Proposed Changes to the FTC Health Breach Notification Rule

By Jennifer K. Wagner, J.D., Ph.D.


At the open commission meeting held on May 18, 2023, the Federal Trade Commission (FTC) voted unanimously (3-0) to issue a Notice of Proposed Rulemaking (NPRM) to make modifications to the Health Breach Notification (HBN) Rule (16 CFR Part 318).


Proposed changes to the FTC HBN Rule

There are several proposed changes to the HBN Rule. Definitions would be revised to clarify (1) that most developers of health apps and similar technologies not otherwise covered by HIPAA are covered by the FTC’s HBN Rule as “vendors of personal health records” (or PHRs) and (2) that a “breach of security” includes not only a data breach but also an unauthorized data disclosure.


Two definitional refinements are proposed to “PHR related entity.” The first change makes clear that the term covers entities that offer products and online services, recognizing that online services might involve not only websites but also mobile apps. The second change offers specificity to remove confusion about the breadth of the HBN Rule’s reach. Just sending any kind of information to a PHR is not sufficient to qualify an entity as a “PHR related entity.” Rather, a “PHR related entity” refers to entities accessing or sending specifically “unsecured PHR identifiable health information” to a PHR. Additionally, the definition of PHR would be refined to clarify that it is the “technical capacity to draw information” from multiple sources that matters for the HBN Rule, regardless of whether a consumer/user actually utilizes those technical features and regardless of whether health information is drawn from one or multiple sources.


The HBN Rule would also be refined in both the method and content of the required notices. Rather than mandate an antiquated “snail mail” notification, the revisions would allow notice by email that is “clear and conspicuous.” The content of the notice would need to include additional information beyond what is currently required by the HBN Rule, including the potential harm from the breach of security incident as well as the steps the vendor is taking on behalf of affected consumers. A model notice has also been developed and offered in the NPRM, which vendors would be permitted but not required to use.


Revisions intended to make the HBN Rule easier to read were also proposed. For example, the rule would include parenthetical explanations and would consolidate the separate notification requirements and timing requirements into one section of the rule.


Finally, the NPRM would also clarify that violations of the HBN Rule constitute a violation of Section 18 of the Federal Trade Commission Act and that such non-compliance would involve penalties of up to $50,120 per violation per day (with that amount increased annually per law).


Questions posed for public comment

In addition to the proposed amendments to the HBN Rule, the FTC also presented questions for public comment related to three areas of amendments that it has considered but has not yet proposed.


First, the FTC is particularly interested in gauging whether it has already provided sufficient guidance related to how it will determine whether a breach of security (e.g., unauthorized data disclosure) has occurred or, alternatively, whether it is necessary to add definitions to the rule for “authorization” and “affirmative express consent.”


Second, the FTC seeks public comment on whether the definition of “third party service provider” should be modified to clarify the scope of actors it might reach in light of ever-changing technologies and business models and potentially different conceptualizations of “provide services.”


Third, the FTC seeks public comment on the HBN Rule’s timing requirement for notification following a breach of security and (1) whether entities need more than 10 days to gather information before notifying the FTC about an incident and (2) how consumers are affected by the timing of notifications. For example, early notifications could potentially protect consumers more by putting them on alert promptly to enable them to take risk mitigation steps personally; however, early notifications might be incomplete if the entities don’t have adequate time to gather the relevant information about the breach to make meaningful notification. Presumably, the FTC might be considering whether to harmonize with the HIPAA Breach Notification Rule, which has a longer timing requirement (i.e., notifications to HHS must occur “without unreasonable delay and in no case later than 60 calendar days” after the breach incident).


Proposed changes in context

That the FTC is seeking to strengthen digital health policies should come as no surprise. Previous coverage on this blog has noted the FTC began a 10-year review of the HBN Rule in 2020 and issued a policy statement in September 2021 clarifying data privacy and security obligations for digital health. While enforcement of the HBN Rule had notoriously been nonexistent, the FTC has taken action twice already in 2023: in a historic first with action against GoodRx in February and more recent action against the app Premom in May.


Several government agencies have been trying to bolster digital health privacy protections, as dataveillance and information privacy concerns have been rising since the 2022 U.S. Supreme Court decision of Dobbs. For example, the Department of Health and Human Services (DHHS) in April issued its own NPRM to strengthen reproductive health privacy under HIPAA and the HITECH Act, having previously penned clarifying guidance on what current law allows or requires. The FTC’s HBN Rule, which was issued in 2009, is undoubtedly due for an update given the proliferation of smartphones, wearables, and consumer health apps since that time.


There is a 60-day public comment period on the NPRM for the FTC HBN Rule, similar to the public comment period held open for the NPRM on reproductive privacy issued by DHHS (which closes on June 16, 2023).



Jennifer K. Wagner, J.D., Ph.D., is a solo practicing attorney and also is Assistant Professor of Law, Policy, and Engineering at Penn State University. She has been a member of the PBA Cybersecurity & Data Privacy Committee since 2018, is a former contributing editor of the Genomics Law Report, and has published scholarly articles in prominent legal and scientific journals, including the Journal of Law & Biosciences; Journal of Law, Medicine, & Ethics; Albany Law Journal of Science & Technology; Virginia Sports and Entertainment Law Journal; North Carolina Journal of Law and Technology; Science; Nature Communications; Nature Medicine; American Journal of Human Genetics; Human Genetics and Genomics Advances; Genetics in Medicine; and PLOS Genetics. She served as an AAAS Congressional Fellow in a U.S. Senator’s office in 2014-2015, and her work has been cited by the Supreme Court of the United States. You may follow her on Twitter as @DNAlawyer. Disclosure: Related to the content of this blog post, Dr. Wagner has conducted research funded by NHGRI Grant No. R01HG011051. Views expressed are her own.

About: PBA Cybersecurity and Data Privacy

The Pennsylvania Cybersecurity and Data Privacy Committee analyzes cybersecurity issues and educates PBA members about legal, regulatory and industry standards that preserve the confidentiality of protected information.
