The Federal Trade Commission is seeking to amend and expand its Health Breach Notification Rule, or HBNR, to cover entities not already covered by HIPAA, to allow them to use email and other electronic methods to deliver data breach notifications, and to require that notifications include the names of any third parties that may have received unsecured identifiable health information.
Why it matters
Shortly after filing a complaint in federal court against Illinois-based Easy Healthcare Corporation for sharing the health data of its free fertility app users and fining the health tech company $200,000, the FTC announced a formal revision of the HBNR.
Key among the proposed amendments, the FTC would define a “breach of security” to include the acquisition of identifiable health information resulting from a data security breach or unauthorized disclosure.
The FTC said that since its rule was first issued in 2009, health apps and other direct-to-consumer health technologies have increased the amount of consumer health data collected and, with it, the incentive to use or disclose that data for marketing and other purposes.
“The proposed amendment to the rule will allow it to keep up with market trends and respond to developments and changes in technology,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement.
Health app and connected device companies that are subject to the FTC’s breach notification requirements must tell consumers about the potential harms that could come from third parties that have obtained their personally identifiable health information.
The proposed amendments would also:
- Revise several definitions to ensure that the rule applies to non-HIPAA-covered health technologies that collect an individual’s health information.
- Add two new definitions for healthcare providers and healthcare services or supplies.
- Explain what it means for a PHR to have personal health data from multiple sources.
The FTC highlighted that the rule’s scope would only qualify PHR-related entities as “those that access or send unprotected PHR identifiable health information to personal health records.”
The federal complaint alleges that Easy Healthcare Corporation's Premom app shared users' personal health data with third parties for advertising without their consent. The FTC sought to require the company to obtain users' consent before sharing health data for any other purpose and to specify for users how their fertility and personal data will be used.
The matter was settled out of court last week, according to a statement on the company’s website.
The HBNR requires covered entities to notify affected consumers within 60 days after the discovery of a breach. Covered entities must also notify the FTC within 10 business days if more than 500 individuals are affected.
The FTC is accepting comments on the proposed changes to the HBNR for 60 days following the publication of the notice of proposed rulemaking on Thursday.
The larger trend
Following a periodic review of the HBNR in 2020, when the agency asked the public whether the rule should be revised and accepted public comments, the FTC issued a policy statement in September 2021 stating that connected devices and health apps that collect consumers' health information must also notify users and others when their data is involved in a security breach.
However, beyond data breaches, the FTC said it was concerned about the “modification of sensitive health information” for advertising and analytics.
FTC Chair Lina M. Khan said at the time, “Given the growing prevalence of surveillance-based advertising, the Commission should examine what data is being collected and whether particular types of business models create incentives that necessarily put users at risk.”
Protecting the privacy and security of personal health data is proving to be a high priority for the FTC; the agency notes that in recent months it has also brought enforcement actions against GoodRx and others for sharing data without users' knowledge or consent.
On the record
“We are seeing an explosion of health apps and connected devices, many not covered by HIPAA, that are collecting vast amounts of sensitive consumer health information,” Levine said.
“When this information is breached, it is more important than ever to provide timely notice of what happened to mobile health app developers and other consumers covered by the Health Breach Notification Rule, and to the FTC.”
Andrea Fox is a senior editor for Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.