FTC seeks to broaden breach notification rule to include apps, connected devices

The Federal Trade Commission proposes bringing more vendors of personal health records, including those that access or send unsecured PHR-identifiable data, under its rule governing health data sharing and notifications of unauthorized protected health information disclosures.
By Andrea Fox
11:20 AM


The Federal Trade Commission is seeking to amend and expand its Health Breach Notification Rule, or HBNR, to cover entities not subject to HIPAA, to allow them to use email and other electronic methods for data breach notifications, and to require that notifications name any third parties that might have acquired unsecured identifiable health information.

WHY IT MATTERS

On the heels of filing a complaint in federal court against the Illinois-based Easy Healthcare Corporation for sharing its free fertility app users' health data and fining the health tech company $200,000, the FTC announced a formal revision of the HBNR.

Chief among the proposed amendments, FTC would define "breach of security" to include an acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure.

FTC said that since its rule was first issued in 2009, health apps and other direct-to-consumer health technologies have increased the amount of consumer health data collection, and so have the incentives to use or disclose that data for marketing and other purposes. 

"The proposed amendments to the rule will allow it to keep up with marketplace trends and respond to developments and changes in technology," said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement. 

Health app and connected device companies that are subject to the FTC's breach notification requirements would need to explain to consumers the potential harm that can come from third parties that have acquired their personally identifiable health information.

The proposed amendments would also:

  • Revise several definitions to ensure the rule is applicable to non-HIPAA-covered health technologies that collect an individual's health information.
  • Add two new definitions for healthcare providers and healthcare services or supplies.
  • Clarify what it means for a PHR to draw personal health data from multiple sources.

FTC highlighted that the scope of the rule would qualify PHR-related entities only as those "that access or send unsecured PHR identifiable health information to a personal health record."

In the federal complaint alleging that users' personal health data in the Premom app was shared with third parties for advertising without their consent, the FTC was seeking to require Easy Healthcare Corp. "to obtain users’ consent before sharing health data for any other purpose" and specify for users how their fertility and personal data will be used. 

The matter was settled out of court last week, according to a statement on the company's website.

HBNR requires covered entities to notify consumers within 60 days of discovering a breach. If more than 500 individuals are affected, covered entities must also notify the FTC within 10 business days.

FTC is accepting comments on proposed changes to HBNR for 60 days after the publication of its notice of proposed rulemaking Thursday. 

THE LARGER TREND

After a periodic review of HBNR in 2020, when the agency asked the public if the rules should be modified and accepted public comments, the U.S. trade commission issued a policy statement in September 2021 stating that connected devices and health apps that use or collect consumers' health information must also notify users and others when their data is involved in a security breach.

However, beyond data safety, the FTC said it was concerned about the "commodification of sensitive health information" for advertising and analytics.

"Given the growing prevalence of surveillance-based advertising, the commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk," said FTC Chair Lina M. Khan at the time.

Protecting the privacy and security of personal health data is proving to be a high priority for the FTC; the agency noted it has also taken enforcement action against GoodRx and others in recent months for sharing data without users' knowledge or consent.

ON THE RECORD

"We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information," said Levine.

"When this information is breached, it is more vital than ever that mobile health app developers and others covered by the Health Breach Notification Rule provide consumers and the FTC with timely notice about what happened."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
