What You Should Know:
– The Federal Trade Commission (FTC) has finalized significant changes to the Health Breach Notification Rule (HBNR), aiming to improve consumer protection in the digital age.
– These updates clarify the rule’s application to modern technologies like health apps and expand the information healthcare providers must disclose in the event of a data breach.
Key Updates to Health Breach Notification Rule Summary
- Focus on Health Apps and Emerging Technologies: The revised rule clarifies its application to health apps and similar technologies not covered by the Health Insurance Portability and Accountability Act (HIPAA). This ensures these platforms are held accountable for safeguarding health data.
- Expanded Breach Definition: The rule now encompasses unauthorized access or disclosure of identifiable health information, providing broader protection for consumers.
- Clearer Scope and Definitions: Definitions like “PHR identifiable health information,” “covered healthcare provider,” and “healthcare services or supplies” have been revised for better clarity. Additionally, the revised definition of “PHR related entity” specifies that only entities accessing or sending unsecured health data to a personal health record qualify.
- Enhanced Consumer Notifications: The final rule mandates covered entities to provide more detailed breach notifications to consumers. This includes disclosing the identity of any third parties who acquired unsecured health data during the breach.
- Electronic Notification Options: The updated rule allows for wider use of email and other electronic means to deliver clear and effective breach notifications.
- Revised Timing Requirements: The FTC notification timeframe is adjusted for breaches impacting 500 or more individuals. Covered entities must now notify the FTC simultaneously with sending notifications to affected individuals, with a deadline of 60 calendar days after the breach discovery.
- Improved Readability: The revised rule simplifies language for better comprehension and promotes compliance.
Effective Date and Additional Actions
These changes will take effect 60 days after publication in the Federal Register. The FTC remains vigilant in protecting consumer data security, with recent enforcement actions against companies like GoodRx and Easy Healthcare (Premom app) for violating the HBNR. While the Commission approved the final rule with a 3-2 vote, dissenting statements were issued by Commissioners Holyoak and Ferguson.
The FTC offers resources to educate consumers about their rights and how to report scams and unfair business practices.
“Protecting consumers’ sensitive health data is a high priority for the FTC,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “With the increasing use of health apps and connected devices, the updated HBNR will ensure it keeps pace with changes in the health marketplace.”
