by Adam H. Greene and Apurva Dharia
The FTC issued a final rule to lock in changes to the Health Breach Notification Rule (HBNR) that it proposed in May 2023. While the HBNR began as a breach notification rule seemingly focused on a narrow set of applications that store medical records on behalf of consumers, the final rule continues the FTC’s path toward turning the rule into a means of imposing privacy and breach notification restrictions on virtually all health and wellness apps. Consistent with the FTC’s September 2021 policy statement and recent enforcement actions, the final rule further revises the HBNR to apply to most health and wellness apps and to require breach notification in almost any instance in which a consumer’s identifiable health data is disclosed without their authorization (including unauthorized disclosures to advertising platforms).
The HBNR requires vendors of personal health records (PHRs) and PHR related entities to notify individuals, the FTC, and, in some cases, the media, of a breach of unsecured PHR identifiable health information.[1] It also requires third-party service providers to vendors of PHRs and PHR related entities to provide notification to such vendors and PHR related entities following the discovery of a breach. The rule applies to foreign and domestic non-HIPAA covered vendors of “personal health records that contain individually identifiable health information created or received by health care providers.” The HBNR specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. The final rule will go into effect 60 days after its publication in the Federal Register.