. at Part II.2.a (emphasis added).
- See id.
- See id. at Part II.3.a.i.
- Id. at Part II.3.d.
- Id.; see also 74 Fed. Reg. 42967 (Aug. 25, 2009).
- See Final Rule, Part II.3.d.
- United States v. GoodRx Holdings, Inc., No. 23-cv-460 (N.D. Cal. 2023); United States v. Easy Healthcare Corp., No. 1:23-cv-3107 (N.D. Ill. 2023).
- See Final Rule, Part II.3.d.
- See id.
- Id. at Part V, § 318.2(j).
- Id. at Part II.4.c.
- Id. at Part V, § 318.5.
- Id. at Part V, § 318.2(d).
- Id. at Part V, § 318.5.
- See id. at Part V, § 318.6.
- See id. at Part V, § 318.4(b).
- See id. at Part II.1.c.