Final Rule

Health Breach Notification Rule

In Plain English

What is this Federal Register notice?

This is a final rule published in the Federal Register by the Federal Trade Commission. Final rules have completed the public comment process and establish legally binding requirements.

Is this rule final?

Yes. This rule has been finalized. It has completed the notice-and-comment process required under the Administrative Procedure Act.

Who does this apply to?

Consult the full text of this document for specific applicability provisions. The affected parties depend on the regulatory scope defined within.

When does it take effect?

This document has been effective since July 29, 2024.

Why it matters: This final rule establishes 7 enforceable obligations affecting 16 CFR Part 318.

Document Details

Document Number: 2024-10855
Type: Final Rule
Published: May 30, 2024
Effective Date: Jul 29, 2024
RIN: 3084-AB56
Docket ID: none listed

Full Document Text (45,659 words · ~229 min read)

FEDERAL TRADE COMMISSION

16 CFR Part 318

RIN 3084-AB56

Health Breach Notification Rule

AGENCY: Federal Trade Commission.

ACTION: Final rule.

SUMMARY: The Federal Trade Commission (“FTC” or “Commission”) is amending the Commission's Health Breach Notification Rule (the “HBN Rule” or the “Rule”). The HBN Rule requires vendors of personal health records (“PHRs”) and related entities that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data.

DATES: The amendments are effective July 29, 2024.

ADDRESSES: Relevant portions of the record of this proceeding, including this document, are available at https://www.ftc.gov and https://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Ryan Mehm, (202) 326-2918, rmehm@ftc.gov, and Ronnie Solomon, (202) 326-2098, rsolomon@ftc.gov, Bureau of Consumer Protection, Federal Trade Commission.

SUPPLEMENTARY INFORMATION: The amendments: (1) clarify the Rule's scope, including its coverage of developers of many health applications (“apps”); (2) clarify what it means for a vendor of personal health records to draw PHR identifiable health information from multiple sources; (3) revise the definition of breach of security to clarify that a breach of security includes data security breaches and unauthorized disclosures; (4) revise the definition of PHR related entity; (5) modernize the method of notice; (6) expand the content of the notice; (7) alter the Rule's timing requirement for notifying the FTC of a breach of security; and (8) improve the Rule's readability by clarifying cross-references and adding statutory citations, consolidating notice and timing requirements, articulating the penalties for non-compliance, and incorporating a small number of non-substantive changes.

I. Background

Congress enacted the American Recovery and Reinvestment Act of 2009 (“Recovery Act” or “the Act”),[1] in part to advance the use of health information technology and, at the same time, strengthen privacy and security protections for health information. Recognizing that certain entities that hold or interact with consumers' personal health records were not subject to the privacy and security requirements of HIPAA,[2] Congress created requirements for such entities to notify individuals, the Commission, and, in some cases, the media of the breach of unsecured identifiable health information from those records.

[1] Am. Recovery and Reinvestment Act of 2009, Public Law 111-5, 123 Stat. 115 (2009).
[2] Health Ins. Portability and Accountability Act, Public Law 104-191, 110 Stat. 1936 (1996).

Specifically, section 13407 of the Recovery Act created certain protections for “personal health records” or “PHRs,”[3] electronic records of PHR identifiable health information on an individual that can be drawn from multiple sources and that are managed, shared, and controlled by or primarily for the individual.[4] Congress recognized that vendors of personal health records and PHR related entities (i.e., companies that offer products and services through PHR websites or access information in or send information to personal health records) were collecting consumers' health information but were not subject to the privacy and security requirements of HIPAA. Accordingly, the Recovery Act directed the FTC to issue a rule requiring these non-HIPAA covered entities, and their third party service providers, to provide notification of any breach of unsecured PHR identifiable health information. The Commission issued its Rule implementing these provisions in 2009.[5] FTC enforcement of the Rule began on February 22, 2010.

[3] 42 U.S.C. 17937.
[4] 42 U.S.C. 17921(11).
[5] 74 FR 42962 (Aug. 25, 2009) (“2009 Final Rule”).

The Rule the Commission issued in 2009 (“2009 Rule”) requires vendors of personal health records and PHR related entities to provide: (1) notice to consumers whose unsecured PHR identifiable health information has been breached; (2) notice to the Commission; and (3) notice to prominent media outlets[6] serving a State or jurisdiction, in cases where 500 or more residents are confirmed or reasonably believed to have been affected by a breach.[7] The Rule also requires third party service providers (i.e., those companies that provide services such as billing, data storage, attribution, or analytics) to vendors of personal health records and PHR related entities to provide notification to such vendors and entities following the discovery of a breach.[8]

[6] The Recovery Act does not limit this notice to particular types of media. Thus, an entity can satisfy the requirement to notify “prominent media outlets” by, for example, disseminating press releases to a number of media outlets, including internet media in appropriate circumstances, where most of the residents of the relevant State or jurisdiction get their news. This will be a fact-specific inquiry that will depend on what media outlets are “prominent” in the relevant jurisdiction. 74 FR 42974.
[7] 16 CFR 318.3, 318.5.
[8] Id. § 318.3(b).

The 2009 Rule requires notice to individuals “without unreasonable delay and in no case later than 60 calendar days” after discovery of a data breach.[9] If the breach affects 500 or more individuals, notice to the FTC must be provided “as soon as possible and in no case later than ten business days” after discovery of the breach.[10] The FTC makes available a standard form for companies to use to notify the Commission of a breach,[11] and posts a list of breaches involving 500 or more individuals on its website.[12]

[9] Id. § 318.4(a).
[10] Id. § 318.5(c).
[11] Fed. Trade Comm'n, Notice of Breach of Health Information, https://www.ftc.gov/system/files/documents/rules/health-breach-notification-rule/health_breach_form.pdf.
[12] Fed. Trade Comm'n, Notices Received by the FTC Pursuant to the Health Breach Notification Rule, https://www.ftc.gov/system/files/ftc_gov/pdf/Health%20Breach%20Notices%20Received%20by%20the%20FTC.pdf (last visited Dec. 2, 2022).

The 2009 Rule applies only to breaches of “unsecured” health information, which the Rule defines as health information that is not secured through technologies or methodologies specified by the Department of Health and Human Services (“HHS”). The Rule does not apply to businesses or organizations covered by HIPAA.[13] HIPAA-covered entities and their “business associates” must instead comply with HHS's breach notification rule.[14]

[13] Per HHS guidance, electronic health information is “secured” if it has been encrypted according to certain specifications set forth by HHS, or if the media on which electronic health information has been stored or recorded is destroyed according to HHS specifications. See 74 FR 19006; see also U.S. Dep't of Health & Human Servs., Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html. PHR identifiable health information would be considered “secured” if such information is disclosed by, for example, a vendor of personal health records, to a PHR related entity or a third party service provider, in an encrypted format meeting HHS specifications, and the PHR related entity or third party service provider stores the data in an encrypted format that meets HHS specifications and also stores the encryption and/or decryption tools on a device or at a location separate from the data.
[14] 45 CFR 164.400 through 164.414.

Since the Rule's issuance, apps and other direct-to-consumer health technologies, such as fitness trackers and wearable blood pressure monitors, have become commonplace.[15] Further, as an outgrowth of the COVID-19 pandemic, consumer use of such health-related technologies has increased significantly.[16]

[15] See, e.g., Kokou Adzo, App Development in Healthcare: 12 Exciting Facts, TechnoChops (Jan. 3, 2023), https://www.technochops.com/programming/4329/app-development-in-healthcare/; Emily Olsen, Digital health apps balloon to more than 350,000 available on the market, according to IQVIA report, MobiHealthNews (Aug. 4, 2021), https://www.mobihealthnews.com/news/digital-health-apps-balloon-more-350000-available-market-according-iqvia-report; Elad Natanson, Healthcare Apps: A Boon, Today and Tomorrow, Forbes (July 21, 2020), https