FTC Finalizes Changes to Health Breach Notification Rule: What Digital Health Companies and App Developers Need to Know
The Federal Trade Commission (FTC) finalized changes to the Health Breach Notification Rule (HBNR), clarifying its applicability to health apps and similar technologies, including those that are not subject to HIPAA. In 2023, the FTC began enforcing the HBNR in earnest, with an expanded interpretation of its authority under the HBNR. In the 2024 Final Rule, the agency conforms the HBNR to this expanded interpretation, clarifying its breadth for industry and the public.
When we talk with clients about the HBNR, we’re often met with surprise: “We’re not a covered entity or business associate, so we don’t have to do breach notification, right? Isn’t that a HIPAA thing?” Yes. And no.
How is the HBNR Different from HIPAA?
The Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA), establishes various safeguards for “protected health information” (PHI), including how it is used, disclosed, and secured. Breach notification obligations are just one aspect of HIPAA, which applies to (a) “covered entities” – providers, payors, and health care clearinghouses, and (b) “business associates” – entities that provide services to or on behalf of covered entities and to whom covered entities disclose PHI.
The HBNR applies to entities NOT regulated by HIPAA that maintain “personal health records” (PHRs), including digital health companies, apps, and other companies sending or receiving unsecured PHR identifiable health information (i.e., vendors of PHRs). To determine whether the HBNR applies to your company, you need to determine whether you’re collecting “personal health records.” These are:
electronic records of “PHR identifiable health information” on an individual, that
have the technical capacity to draw information from multiple sources (e.g., a wearable fitness app or a provider EHR), and
are managed, shared, and controlled by or primarily for the individual.
PHR identifiable health information includes data provided by or on behalf of the individual related to an individual's health, healthcare, or payment for healthcare that is created or received by a covered health care provider.
The agency’s evolving interpretation of what qualifies as a PHR is the subject of this update.
Some entities may handle or process both PHI covered under HIPAA and other forms of health data covered under the HBNR. It’s critical for organizations to understand the relevant breach notification requirements for the types of data they are handling.
Multi-Million-Dollar Penalties and the Evolution of the HBNR
The HBNR was first implemented by the FTC in 2009 to advance the use of health information technology while strengthening privacy and security protections for health information not covered by HIPAA. Prior to 2021, the HBNR was widely viewed as applying narrowly to instances of theft or misappropriation of consumer medical records held by electronic medical record vendors. From its passage in 2009 until 2023, the FTC did not bring a single action enforcing the HBNR.
Beginning in 2021, this long-held position began to change. Starting with the FTC’s September 2021 Policy Statement, the FTC began more broadly interpreting the HBNR. Among other things, the FTC asserted that the HBNR applied to consumer health-related website browsing and app usage data shared with advertising vendors via tracking pixels without consumer consent.
In 2023, the FTC brought the first ever enforcement action against a company under the HBNR. GoodRx paid a $1.5 million civil penalty “for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies.” Specifically, GoodRx shared sensitive information (i) contrary to its privacy policies and (ii) without limiting third-party use. The FTC found that GoodRx – a pharmacy discount service, app, and website – is a vendor of PHRs and its practices violated the HBNR.
Later in 2023, BetterHelp paid a civil penalty of $7.8 million “to settle charges that it revealed consumers’ sensitive data with third parties such as Facebook and Snapchat for advertising after promising to keep such data private.” Specifically, BetterHelp revealed a variety of consumer information (health questionnaire responses, email addresses, etc.) to various social media companies for advertising purposes. The FTC also found BetterHelp – an online counseling app and website – to be a vendor of PHRs in violation of the HBNR. According to the FTC, BetterHelp (i) failed to maintain adequate policies and procedures governing sensitive information, (ii) failed to place limits on how advertisers could use sensitive information, and (iii) failed to obtain consumers’ consent before disclosing their health data.
The HBNR’s Reach into Digital Health
The 2024 Final Rule cemented current FTC policy, making the HBNR broadly applicable to nearly any digital health tool that creates, collects, discloses, or processes PHRs. The Final Rule clarified that vendors who manage, share, or control, on behalf of an individual, identifiable health care information created or received by an entity furnishing “healthcare services or supplies” are subject to the HBNR. Specifically, this includes any online service such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools. This definition makes clear that the FTC is looking at both medical and wellness use cases.
The 2024 Final Rule further expands its reach by more broadly defining “PHR related entity” to include entities that offer products and services through the online services (including mobile apps) of both HIPAA covered entities that offer PHRs and vendors of PHRs. These entities could include, for example, remote monitoring companies that sell their blood pressure cuffs or continuous glucose monitors (CGMs) through an app or website and then access, or send the device data to, a PHR. Both vendors of PHRs and PHR related entities are subject to the HBNR.
The 2024 Final Rule also made the following substantive changes:
Aligning the definition of a “breach” with HIPAA:
“Breach of security” now includes any unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure. This aligns with the HIPAA definition of breach, which includes unauthorized access to data in addition to a third-party breach.
Clarifying the requirement that a PHR “draw information from multiple sources”:
The 2024 Final Rule clarifies that “personal health record” under the HBNR requires PHR identifiable health information on an individual that has the “technical capacity to draw information from multiple sources,” even if the individual user doesn’t avail themselves of such functionality. See two examples from the 2024 Final Rule, below:
Expanding use of electronic notification:
The 2024 Final Rule authorizes the expanded use of email and other electronic means of providing clear and effective notice to consumers of a breach. However, specific requirements must be met for use of electronic notification, so digital health developers relying on electronic notification should be aware of the specific requirements that will apply to them.
Expanding consumer notice content:
The 2024 Final Rule expands on the content entities must provide to consumers in a breach notice. For example, the notice must include the name or identity (or, where providing the full name or identity would pose a risk to individuals or the entity providing notice, a description) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security.
Revised FTC notification requirement:
For breaches involving 500 or more individuals, vendors of PHRs and PHR related entities must now notify the FTC at the same time affected individuals are notified.
Vendor Notice:
The 2024 Final Rule also requires that vendors of PHRs and PHR related entities notify third party service providers of their status as vendors of personal health records or PHR related entities. This requirement aims to put recipients of data on notice about the potential content of the data transmissions they receive.
What Should Digital Health Companies and App Developers Do Right Now?
1. Identify Whether the HBNR Applies to You
The first step is to identify whether the HBNR applies to your organization and the data you create, collect, or process.
2. Establish Appropriate Data Security Safeguards and Controls
The 2024 Final Rule requires that you provide notice when there has been an unauthorized acquisition of unsecured PHR identifiable health information that occurs as a result of a data breach. Your organization should establish appropriate and reasonable data security controls for all PHR identifiable health information that you create, collect, or process.
3. Establish Policies & Procedures to Prevent Unauthorized Disclosures of PHR
If the HBNR applies to your organization, you should (i) publish and maintain accurate privacy policies on all consumer-facing websites, patient portals, and mobile applications and (ii) require and obtain user consent before disclosing user health information to third parties for advertising purposes.
4. Notify Third Party Service Providers of HBNR Status
If you are a vendor of personal health records or a PHR related entity, the 2024 Final Rule requires you to notify third party service providers of your status as a vendor of personal health records or a PHR related entity.
5. Develop a Breach Notification Strategy
To facilitate compliance with the notification requirements under the HBNR, applicable organizations should prepare a breach notification strategy.
6. Reach out to an expert!
Complying with the myriad healthcare-specific data privacy laws (HIPAA, the HBNR, and state statutes) is a daunting task for healthcare companies of all sizes. The 2024 Final Rule further complicates the healthcare data compliance picture. We’re here to help you navigate both the implications of the 2024 Final Rule and the broader data privacy landscape. Click here to get started.