FTC Health Breach Notification Rule Update: 6 Things You Should Know


5 minute read | July 29, 2024

The Federal Trade Commission (FTC) has updated its Health Breach Notification Rule, which applies to consumer health data held by entities not covered by HIPAA. Among the revisions, the FTC expanded or introduced key definitions and modified the information companies must disclose after a breach.

The updated rule applies to vendors of personal health records, PHR-related entities, and third-party service providers. It took effect July 29, 2024.

Companies offering direct-to-consumer health products and services should determine if the rule applies to them. They also should consider whether to update their compliance programs.

While the rule has been in effect since 2009, it received little attention from the FTC and business community until recently. To date, only nine entities have reported breaches to the FTC, and the FTC itself only began to bring enforcement actions under it last year. 

Additionally, the FTC has been criticized for the broad interpretation it has taken of the rule in its 2021 Policy Statement and in enforcement actions. Now that the Supreme Court has overturned Chevron USA v. Natural Resources Defense Council, we can expect court challenges to the FTC’s interpretation.

Here are answers to six key questions about the updated rule:

1.  Who is covered? 

The rule applies to vendors of personal health records (PHR Vendors), PHR-related entities and third-party service providers. 

PHR Vendors

Under the rule, a PHR vendor is any entity, other than a HIPAA-covered entity or business associate, that offers or maintains a “personal health record” (the scope of which is discussed below).  To be a PHR vendor, “an app, website, or online service must provide an offering that relates more than tangentially to health.” For example, companies offering remote blood pressure cuffs, connected blood glucose monitors and fitness trackers that sync to their proprietary health apps may be PHR vendors.  

In contrast, a retailer that offers an app enabling consumers to purchase health care products (e.g., pregnancy tests, over the counter medication or health-related items) is not, without more, covered by the rule because the app is “only tangentially related to health.” A retailer may become a PHR vendor under the rule if it offers an app with features or functionalities that are “sold, marketed, or promoted as more than tangentially related to health.”

PHR Related Entities

The FTC has clarified that “PHR-related entity” applies to entities “that offer products and services through online services, including mobile applications, of” PHR vendors.   

A PHR-related entity, other than a HIPAA-covered entity or business associate, is one that:

  • Offers products or services through the website, including any online service, of a PHR vendor.
  • Offers products or services through the websites, including any online service, of HIPAA-covered entities that offer individuals personal health records.
  • Accesses unsecured PHR identifiable health information in a personal health record or sends unsecured PHR identifiable health information to a personal health record.  

For example, consider again companies that offer remote blood pressure cuffs, connected blood glucose monitors and fitness trackers. If those devices sync to their proprietary health app and to the health apps of third parties, they may be simultaneously PHR vendors and PHR-related entities. 

Third-Party Service Providers

The rule does not change the definition of a third-party service provider. They remain entities that:

  • Provide services to a PHR vendor in the offering or maintenance of a PHR, or to a PHR-related entity in connection with a product or service offered by that entity.
  • Access, maintain, retain, modify, record, store, destroy, or otherwise hold, use or disclose unsecured PHR identifiable health information as a result of such services. 

Examples of third-party service providers include cloud computing companies and advertising and analytics organizations that provide services to PHR vendors.  

2.  What is “PHR identifiable health information”?

The definition of PHR identifiable health information was updated to mean information that:

  1. Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual; and
  2. Is created or received by a covered health care provider, health plan, employer or health care clearinghouse; and
  3. With respect to an individual, includes information that is provided by or on behalf of the individual.

The FTC said it expanded the definition to cover:

  • Traditional health information (such as diagnosis or medications).
  • Health information derived from a consumer’s interaction with apps or other online services, “such as health information generated from tracking technologies employed on websites or mobile applications.”
  • “Emergent health data, such as health information inferred from non-health-related data points, such as location and recent purchases.” 

Notably, the FTC clarified that unique, persistent identifiers (such as device identifiers and mobile advertising identifiers), when combined with health information, constitute PHR identifiable health information if the identifiers can be used to identify or re-identify an individual.

To trigger the breach notification obligations, the PHR identifiable health information must be “unsecured,” meaning it is not protected using a technology or methodology specified by guidance from the Secretary of Health and Human Services (in practice, encryption or destruction consistent with that guidance). Data that is encrypted with keys an attacker could not access is therefore outside the notification trigger, which makes the location and control of encryption keys a fact worth establishing early in any incident investigation.

3.  What is a personal health record? 

A personal health record is an electronic record of PHR identifiable health information regarding an individual that has the technical capacity to draw information from multiple sources and is managed, shared, and controlled by or primarily for the individual. 

If a personal health record has the capacity to draw information from multiple sources, it is covered by the rule, even if the consumer elects to limit information to only a single source. An app that is purely informational and provides no mechanism for the user to track or record health or wellness information is not a personal health record, because it lacks the technical capacity to draw information from multiple sources.  

By contrast, an app that lets a consumer enter health information and sync with a third-party device is a personal health record even if the consumer never enables the sync feature, because it has the “technical means (e.g., the application programming interface or API) to draw information from multiple sources.” The FTC clarified that PHR identifiable information must be drawn from at least one source “to count as a personal health record,” and noted that even an app or service “undergoing product or beta testing … not yet in [its] final form” would fall under this definition because “they are drawing information from multiple sources.”

4.  What is a “breach of security”?

In line with the FTC’s 2021 Policy Statement, the rule expands the definition of “breach of security” to mean “an unauthorized acquisition of unsecured PHR identifiable health information in a personal health record that occurs as a result of a data breach or an unauthorized disclosure.” The FTC said this change was intended to clarify that a voluntary disclosure made by a PHR vendor or PHR-related entity constitutes a breach of security if the consumer did not authorize the disclosure.

The FTC noted in the preamble that a breach of security could even include “unauthorized uses,” such as when an entity “exceeds authorized access to use PHR identifiable health information.” That could happen when an entity “obtains the data for one legitimate purpose, but later uses the data for a secondary purpose that was not originally authorized by the individual.” 

The definition still includes a rebuttable presumption that when there is unauthorized access to PHR identifiable health information, unauthorized acquisition will be presumed unless the entity that experienced the breach “has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.” 

5.  What are “health care services or supplies”?

The rule introduces the definition of “health care services or supplies,” which includes “any online service such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.” 

The FTC said its new definition clarifies that the rule applies generally to online services that relate to medical issues (e.g., diseases, diagnoses, treatment and medications) as well as wellness issues, such as fitness, sleep and diet. 

The FTC noted that it added this new definition because it clarifies that “developers of health apps and similar technologies providing ‘health care services or supplies’ qualify as ‘health care providers,’ such that any individually identifiable health information these products collect or use would constitute ‘PHR identifiable health information.’” As a result, the FTC also introduced an expansive definition of “covered health care provider” to encompass a provider of services, a provider of medical or other health services, or any other entity furnishing health care services or supplies. While broad, the FTC noted the definition does not “bear on the meaning of ‘health care provider’ as used in other regulations.” 

6.  What are the breach notification obligations?

The FTC says the rule is intended to address “breach notification, not omnibus privacy protections.” To that end, once a breach of security has occurred involving unsecured PHR identifiable health information in a personal health record, the PHR vendor or PHR-related entity must notify:

  • Each individual whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of the breach.
  • The FTC.
  • Prominent media outlets serving a state or jurisdiction, if the breach involved, or is reasonably believed to have involved, the unsecured PHR identifiable health information of 500 or more residents of that state or jurisdiction.

If the breach involves the unsecured PHR identifiable health information of fewer than 500 individuals, the PHR vendor or PHR-related entity may instead record it in a log and submit the log of all such breaches from the preceding year to the FTC annually.

The rule also aligns the timing of these notices with the HIPAA Breach Notification Rule. Companies must now notify individuals and the FTC contemporaneously, without unreasonable delay and in no case later than 60 calendar days after discovery of the breach of security; a breach is treated as discovered on the first day it is known, or reasonably should have been known, to the entity. The FTC agreed that the previous requirement to notify the FTC within 10 business days resulted in insufficient or incomplete breach notifications, and that in large, complex breaches entities were largely unable to determine the scope of a breach that quickly. 

The updated rule includes additional requirements for the content of notices. It requires notifying entities to provide:

  • A description of what happened, including the date of the breach, the date of discovery of the breach, and the full name, identity, or a description of any third parties that acquired the PHR identifiable health information as a result of the breach, if known.
  • A description of the specific types of unsecured PHR identifiable health information involved.
  • Steps individuals should take to protect themselves from potential harm resulting from the breach.
  • A description of what the entity is doing to investigate, mitigate harm, protect against further breaches and to protect affected individuals, such as offering credit monitoring or other services.
  • At least two ways people can contact the organization to ask questions or learn more. 

The rule further sets out “clear and conspicuous” formatting requirements for written notices delivered electronically, such as by e-mail. 
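As an added illustration (not from the Orrick alert or the FTC rule text), the following Python helper maps a breach's affected-individual list onto the notices described in this section: it collapses duplicate individuals, counts residents per state to decide where media notice is required, flags whether the breach is small enough for the annual-log option, and computes the outside 60-calendar-day deadline from the discovery date. The 500-person thresholds and the 60-day window follow this article; the record layout, state codes, function names and sample data are constructed for the example, and the helper leaves the “reasonably believed” standard to the caller, who should pass every individual whose information was, or is reasonably believed to have been, acquired.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Iterable

# Thresholds as described in the article. The per-state media-notice threshold
# and the small-breach annual-log threshold happen to share the same number.
MEDIA_NOTICE_THRESHOLD = 500
ANNUAL_LOG_THRESHOLD = 500
NOTICE_DEADLINE_DAYS = 60  # calendar days after discovery (an outer bound)


@dataclass
class NotificationPlan:
    discovery_date: date
    deadline: date                       # latest permissible date for individual and FTC notice
    affected_individuals: int            # distinct individuals after de-duplication
    notify_individuals: bool
    notify_ftc_contemporaneously: bool   # with individual notice, no later than the deadline
    annual_log_eligible: bool            # fewer than 500 individuals: may go in the annual log
    media_notice_states: list[str] = field(default_factory=list)


def _as_date(d: date | str) -> date:
    """Accept a date or an ISO-8601 string such as '2024-08-01'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def plan_notifications(affected: Iterable[tuple[str, str]],
                       discovery_date: date | str) -> NotificationPlan:
    """
    affected: (individual_id, state_or_jurisdiction) pairs for every person whose
    unsecured PHR identifiable health information was acquired, or is reasonably
    believed to have been acquired, without authorization. Duplicate ids are
    collapsed; the first state seen for an id wins.
    discovery_date: the first day the breach was known, or reasonably should have
    been known, to the entity.
    """
    discovered = _as_date(discovery_date)

    # De-duplicate: the same person often appears in several exported data sets.
    state_by_id: dict[str, str] = {}
    for individual_id, state in affected:
        state_by_id.setdefault(individual_id, state.strip().upper())
    total = len(state_by_id)

    # Media notice is decided per state/jurisdiction, not on the overall total.
    per_state = Counter(state_by_id.values())
    media_states = sorted(s for s, n in per_state.items() if n >= MEDIA_NOTICE_THRESHOLD)

    return NotificationPlan(
        discovery_date=discovered,
        deadline=discovered + timedelta(days=NOTICE_DEADLINE_DAYS),
        affected_individuals=total,
        notify_individuals=total > 0,
        notify_ftc_contemporaneously=total >= ANNUAL_LOG_THRESHOLD,
        annual_log_eligible=0 < total < ANNUAL_LOG_THRESHOLD,
        media_notice_states=media_states,
    )


if __name__ == "__main__":
    # Constructed sample: 600 California residents and 20 New York residents,
    # with one California record duplicated by a second data source.
    sample = [(f"ca-{i}", "CA") for i in range(600)]
    sample += [(f"ny-{i}", "NY") for i in range(20)]
    sample.append(("ca-0", "ca"))
    print(plan_notifications(sample, "2024-08-01"))
```

The deadline the helper returns is an outer bound, not a target; notice is still due without unreasonable delay. Because the affected population usually changes as forensic work progresses, re-run the plan whenever the list is refined and keep each run with the incident record as evidence of how the timeline and scope were established.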

***

The Orrick Team is ready and available to help your organization identify and assess the impact of the updated FTC Health Breach Notification Rule, update your breach notification procedures, and assist in the event of an incident. We are closely monitoring current trends to help companies identify developments across the cybersecurity threat landscape, regulatory trends, and areas of compliance risk. If you have any questions, please contact the authors (Thora Johnson, Alyssa Wolfington, and Michaela Frai) or another member of the Orrick Team.