FTC Finalizes Expansion of Health Breach Notification Rule’s Broad Applicability to Unauthorized App Disclosures

by Adam H. Greene and Apurva Dharia

The FTC issued a final rule to lock in changes to the Health Breach Notification Rule (HBNR) that it proposed in May 2023. While the HBNR began as a breach notification rule seemingly focused on a narrow set of applications that store medical records on behalf of consumers, the final rule continues the FTC’s path toward turning the rule into a means of imposing privacy and breach notification restrictions on virtually all health and wellness apps. Consistent with the FTC’s September 2021 policy statement and recent enforcement actions, the final rule further revises the HBNR to apply to most health and wellness apps and to require breach notification in almost any instance in which a consumer’s identifiable health data is disclosed without their authorization (including unauthorized disclosures to advertising platforms).

The HBNR requires vendors of personal health records (PHRs) and PHR related entities to notify individuals, the FTC, and, in some cases, the media, of a breach of unsecured PHR identifiable health information.[1] It also requires third-party service providers to vendors of PHRs and PHR related entities to provide notification to such vendors and PHR related entities following the discovery of a breach. The rule applies to foreign and domestic non-HIPAA covered vendors of “personal health records that contain individually identifiable health information created or received by health care providers.” The HBNR specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. The final rule will go into effect 60 days after its publication in the Federal Register.

Intensified Health App Privacy Enforcement

The final rule follows a series of recent enforcement actions that the FTC has brought against health technology companies such as GoodRx and BetterHelp for the unauthorized sharing of user health data through tracking pixels for marketing and advertising. These pixels enabled both platforms to collect, analyze, and infer information about user activity, facilitating targeted advertising.

In 2023, the FTC also announced a settlement with Easy Healthcare, which developed and distributed the Premom app for period and fertility tracking. The FTC’s complaint alleged that the app broke its privacy promises by disclosing users’ sensitive health data to Google and AppsFlyer, and by sharing other personal information with two firms in China. As it did with respect to GoodRx, the FTC alleged that Premom violated the HBNR by failing to notify users about the company’s unauthorized disclosure of users’ personally identifiable health information to third parties and that it engaged in deceptive practices by using software development kits (SDKs) that allowed the unauthorized disclosure of user health data to third parties in violation of Premom’s privacy policy. The FTC’s settlement with Premom prohibits Premom from sharing personal health data for advertising purposes and requires it to obtain consent prior to sharing health data for any other purposes.

Summary of Changes

The final rule follows a 2021 policy statement clarifying that makers of health and wellness apps holding consumers’ health information generated by consumers and connected devices must comply with the rule, as well as the publication of a Health Privacy resource page to help companies with their compliance efforts. The final rule solidifies last year’s proposed amendments to the HBNR, with minimal revisions, to:

  • Clarify the rule’s scope, including its coverage of developers of many health and wellness apps, by revising definitions such as “PHR identifiable health information” to make clear that the rule applies to health apps and similar technologies not covered by HIPAA, and by adding two new definitions for “covered health care provider” and “health care services or supplies.” The expanded definition of “health care services or supplies” applies to “any online service, such as a website, mobile application, or Internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.”
  • Amend the definition of “breach of security” to clarify that a breach of security includes an unauthorized acquisition of PHR identifiable health information in a personal health record that occurs as a result of a data security breach and/or an unauthorized disclosure. The FTC’s intent is to make clear that the HBNR is not limited to external cybersecurity breaches, but also encompasses any disclosure of a consumer’s PHR identifiable health information without the consumer’s authorization. In this respect, the FTC is essentially turning the HBNR into a privacy rule in addition to a breach notification rule, since the FTC is using it to limit the disclosure of PHR identifiable health information.
  • Revise the definition of PHR related entity to make clear that the rule covers entities that offer products and services through the online services, including mobile applications, of vendors of personal health records. The revised definition clarifies that entities that access or send unsecured PHR identifiable health information to a personal health record are PHR related entities, rather than entities that access or send any information to a personal health record.
  • Explain what it means for a vendor of personal health records to draw PHR identifiable health information from multiple sources by adding language to clarify that whether an app qualifies as a personal health record does not depend on how often consumers use a particular app feature, but instead hinges on whether the app has the technical means (e.g., an application programming interface or API) to draw information from multiple sources. The changes solidify the FTC’s expanded interpretation beyond the traditional notion of a PHR by clarifying that it considers a product to be a personal health record if it can draw any information from multiple sources, even if it draws health information from only one source. For example, a fitness tracking app that is capable of accepting a user’s input (such as the user entering a name) and input from a connected device would be treated as a PHR. This interpretation seems far removed from the original perception of a PHR as an app that stores medical information from multiple health care providers or health plans on behalf of a consumer.
  • Modernize the method of notice by authorizing the expanded use of email and other electronic means to provide consumers with clear and effective notice of a breach. Companies should take note that “electronic mail” is not synonymous with email: breach notification through “electronic mail” requires notice by email combined with one of a text message, within-application messaging, or an electronic banner.
  • Expand the content of the notice to consumers and revise the timing of notice to the FTC. Consumers whose unsecured PHR identifiable health information has been breached must receive additional important information, including the full name or identity (or a description) of any third parties that acquired the unsecured PHR identifiable health information and the protections that the notifying entity is making available to affected consumers. The final rule removes the proposed rule’s requirement to include information regarding the potential for harm from the breach (such as medical or identity theft) and includes model or exemplar notices, which entities subject to the rule can use to notify consumers in terms that are easy to understand. Additionally, whereas the HBNR previously required notice to the FTC for breaches involving 500 or more individuals as soon as possible and in no case later than 10 business days following the date of discovery of the breach, the final rule requires that notice to the FTC be sent contemporaneously with the notices to individuals and the media (or, for third-party service providers, with their notice to the vendor or PHR related entity) required by § 318.4(a), which in turn requires that notifications be sent without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security.
  • Improve the rule’s readability by clarifying cross-references and adding statutory citations, consolidating notice and timing requirements, and plainly articulating the penalties for non-compliance.

What’s Next

The final rule and recent enforcement trends by the FTC signal an increased priority on protecting the privacy of consumers’ sensitive health information. As health and wellness apps that are not subject to HIPAA continue to proliferate, app developers and third-party service providers that support such apps should continue to evaluate whether they fall under the expanded scope of the HBNR to determine their risks when dealing with a data breach or other unauthorized disclosure.

Footnotes

[1]  “PHR identifiable health information” means “individually identifiable health information,” as defined in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)), and, with respect to an individual, information: (1) That is provided by or on behalf of the individual; and (2) That identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. Individually identifiable health information means any information, including demographic information collected from an individual, that — (A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and — (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. 16 C.F.R. § 318.2 and 42 U.S.C. § 1320d(6).

Adam H. Greene is a Partner and Apurva Dharia is an Associate at Davis Wright Tremaine LLP. This post first appeared on the firm’s blog.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regard to infringement of intellectual property rights remains with the author(s).