What is the Health Breach Notification Rule, Who Does It Apply To?

WHAT ENTITY TYPES DOES THE HBNR APPLY TO?

The HBNR applies to three entity types: vendors of PHRs, PHR-related entities, and third-party service providers for vendors of PHRs or PHR-related entities.

Understanding a company’s role in this legal landscape requires a thorough comprehension of how the FTC defines key terms, such as a PHR.

The rule defines a PHR  as “an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”

PHR identifiable health information includes individually identifiable health information created or received by a healthcare provider. In this sense, a “healthcare provider” includes any entity that “furnishes healthcare services or supplies.”

“Because these health app purveyors furnish health care services to their users through the mobile applications they provide, the information held in the app is PHR identifiable health information, and therefore many health app purveyors likely qualify as vendors of personal health records,” the rule states.

The rule’s applicability is stated in plain terms today, but that was not always the case. In April 2024, the FTC finalized its long-awaited updates to the HBNR with the goal of clarifying the rule’s applicability to health apps and other technologies that fall outside HIPAA’s purview.

These updates included several revised definitions that make it clear who the rule applies to and how, all of which take effect on July 29, 2024.

For example, the rule now defines “PHR related entities” as “companies that offer products and services through PHR websites or access information in or send information to personal health records.” 

The FTC further clarified that “entities that access or send unsecured PHR identifiable health information to a personal health record—rather than entities that access or send any information to a personal health record—are PHR related entities.”

Lastly, a business is considered a third-party service provider if it provides services to vendors of PHRs and PHR related entities, such as a billing, data storage or analytics vendor.

Candice Moschell, digital security senior manager at Crowe, told HealthITSecurity in an interview that the FTC’s updates to the HBNR essentially clarified and emphasized elements of the rule that were already in place, while making several notable changes.

“The FTC, in the same vein as other regulatory bodies and agencies, is likely trying to emphasize and put some guardrails around the fact that the information that consumers provide to vendors needs to be protected,” Moschell said.

“Vendors essentially are entrusted with data of individuals, be it health data or credit card data. It is really putting some guardrails and some expectations around the fact that they need to protect that data, and they also need to be transparent about how they are leveraging that data, which hasn't historically been the case with a lot of vendors.”

Moschell advised entities that might be questioning whether this rule applied to them sit down with their legal teams and look at the FTC’s definitions carefully.

“If I was an app developer or someone that didn't appear previously to be covered by the rule, first and foremost, you need to validate whether this rule does apply to you,” Moschell advised.

“Look specifically at the definitions the FTC provided, what types of data they are talking about and what types of services they are talking about.”

COMPLIANCE OBLIGATIONS UNDER THE HBNR

The HBNR requires that entities provide a data breach notice when “there has been an unauthorized acquisition of unsecured PHR identifiable health information.”

Like HIPAA, the FTC defines a data breach under the HBNR as not only a cybersecurity intrusion resulting from nefarious behavior but also incidents of unauthorized access and sharing information without an individual’s authorization.

It is important to note that a PHR only encompasses electronic records. If a breach occurs that only involves paper records, entities are not required to provide a notification to the FTC (although organizations should pay close attention to state laws).

Entities must notify the following groups of a breach involving unsecured personal health information according to the following timelines:

• Impacted Individuals: Entities must notify impacted individuals of a breach within 60 days of discovery and “without unreasonable delay.”
• The FTC: Entities must notify the FTC of a breach impacting more than 500 people no later than 60 calendar days after the discovery of the breach.
• The Media: When 500 or more residents of a particular state or US territory are impacted by a breach, entities must provide prominent media outlets in the area with a breach notice within 60 days of discovery.  

In addition, third-party service providers must notify contracted entities within 60 calendar days of discovering the breach and provide the client with a list of impacted individuals.

The time requirements were changed in the 2024 HBNR update, giving entities that suffer a breach impacting for than 500 people 60 calendar days to notify the FTC, compared to 10 business days in the previous iteration.

What’s more, the 2024 amendment expanded the content of the required consumer notice. The notice must now include the name or identity of any third parties that acquired unsecured PHR identifiable health information as the result of a security breach.

Additionally, entities are now permitted to use email and other electronic means to provide notices to impacted consumers, rather than strictly first-class mail.

From a compliance perspective, entities should also pay close attention to the updated definition of a PHR, which changed from an electronic record of PHR identifiable health information on an individual that draws from multiple sources to an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw from multiple sources.

“For example, a depression management app that accepts consumer inputs of mental health states and has the technical capacity to sync with a wearable sleep monitor is a personal health record, even if some customers choose not to sync a sleep monitor with the app,” the FTC states.

Organizations should ensure they have a strong understanding of the technical capabilities of their services to identify HBNR compliance actions.

HOW THE FTC ENFORCES THE HBNR

“The FTC will treat each violation of the Rule as an unfair or deceptive act or practice in violation of a Federal Trade Commission regulation,” the FTC states.

The FTC issued its first enforcement action under it in February 2023, when it imposed a $1.5 million civil penalty on telehealth company GoodRx.

The company allegedly leveraged third-party tracking pixels and “plug and play” software development kits from companies like Facebook and Google that supposedly gathered sensitive data and used it for advertising purposes, the FTC stated. The company also allegedly failed to notify consumers, the FTC, and the media of this unauthorized disclosure.

In May 2023, the FTC issued an enforcement action against Easy Healthcare Corporation, the company that operates the Premom Ovulation Tracker app. The FTC said the company violated the HBNR by failing to notify users that it had shared sensitive personal information with third parties.

Premom allegedly shared highly sensitive user data about users’ sexual and reproductive health and parental and pregnancy status with AppsFlyer and Google via the implementation of each company’s software development kit.

In both cases, the FTC prohibited the companies from sharing personal data with third parties without authorization and engaging in deceptive practices such as sharing health data for advertising purposes.

The nature of the FTC’s recent enforcement actions may provide clarity to organizations that are considering their compliance obligations or questioning what is considered a breach under the HBNR.

Tips for maintaining HBNR compliance

“Organizations oftentimes don't know what type of data they have and where that data resides,” Moschell noted.

“Make sure that you implement a holistic data governance program that not only identifies where your data's at, but actually labels it so you know the data elements that you have, and specifically then what type of governance you need to put around that.”

Moschell also stressed the importance of being transparent with consumers upfront about how their data is being used, especially since consumer protection is at the forefront of the FTC’s efforts.

“I would also want to make sure that my incident response plans were updated to include specific steps to identify the extent of an incident that did occur to identify if essentially this breach notification rule would be triggered,” Moschell added.

Updating incident response plans to account for these changes will ensure that organizations can respond quickly and notify consumers in a timely manner.

Although it went through several revisions and a public comment period before publication, the final rule is still brand new, and further guidance is likely. Moschell suggested drawing insights from the HHS Office for Civil Rights’ enforcement of HIPAA.

“We're probably going to see some organizations that are going to be impacted by this and fines that are going to occur. When there is a new rule like this, I always try to draw from things that are already established that we can learn from,” Moschell stated, pointing specifically to HIPAA and how the Office for Civil Rights (OCR) treats enforcement.

Moschell posited that the FTC may issue future guidance or amendments regarding the HBNR, as HHS did with the HITECH Act.

For now, organizations outside HIPAA’s purview should be prepared to comply with the HBNR as it stands and safeguard health data in an effort to protect consumers.