FTC Expands Healthcare Data Breach Notification Rule to Cover Health Apps and Unauthorized Data Use
The Federal Trade Commission has finalized “significant” amendments to the Health Breach Notification Rule. First, the changes extend the rule’s jurisdiction, which historically covered only vendors of personal health records, so that it now explicitly reaches health apps. The rationale is that more and more people use digital health apps and devices such as Fitbit to track their step count, blood pressure, heart rate, and similar metrics. These technologies require users to enter their health information into the app for the device to work accurately, so the rule should apply to them as well.
Key Changes and Implications
- Expanded Scope: The new rule provides a broader, consolidated definition of a “healthcare data breach,” meaning “unauthorized access, use or disclosure of PHI that compromises the security or privacy of such information, but not limited to the core set of data covered under the existing PHR entities’ ‘healthcare data breaches’ definition.” Note that PHI here refers to Personally Identifiable Health Information. The Rule took effect on June 25, 2024, and is expected to strengthen protection of consumers’ health information in the digital era.
- Broader Definition of “Healthcare Data Breach”: Notably, the revised rule substantially broadens the definition of a healthcare data breach to cover more than ordinary data security failures. In particular, it characterizes a healthcare data breach as the unauthorized exposure or use of health information, even when that information was originally obtained for a lawful purpose. Companies can therefore be penalized for a healthcare data breach if they use health data in ways or situations that the patients did not authorize.
- Notice Requirements: The amended rule modifies the content and methods for notifying consumers of healthcare data breaches. Notices must now be clear, conspicuous, and reasonably understandable, and should typically include the identity of third parties who acquired the breached information.
The FTC’s expansion of the HBNR has nonetheless drawn criticism. The final version of the rule passed on a 3-2 vote, with the dissenting commissioners citing regulatory overreach, compliance challenges, and vulnerability to legal challenge as their major concerns. Businesses not covered by HIPAA that still collect or use health-related information should therefore assess how the new rule applies to them.
Specifically, all data use and transfer agreements, including those with vendors, should be reviewed to confirm that every disclosure and use of this information is properly authorized. Regulated companies should also keep a close watch on state health privacy legislation, as the legal landscape may shift in the near future.
The Health Breach Notification Rule, as a new and expanded approach to protecting consumer health information, represents an important step in this age of digitization, even though its broader definition and extended scope of healthcare data breaches pose considerable compliance challenges.