Health Breach Notification Rule Updated

In April 2024, the Federal Trade Commission (FTC) finalized changes to the Health Breach Notification Rule (HBNR). The updates clarify the rule’s applicability to health apps and similar technologies. The new rules also expand the information that covered entities must provide to consumers when notifying them that their health data has been breached.

The HBNR applies to vendors of personal health records (PHR) and related entities not covered by HIPAA. The rule also requires vendors to notify individuals, the FTC, and in some situations, the media about a breach of personally identifiable health data. Third-party service providers must also notify PHR vendors of a breach.

Changes to the HBNR include:

Revising Definitions

The Commission revised several definitions to underscore the final rule’s applicability to health apps and similar technologies that have not been historically covered by HIPAA. This includes modifying the definition of “PHR identifiable health information,” and adding two new definitions for “covered health care provider” and “healthcare services or supplies.”

Clarifying Breach of Security

The Final Rule clarifies that a “breach of security” includes an unauthorized acquisition of identifiable health information that occurs because of a data security breach or an unauthorized disclosure.

Revising the Definition of PHR-related Entity

The definition of “PHR-related entity” has been revised in two ways that pertain to the Final Rule’s scope. The revised definition clarifies that the HBNR covers entities that offer products and services through the online services, including mobile applications, of vendors of personal health records. The Final Rule also clarifies that only entities that access or send unsecured PHR identifiable health information to a personal health record, rather than entities that access or send any information to a personal health record, qualify as PHR-related entities.

Clarifying Multiple Sources of PHR Identifiable Health Information

The Final Rule clarifies what it means for a personal health record to draw PHR identifiable health information from multiple sources.

Expanding the Use of Electronic Notification

The Final Rule authorizes the expanded use of email and other electronic means of providing clear and effective notice to consumers of a breach.

Expanding Consumer Notice Content

The Final Rule expands the required content that must be provided in the notice to consumers. For example, the notice must include the name or identity of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security.

Changing Timing Requirement

Lastly, the Final Rule modifies when the FTC must be notified under the rule. For breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they send notices to affected individuals. The notification must occur without unreasonable delay and within 60 calendar days after the discovery of a breach.

The FTC, with the help of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), has been proactive in taking actions against companies that violate the Health Breach Notification Rule. In 2023, GoodRx was hit with a $1.5 million penalty for failing to report its unauthorized disclosure of consumer health data to Facebook, Google, and other companies. That same year, Easy Healthcare Corporation was barred from sharing health data for advertising after failing to notify users that its Premom app had been sharing their data to third parties.

CompliancePoint has a team of experienced healthcare, privacy, and cybersecurity professionals that can help any organization comply with the HBNR, and all aspects of HIPAA, and achieve HITRUST certification. Contact us at connect@compliancepoint.com to learn more about our services.