On July 29, 2024, the FTC’s revised Health Breach Notification Rule (HBNR) takes effect. The Rule requires vendors of personal health records (PHRs) and related entities not covered by HIPAA to notify individuals, the FTC, and in some cases, the media in the event of a breach of unsecured personal health data. Businesses operating a wide array of services, including health, diet, and fitness apps should take care to review the revised HBNR and assess its applicability to their practices.

Background

Since the original Rule was issued in 2009, the use of health-related apps and other direct-to-consumer technologies collecting health information (e.g., fitness trackers and wearable blood pressure monitors) has proliferated. In September 2021, the FTC issued a “Policy Statement” reinterpreting the scope of the HBNR and signaling the FTC’s intent to treat these new products and technologies as covered by the Rule. The updated HBNR, finalized on April 24, 2024, formalizes this expansion of the HBNR as envisioned in the Policy Statement.

Who Is Subject to the HBNR?

The HBNR applies to entities offering or maintaining personal health records not covered by HIPAA. It covers vendors of PHRs, PHR-related entities, and third parties providing services to these entities. However, distinguishing among these categories can be challenging. Here are a few examples:

  • Vendors of PHR. Companies providing online platforms or mobile apps that allow consumers to create comprehensive health records by storing and managing their health information from multiple sources are likely vendors of PHR. Examples include fitness tracking apps, diet and nutrition apps, and mental health apps that integrate data from the user and other sources, such as wearable devices or purchase histories stored with retailers.
  • PHR-Related Entities. Businesses offering devices like remote blood pressure cuffs or internet-connected glucose monitors may qualify as PHR-related entities when users sync this health information with another health app.
  • Third Party Service Providers. Third party service providers are roughly equivalent to processors or service providers. Businesses offering data security, advertising, or analytics services, for example, to a PHR vendor or a PHR-related entity with access to unsecured PHR data are considered third party service providers under the HBNR.

Businesses should be aware that where they fall under these categories depends heavily on the specific practices at hand, and they may move from one category to another. For instance, a third party may be considered a PHR-related entity if it offers services to a health app for its own purposes, such as research and development or product improvement. Similarly, a device manufacturer may be a PHR-related entity if it syncs health information with a third-party health app, but a vendor of PHR if it syncs health information with its own app (while integrating data from multiple sources).

What’s New

  • Covered Health Care Providers. “Covered health care providers” constitute one category of the sources of PHR individually identifiable information (other categories of sources are employers and HIPAA-covered entities). The Rule expansively defines covered health care providers to include any “online service such as a website, mobile application, or internet-connected device” that supports the tracking of consumer health indicators, like fitness, sleep, mental health, and vital signs. Under the revised Rule, mobile apps are now considered covered PHR-related entities when they integrate with other devices or services, such as geolocation functions, calendars, or third party data, linking them to the user’s PHR. Crucially, the Rule only applies to services with the capacity to draw information from multiple sources. For example, businesses that integrate fitness data into third-party sleep apps could now be considered PHR-related entities under the Rule.
  • “Breaches” Subject to the Rule. The revised Rule expands the scope of a “breach of security” to include any disclosures, including sharing or selling, of unsecured PHR that are not authorized by the individual. Covered providers should be mindful that this updated definition goes well beyond a traditional cybersecurity incident. For example, businesses that collect PHR for a legitimate purpose and subsequently share or use that information in a way not expressly authorized by the individual may have committed a “breach” under the new definition.
  • Timing of Notice to the FTC. Businesses covered by the HBNR that experience a breach involving the unsecured data of more than 500 individuals now have sixty days to notify individuals and the FTC of the incident. This change will be helpful to businesses, particularly larger entities, as the previous Rule required notifications to be sent within ten days, regardless of the size of the data breach.
  • Expanded Use of Electronic Notice. PHR vendors and related entities that discover a breach of security must provide written notice to individuals. Updates to the Rule now allow for the use of email and other electronic means to notify consumers of a breach, including text messages, in-app messages, and website banner messages. Additionally, breach notices must now include a brief description of the measures businesses are taking to protect affected individuals.

Why It’s Important

App developers and other companies providing health, wellness, fitness, and related apps should consider these updates to the HBNR, assess its applicability to their business, and comprehensively review their notification obligations in the event of an unauthorized disclosure. Firms offering data security, cloud computing, advertising, or analytics services to health apps should also review their potential obligations as third party service providers.

Summer Associate Joe Cahill contributed to this post.