To strengthen protection of consumer health data, the Federal Trade Commission (FTC) has revised the health breach notification rule (HBNR), originally introduced in 2009. The revised regulation safeguards individuals' sensitive health information stored on digital platforms, including mobile apps and internet-connected devices.
Prior to the implementation of the HBNR in 2009, a regulatory void existed when it came to protecting consumer digital health information. While the Health Insurance Portability and Accountability Act (HIPAA) required covered entities and business associates to protect such information, consumers whose data was stored in personal health records by vendors and third-party apps that were not HIPAA-covered entities or business associates were left without adequate regulatory protection.
The original HBNR was introduced to address this gap, mandating that regulated entities notify affected consumers of any breaches of their digital health information. However, as digital health platforms have grown more complex, with new technologies such as smartphone user tracking, the 2009 HBNR definitions of regulated technologies have become outdated.
To keep pace with the rapid advancements in digital health technologies, the FTC has recently revised the health breach notification rule, with the updated version becoming effective on July 29, 2024. The revised rule introduces several changes, including:
The FTC has revised and expanded several definitions to ensure that the rule now covers a wider range of digital health technologies and platforms. These revisions include:
The revised HBNR now defines a "breach of security" to include unauthorized acquisitions of identifiable health information due to a data security breach and unauthorized disclosures of protected health information. This change addresses instances where mobile app developers intentionally share or sell consumers' data in violation of their privacy policies and promises.
The revised rule also introduces the following changes to the notification requirements:
The Federal Trade Commission (FTC) imposed a $7.1 million fine on mental health startup Cerebral over allegations of consumer privacy violations and deceptive trading practices.
The company and its former CEO, Kyle Robertson, were accused of breaching privacy promises and disclosing protected health information (PHI) to third parties for advertising.
According to an FTC press release, Cerebral shared the sensitive data of nearly 3.2 million consumers with third parties such as Snapchat, TikTok, and LinkedIn. The settlement requires Cerebral to pay $5.1 million in consumer refunds and a $10 million civil penalty, the latter partially suspended to $2 million because of the company's financial constraints.
The HIPAA breach notification rule (2009) makes it mandatory for healthcare providers to report all data breaches of unsecured protected health information (PHI).
Identifying a HIPAA breach involves recognizing any unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy. Monitoring access logs, conducting regular security assessments, and promptly investigating any suspicious incidents are steps in identifying potential breaches. Early detection enables prompt action to mitigate harm and fulfill reporting requirements under HIPAA regulations.
A HIPAA breach involves the unauthorized disclosure of PHI, triggering notification requirements, while a HIPAA violation encompasses any failure to comply with HIPAA regulations, whether or not it leads to a breach. Both breaches and violations can result in penalties, but the severity of the consequences may vary depending on the nature and extent of the non-compliance.