On Friday, April 26, 2024, the Federal Trade Commission (“FTC”) voted 3-2 to issue a final rule (the “final rule”) that expands the scope of the Health Breach Notification Rule (“HBNR”) to apply to health apps and similar technologies and broadens what constitutes a breach of security, among other updates. We previously covered the proposed rule, which was issued on May 18, 2023.
In the FTC’s announcement of the final rule, the FTC emphasized that “protecting consumers’ sensitive health data is a high priority for the FTC” and that the “updated HBNR will ensure [the HBNR] keeps pace with changes in the health marketplace.” Key provisions of the final rule include:
- Revised definitions: The final rule includes changes to current definitions in the HBNR that codify the FTC’s recent position on the expansiveness of the HBNR. Specifically, among other definition changes, the HBNR contains key updates to the definitions of:
- “Personal health records (‘PHR’) identifiable information.” In the final rule, the FTC adopts changes to the definition of PHR identifiable information that were included in the proposed rule to clarify that the HBNR applies to health apps and other similar technologies not covered by the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (collectively, “HIPAA”). In the final rule, the FTC discusses the scope of the definition, noting that “unique, persistent identifiers (such as unique device and mobile advertising identifiers), when combined with health information constitute ‘PHR identifiable health information’ if these identifiers can be used to identify or re-identify an individual.”
- “Covered health care provider.” In the proposed rule, the FTC proposed adding a definition of “health care provider” to include providers of medical or other health services, or any other entity furnishing “health care services or supplies” (i.e., websites, apps, and Internet-connected devices that provide mechanisms to track health conditions, medications, fitness, sleep, etc.). The final rule does not make substantive changes to this proposed definition but does contain a slight terminology change to “covered health care provider” to distinguish that term from the definition of “health care provider” in other regulations.
In the final rule, the FTC notes that the concern (expressed by some commenters) that the scope of these definitions could impermissibly cause the HBNR to cover retailers of general purpose items like shampoo or vitamins is unwarranted—rather, the FTC explains, the threshold inquiry is whether an entity is a vendor of PHR, which is “an entity that offers or maintains a [PHR].” The final rule notes that to be a vendor of PHR covered by the HBNR, an app, website, or online service “must provide an offering that relates more than tangentially to health” and that a PHR must be “an electronic record of PHR identifiable health information on an individual, must have the technical capacity to draw information from multiple sources, and must be managed, shared, and controlled by or primarily for the individual.”
- “Breach of security.” In the final rule, the FTC adopts the proposed changes to the meaning of “breach of security” to capture a company’s intentional but unauthorized disclosures of consumers’ PHR identifiable health information to third party companies, as well as traditional cybersecurity incidents. Notably, the FTC emphasizes in the final rule that the meaning of “breach of security” includes more than just unauthorized disclosures to third parties—the FTC takes the position that the term also includes unauthorized uses, i.e., “where an entity exceeds an authorized access to PHR identifiable health information, such as where it obtains data for one legitimate purpose, but later uses that data for a secondary purpose that was not originally authorized by the individual.”
The final rule notes that the FTC has not added a definition of “authorization,” but provides several examples of what may constitute an “unauthorized” disclosures of PHR identifiable health information, including (i) affirmative privacy misrepresentations to users such that disclosures of PHR identifiable health information are inconsistent with consumer expectations and (ii) “deceptive omissions,” where a company does not disclose, or obtain affirmative express consent from users for, the sharing of their PHR identifiable health information for targeted advertising.
- “PHR Related Entity.” The FTC adopts in the final rule the proposed changes to the definition of “PHR related entity” to affirm that (i) PHR related entities include entities offering products and services through any online service, including mobile applications, (ii) PHR related entities encompass only entities that access or send unsecured PHR identifiable health information to a PHR, and (iii) a third party service provider that accesses PHR identifiable health information in the course of providing services is not automatically rendered a PHR related entity. However, the final rule states that, to the extent a third party service provider uses PHR identifiable health information that it receives in its capacity as a service provider for its own purposes (e.g., its own research and development), this entity is a PHR related entity “to the extent that that it offers its services . . . for its own purposes rather than to provide services.”
The final rule also requires that vendors of PHR and PHR related entities notify their third party service providers that the vendor of PHR/PHR related entity is subject to the HBNR. According to the final rule, the purpose of this notice is to ensure that the third party service providers are aware of the content of the data transmissions received by the third party service providers and that the third party service providers provide timely notice to the vendor of PHR/PHR related entity of any breach under the HBNR.
The final rule states that vendors of PHR and PHR related entities may facilitate compliance with this notice requirement by stipulating via contract whether the transmissions to third party service providers will contain PHR identifiable health information. The final rule suggests that both the vendor of PHR/PHR related entity and third party service provider should monitor for compliance with such contractual provisions taking into consideration the size and sophistication of the entity and the sensitivity of the data. Further, the final rule suggests that certain entities that may act as third party service providers, such as “a large advertising platform,” may have heightened obligations to monitor the data it receives (even where partners promise not to send PHR identifiable health information to it), particularly if the entity has in the past routinely received unsecured PHR identifiable health information notwithstanding vendors’ of PHR/PHR related entities’ commitments to the contrary. The final rule distinguishes these heightened monitoring obligations from those of “small firms that do not engage in high-risk activities where the contract precludes sending such data and there is no history of such transmissions.”
- Clarification of the meaning of a PHR “draw[ing] information from multiple sources:” In the final rule, the FTC adopts the proposed changes to what it means for a PHR to draw information from multiple sources. Specifically, a PHR will now be defined to include an electronic record of PHR identifiable health information that has the technical capacity to draw information from multiple sources. For example, according to the final rule, because a fitness app has the technical capacity to draw identifiable health information from both the user and the fitness tracker, it is a PHR, even if some users elect not to connect the fitness tracker.
- Provision of electronic notice and included content: The final rule adopts the proposal that notice of a breach sent by electronic mail must also be provided by one or more of a text message, within-app message, or electronic banner, which must be clear and conspicuous. The final rule also requires that a notice of breach include the name or identity (or, where providing the full name or identity would pose a risk to individuals or the entity providing notice, a description), website, and contact information of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security.
- Timing changes for notices of breaches: Previously, the HBNR required notice “as soon as possible and in no case later than ten business days following the date of discovery of the breach” for breaches involving 500 or more individuals. For breaches involving less than 500 individuals, the HBNR requires notice within 60 calendar days following the end of the calendar year. The final rule modifies the timing for the notice of a breach of security involving 500 or more individuals to “without unreasonable day and in no case later than 60 calendar days after the discovery of a breach of security.” The notice to the FTC must be sent at the same time as the notice to individuals.
As noted above, this final rule was not issued unanimously—the FTC Commissioners voted 3-2 to finalize the changes, with recently confirmed Commissioners Holyoak and Ferguson opposing the final rule. Among other reasons outlined in their dissenting statement, Commissioners Holyoak and Ferguson argued that the final rule “exceeds the Commission’s statutory authority, puts companies at risk of perpetual non-compliance, and opens the Commission to legal challenge that could undermine its institutional integrity.” While the finalization of these changes to the HBNR is notable, many of these changes reflect the codification of the position already taken by the FTC in recent years in prior guidance and enforcement actions. In 2021, the FTC adopted by a 3-2 vote a policy statement “Statement of the Commission on Breaches by Health Apps and Other Connected Devices,” which took a similarly broad approach to when health apps and connected devices are covered by the HBNR and when there is a “breach” for purposes of the HBNR. Then Commissioners Phillips and Wilson opposed the policy statement based on concerns about the expansion of the HBNR beyond the FTC’s statutory authority, among other concerns. Since the 2021 policy statement, the FTC has brought its first two enforcement actions under the HBNR against GoodRx (issued 4-0) and Easy Healthcare (issued 3-0), leveraging its broad interpretation of the meaning of “breach.”