FTC Undertakes 10-Year Review of Health Breach Notification Rule, Seeks Public Comments

By Jennifer K. Wagner, J.D., Ph.D.


On April 15, 2020, the Federal Trade Commission (FTC) published a notice of its intent to conduct a 10-year review of the Health Breach Notification Rule (HBN Rule) (85 FR 20889), and on May 8, 2020 it announced that it would be requesting public comment. The comment period will remain open for 90 days after the request is published in the Federal Register.


What is the HBN Rule?

The HBN Rule has been around for more than a decade, but it has not garnered as much attention as it perhaps should have. It has been overshadowed by the Health Insurance Portability and Accountability Act Breach Notification Rule (HIPAA Rule) enforced by the Department of Health and Human Services (HHS). The FTC and HHS rules are similar to one another but, notably, the FTC’s HBN Rule applies to businesses that are outside the regulatory reach of HHS’s HIPAA Rule. This has become increasingly important, as much of our individual “health” data is no longer generated, managed, or controlled by businesses traditionally viewed as the keepers of health data (e.g., doctors’ offices holding patients’ medical records) but instead by businesses offering apps, wearables, and online platforms, portals, and communities. Interestingly, while there apparently have been only two notifications of data breaches involving 500 individuals or more reported to the FTC over the entire decade, hundreds of similar data breach notifications have been reported to HHS in merely the most recent 24 months.


How is the HBN Rule different from the HIPAA Rule?

The HIPAA Rule applies to covered entities (i.e., health plans, health care clearinghouses, and health care providers) and their business associates (i.e., individuals or entities performing certain functions or providing certain services on behalf of covered entities). The HBN Rule applies to those who do not meet those criteria but nevertheless hold consumers’ health data and engage in activities involving that data on behalf of the consumer/user: vendors of personal health records (PHRs), PHR-related entities, and the third-party service providers who support them. A “personal health record” is defined by 16 C.F.R. §318.2(d) as “an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for an individual.”


What does the HBN Rule do?

The HBN Rule is intended to obligate vendors of PHRs, PHR-related entities, and third-party service providers to alert the FTC and consumers when there has been a breach of security, that is, when

  1. PHR identifiable health information
  2. that is unsecured and
  3. held in a personal health record
  4. has been acquired without the individual’s authorization.


When a breach is discovered, the notice to affected consumers must be sent “without unreasonable delay” and in no case later than 60 calendar days after discovery. The notice must include a brief description of what happened, what kind of health data was involved, what identity theft risks are associated with the affected data and what steps could reduce those risks, a description of what has been done to mitigate the harm and prevent the breach from recurring, and contact information so that consumers may easily obtain additional information.


How quickly the notice must be submitted to the FTC depends on the magnitude of the data breach. If the breach affected fewer than 500 individuals, the notification to the FTC must occur within 60 calendar days following the end of the calendar year in which the breach was discovered. If the breach affected 500 individuals or more, the notification to the FTC must occur within 10 business days of discovery. Also, if the breach involves 500 individuals or more who reside in one particular location (i.e., a specific state, district, or US territory), prominent media outlets serving that location must also be notified.


Each violation of the HBN Rule can result in civil penalties of up to $43,280, as per the most recent inflation adjustment to the maximum civil penalties allowable for the statutes enforced by the FTC (85 FR 2014). Guidance for businesses on how to comply with the HBN Rule has been available since 2010, and a standardized Notice of Breach of Health Information form is to be used (OMB Control No. 3084-0150). (Interestingly, both the version provided on the FTC’s website and the version cited in the request for comments are expired versions, with expiration dates of 3/31/2016 and 3/13/2019, respectively.)


FTC Seeking Input…Again

This is not the first time the FTC has attempted to obtain public input on the HBN Rule. Early last year (February 2019), the FTC sought comments (84 FR 2868) on four issues under the HBN Rule: (1) whether the information collected has “practical utility” for the FTC to perform its functions; (2) the accuracy of the FTC’s estimated burden of the information to be collected; (3) how to “enhance the quality, utility, and clarity of the information to be collected”; and (4) how to “minimize the burden” on businesses. In May 2019, after the comment period had closed, the FTC indicated (84 FR 18845) that its request had been unsuccessful (eliciting seven “non-germane” comments) and reopened the comment period through June 2019. Judging by the lack of comments appearing in the docket folder on regulations.gov, that attempt appears to have been unsuccessful as well. The FTC’s most recent request for public comments on the HBN Rule seeks input on 23 general and specific questions, suggesting that the FTC is considering the full range of options (i.e., keep the rule, modify the rule, or perhaps even abandon the rule).


This is potentially a much bigger deal than just a breach notification rule that hasn’t been enforced.

Asking whether the HBN Rule remains up to the task, and how its design might be improved given today’s contexts, does seem appropriate. With the Office of the National Coordinator for Health Information Technology (ONC) recently issuing its Final Rule implementing the 21st Century Cures Act, and the American Medical Informatics Association (AMIA) emphasizing the importance of “consumer centricity” in data privacy policies, individuals are intended to have far greater access to and control over the flow of their own health information than ever before. That shift suggests that more and more data activities will be performed on behalf of the individual (consumer, research participant, or patient) rather than on behalf of HIPAA covered entities and their business associates. The input collected as part of this 10-year review of the HBN Rule, when combined with the insights from the 14 hearings the FTC has held recently on “Competition and Consumer Protection in the 21st Century” and from the relevant reports issued (e.g., Big Data: Seizing Opportunities, Preserving Values in 2014; the Internet of Things in 2015; Big Data: A Tool for Inclusion or Exclusion in 2016; the HHS report on non-HIPAA entities in 2016), could become instrumental in shaping how data protection regulations are harmonized, how overlapping agency responsibilities (such as those involving the FTC, FDA, FCC, and CISA) are coordinated and shared, and even how possible comprehensive federal privacy legislation develops.


The FTC has provided us with a significant opportunity to contribute to what our future holds with regard to health data privacy and security. Comments may be submitted online through https://www.regulations.gov until August 2020 (with the exact deadline being 90 days after the request’s publication in the Federal Register).


Correction on November 21, 2021: This post has been revised to correct a typographical error in the original text in which the Health Insurance Portability and Accountability Act was erroneously referred to as the Health Information Portability and Accountability Act. No other revisions have been made.


Jennifer K. Wagner, J.D., Ph.D., is a solo practicing attorney and also conducts research as an Assistant Professor in the Center for Translational Bioethics & Health Care Policy at Geisinger. She is a former contributing editor of the Genomics Law Report and has published scholarly articles in prominent legal and scientific journals, including the Journal of Law & Biosciences; Journal of Law, Medicine, & Ethics; Albany Law Journal of Science & Technology; Virginia Sports and Entertainment Law Journal; North Carolina Journal of Law and Technology; Nature Communications; Nature Medicine; American Journal of Human Genetics; Genetics in Medicine; and PLOS Genetics. She served as a AAAS Congressional Fellow in a U.S. Senator’s office in 2014-2015, and her work has been cited by the Supreme Court of the United States. You may follow her on Twitter as @DNAlawyer.

About: PBA Cybersecurity and Data Privacy

The Pennsylvania Cybersecurity and Data Privacy Committee analyzes cybersecurity issues and educates PBA members about legal, regulatory and industry standards that preserve the confidentiality of protected information.
