Houston, Texas (June 28, 2023) – The Federal Trade Commission (FTC) has proposed significant amendments to the Health Breach Notification Rule (HBNR) in response to the rapid evolution of health apps and other health-related technologies. These changes aim to strengthen and modernize the rule, ensuring that consumers' health data are protected and that companies provide timely notifications when breaches occur.

The Need for Updates

Since the issuance of the HBNR in 2009, the development and use of health apps and connected devices have dramatically expanded. However, many of these technologies fall outside the scope of the Health Insurance Portability and Accountability Act (HIPAA). This regulatory gap creates challenges in safeguarding consumers' sensitive health information and ensuring proper breach notifications.

Proposed Amendments and Expansions

The FTC's proposed amendments to the HBNR are aimed at addressing the gaps and challenges posed by the evolving health technology industry. Key changes under consideration include:

  1. Clarifying Applicability: The proposed amendments seek to clarify the rule's applicability to health apps and similar technologies that are not covered by HIPAA. This would ensure that entities responsible for collecting and processing health data through these technologies comply with the HBNR.
  2. Expanded Scope: The FTC aims to expand the HBNR's scope to cover a wider range of entities involved in handling health data. These would include vendors of personal health records (PHRs) and certain non-HIPAA covered entities.
  3. Enhanced Breach Notification Obligations: The proposed amendments would strengthen breach notification obligations, requiring companies to provide timely notifications to affected individuals, the FTC, and, in some cases, the media. The goal is to ensure that individuals are promptly informed about any unauthorized acquisition of their personally identifiable health data.
  4. Updated Definitions and Notice Requirements: The FTC intends to introduce new and clarified definitions within the rule and revise notice requirements to align with the evolving landscape of health technology and data breaches.

To ensure a comprehensive and inclusive rulemaking process, the FTC is actively seeking public comments on the proposed amendments to the HBNR. Interested stakeholders, including industry participants, consumer advocacy groups, and privacy experts, have an opportunity to provide their insights, concerns, and recommendations to shape the final rule. The public comment period will remain open until August 8, 2023.

Importance of the Proposed Changes

The proposed amendments to the HBNR are intended to further protect consumers' health data and maintain trust in the digital health ecosystem, demonstrating the agency's commitment to safeguarding this information in the rapidly evolving digital health landscape. With the increasing prevalence of health apps and connected devices, it is essential to have robust regulations that keep pace with technological advancements and that ensure responsible data practices. The amendments would help close regulatory gaps and improve transparency, accountability, and consumer privacy in the health technology sector. Moreover, the collection of public input in the rulemaking process will play a vital role in shaping the final amendments and establishing necessary and effective safeguards.
