The Federal Trade Commission (FTC), having recently taken its first enforcement actions under the Health Breach Notification Rule (HBNR) it adopted in 2009,1 is now proposing, in a notice of proposed rulemaking (NPRM) published on June 9, 2023,2 significant expansions to the HBNR's scope. As stated in an earlier press release, the FTC believes "it is more vital than ever that mobile health app developers and others covered by the Health Breach Notification Rule provide consumers and the FTC with timely notice about what happened," and "[t]he proposed amendments to the rule will allow it to keep up with marketplace trends, and respond to developments and changes in technology."3

The HBNR requires notification to individuals, the FTC, and in some cases the media, of breaches of the security of "personal health records" (PHRs) experienced by PHR "vendors," "PHR related entities," and "third party service providers." A PHR under the HBNR is an electronic record of PHR identifiable health information that can be drawn from multiple sources, and that is managed, shared, and controlled by or for the individual to whom the information pertains. Although the HBNR was generally viewed as quite limited in scope, nine months ago the FTC issued a policy statement warning mobile app developers about their potential status as PHR vendors and that when such a vendor "discloses sensitive information without users' authorization, this is a 'breach of security' under the [HBNR]."4 All of the agency's recent (and only) enforcement actions under the HBNR were against mobile app developers.

As explained in the NPRM, the FTC now intends to codify its interpretations of the HBNR expressed in the September 2021 policy statement and to make additional HBNR modifications. The FTC is inviting comments on the proposed modifications until August 8, 2023.

Regulatory Scope

The HBNR implements provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which required both the FTC and the U.S. Department of Health and Human Services (HHS) to promulgate regulations requiring notification of security breaches involving individually identifiable health information. The HHS regulations apply to entities subject to the privacy and security rules implementing the Health Insurance Portability and Accountability Act (HIPAA), and those entities are exempt from the HBNR.

In its current proposal, the FTC seeks to clarify the scope of the HBNR by refining certain existing definitions of pertinent terms, as well as defining new, relevant terms.

"PHR Identifiable Information"

The FTC proposes a minor revision to the existing definition of "PHR identifiable health information"5 to clarify that the term encompasses not only traditional health information (e.g., diagnoses, medications), but also health information derived from consumers' interactions with mobile apps and other online services (e.g., health information generated from tracking technologies used by websites or mobile app interactions) and emergent health data (e.g., health information inferred from non-health-related data points, like location or recent purchases).6

"Health Care Services or Supplies"

The FTC also proposes to add a definition of "health care services or supplies" to clarify the scope of "vendors of PHRs." Under the proposed rule, "health care services or supplies" would include "any online service, such as a website, mobile application, or Internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools."7 Mobile apps and other technologies providing these types of health care services or supplies would be deemed "health care providers" under the HBNR, and the individually identifiable health information collected through these technologies would constitute "PHR identifiable information."8 These definitional modifications would clarify that developers of these types of technologies are "PHR vendors" under the HBNR.

In connection with these proposed modifications, the FTC seeks responses to, among others, the following questions:

  • Do the proposed changes clarify for the market which entities are covered by the HBNR and under what circumstances?
  • Would the proposed changes and added definitions apply to entities that offer other technologies and, if so, is such application appropriate? If not, how could the scope be limited?
  • Should any adjustments be made to the proposed definition of "healthcare services or supplies"?

"Personal Health Record"

The FTC proposes to clarify the definition of a PHR by replacing the definition's current reference to information that "can be drawn from multiple sources"9 to refer to records that have the technical capacity to draw information" from multiple sources.10 Regarding this proposed change, the FTC seeks comments on the following questions:

  • Should the proposed definition be adjusted to take into account consumer use (e.g., where no or de minimis customers use a feature)?
  • How likely it is that an app would have the technical capacity to draw information from multiple sources, but have that capacity entirely or mostly unused, either because it remains a Beta feature, has not been publicized, or is not popular?

"Breach of Security"

The FTC also proposes to expand the definition of a "breach of security" under the HBNR to clarify that "a breach is not limited to cybersecurity intrusions or nefarious behavior" of an external actor. Currently, the definition refers to "acquisition without authorization" of unsecured PHR identifiable health information.11 Under the FTC's proposal, the definition would include an unauthorized acquisition that "occurs as a result of a data breach or an unauthorized disclosure."12 This addition is intended to underscore that a "breach of security" includes an unauthorized disclosure, such as a voluntary disclosure made by a PHR vendor without obtaining the consumer's consent, consistent with the FTC's position in its HBNR enforcement actions.

Notice Requirements

With respect to breach notifications, the FTC proposes to permit vendors of PHR or PHR-related entities to provide notice via electronic mail (if specified by the consumer as the primary contact method), rather than only by first-class mail.13 Electronic mail would be defined to include "email in combination with one or more of the following: text message, in-app messaging, or electronic banner."14 Vendors would be required to secure consumer consent before adopting electronic mail as the vendor's notification method and to enable consumers to opt out of electronic mail notifications.15

The FTC also proposes adding several elements to the required content of breach notifications, including "a brief description of the potential harm that may result from the breach (e.g., medical or other identity theft)."16 Regarding this proposal, the FTC solicits comment on:

  • Would the description of potential harms serve the public interest and benefit consumers?
  • Are notifying entities able to assess the potential harms to individuals following a breach, and if not, can notifying entities minimize the potential risks by informing individuals that they are unaware of any harms that may result from the breach?
  • In the absence of known, actionable harm resulting from a breach, what would be the best way for notifying entities to describe to individuals the potential harms they may experience?
  • Might additional and more specific data elements overwhelm or confuse recipients?

Changes Considered and Subject to Public Comment

The NPRM includes requests for comment on HBNR changes that the FTC considered but did not actually propose. For example, the FTC considered defining "authorization" (relevant to whether a disclosure was "unauthorized") to mean affirmative express consent of the individual, where affirmative express consent is consistent with state laws that define consent. The FTC is soliciting comments on, among other things, the following:

  • What constitutes acceptable methods of authorization?
  • Is it acceptable to obtain an individual's authorization to share PHR information through an individual's click in connection with a pre-checked box?
    • Is it sufficient if an individual agrees to terms and conditions disclosing such sharing but that individual is not required to review the terms and conditions?
    • Or is it sufficient if an individual uses a health app that discloses in its privacy policy that such sharing occurs, but the app knows via technical means that the individual never interacts with the privacy policy?
  • Are there certain types of sharing for which authorization by consumers is implied, because such sharing is expected and/or necessary to provide a service to consumers?

And with respect to the timing of required notices, the FTC's questions for public comment are:

  • Would earlier notification to consumers better protect them, or would that instead lead to partial notifications because the entity may not have had time to identify all relevant facts?
  • Should the timeline for notices to the FTC be extended to give entities more time to investigate breaches and better understand the number of individuals affected, or would an extension instead facilitate dilatory action and minimize opportunity for important dialogue with the FTC?

Implications

While the FTC has already been using the HBNR in its recent enforcement actions consistent with the broadened scope reflected in the definition of PHR identifiable information and vendors of PHRs, the notice and comment period gives mobile app developers, digital health companies, and others using health and wellness information an opportunity to attempt to clarify the scope of what will certainly be a broader HBNR landscape.

Footnotes

1. See our previous blogs here, here, and here.

2. 88 Fed. Reg. 37819 (Jun. 9, 2023) available here.

3. FTC Proposes Amendments to Strengthen and Modernize the Health Breach Notification Rule, Federal Trade Commission (May 18, 2023), available here.

4. Id.

5. See 88 Fed. Reg. at 37822-23 (PHR identifiable information encompasses identifiable health information provided by or on behalf of an individual and received by a health care provider, health plan, employer, or health care clearinghouse).

6. Id. at 37823.

7. Id.

8. Id.

9. 16 C.F.R. § 318.2(d).

10. 88 Fed. Reg. at 37826 (emphasis added).

11. 16 C.F.R. § 318.2(d).

12. 88 Fed. Reg. at 37824 (emphasis added).

13. Id. at 37827.

14. Id.

15. Id.

16. Id. at 37828 (The Proposed Rule also seeks comment related to potential other content requirements, including (1) the full name, website, and contact information of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security; (2) a brief description of what the entity is doing to protect affected individuals (e.g., offering credit monitoring); and (3) the contact procedures specified by the notifying entity, including two or more of the following: toll-free telephone number, email address, website, in-app messaging, or postal address.).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.