What is the FTC's revised health breach notification rule?
To strengthen the protection of consumer health data, the Federal Trade Commission (FTC) has revised the health breach notification rule (HBNR), originally introduced in 2009. The revised rule safeguards individuals' sensitive health information held on digital platforms such as mobile apps and internet-connected devices.


Understanding the regulation before the revision

Prior to the implementation of the HBNR in 2009, a regulatory void existed when it came to protecting consumer digital health information. While the Health Insurance Portability and Accountability Act (HIPAA) required covered entities and business associates to protect such information, consumers whose data was stored in personal health records by vendors and third-party apps that were not HIPAA-covered entities or business associates were left without adequate regulatory protection.

The original HBNR was introduced to address this gap, mandating that regulated entities notify affected consumers of any breaches of their digital health information. However, as digital health platforms have grown more complex, with new technologies such as smartphone user tracking, the 2009 HBNR definitions of regulated technologies have become outdated.


Highlights of the revised health breach notification rule

To keep pace with the rapid advancements in digital health technologies, the FTC has recently revised the health breach notification rule, with the updated version becoming effective on July 29, 2024. The revised rule introduces several changes, including:


Expanded definitions

The FTC has revised and expanded several definitions to ensure that the rule now covers a wider range of digital health technologies and platforms. These revisions include:

  • Personal health record (PHR): An electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and is managed, shared, and controlled by or primarily for the individual.
  • PHR identifiable health information: The HBNR equivalent of the HIPAA definition of protected health information (PHI), relating to an individual's health and created or received by a covered health care provider, employer, health plan, or healthcare clearinghouse.
  • Covered health care provider: A provider of medical or other health services, or any other entity furnishing healthcare services or supplies.
  • Healthcare services or supplies: Any online service, such as a website, mobile application, or internet-connected device, that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.


Clarified breach of security

The revised HBNR now defines a "breach of security" to include both unauthorized acquisitions of PHR identifiable health information resulting from a data security breach and unauthorized disclosures of that information. This change covers cases where mobile app developers intentionally share or sell consumers' data in violation of their privacy policies and promises.


Expanded notification requirements

The revised rule also introduces the following changes to the notification requirements:

  • Regulated entities must now notify the FTC at the same time they send notices to affected individuals for breaches involving 500 or more people.
  • The notification to consumers must include the name or identity (or a description, if providing the full name or identity would pose a risk) of any third parties that acquired the unsecured PHR identifiable health information as a result of the breach.
  • The rule authorizes the expanded use of email and other electronic means to provide clear and effective notice to consumers of a breach.


In the news

The Federal Trade Commission (FTC) imposed a $7.1 million fine on the mental health startup Cerebral over allegations of consumer privacy violations and deceptive trading practices.

The company and its former CEO, Kyle Robertson, were accused of breaching privacy promises and disclosing protected health information (PHI) to third parties for advertising. 

According to an FTC press release, Cerebral shared the sensitive data of nearly 3.2 million consumers with third parties such as Snapchat, TikTok, and LinkedIn. Cerebral was ordered to pay $5.1 million in consumer refunds and a $10 million civil penalty, partially suspended to $2 million because of the company's financial constraints.


FAQs

What is the HIPAA health breach notification rule? 

The HIPAA breach notification rule (2009) makes it mandatory for healthcare providers to report all data breaches of unsecured protected health information (PHI).


What are the potential benefits of the revised health breach notification rule? 

  • Improved protection of consumer digital health information across a broader range of digital health technologies
  • Increased transparency and accountability for mobile app developers and digital health platforms regarding the handling of user data
  • Enhanced consumer trust in the digital health ecosystem, as affected individuals are notified in a timely and accessible manner about any breaches of their personal health data.


How can you identify a breach?

Identifying a HIPAA breach means recognizing any unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy. Monitoring access logs, conducting regular security assessments, and promptly investigating suspicious incidents are the main steps in detecting potential breaches. Early detection allows prompt action to mitigate harm and to meet the reporting requirements under HIPAA regulations.


What is the difference between a HIPAA breach and a HIPAA violation?

A HIPAA breach involves the unauthorized disclosure of PHI, triggering notification requirements, while a HIPAA violation encompasses any failure to comply with HIPAA regulations, whether or not it leads to a breach. Both breaches and violations can result in penalties, but the severity of the consequences may vary depending on the nature and extent of the non-compliance.