FTC Clarifies Health Breach Notification Rule (HBNR) with Significant Proposed Changes: What Telehealth Companies and App Developers Need to Know



In the rapidly evolving landscape of health and wellness apps, protecting consumer health information is crucial. The Federal Trade Commission (FTC) recently proposed changes to the Health Breach Notification Rule (HBNR) that could have significant implications. If these changes are finalized, the HBNR would apply to a wide range of health and wellness apps and would clarify that a breach of security includes not just data security incidents, but also unauthorized disclosures of personal health information. This article highlights the implications of these proposed changes and provides essential information for telehealth companies and health app developers to navigate the evolving privacy landscape.

Health Breach Notification Rule Background

The Health Breach Notification Rule (HBNR) was introduced in 2009 to address the rise of online personal health record (PHR) services that stored users’ digital medical records. These services, like Microsoft HealthVault, operated outside the coverage of HIPAA and its breach reporting requirements, leaving a gap in consumer protection. Over the years, the FTC has shown a renewed commitment to safeguarding digital health information, evident in enforcement actions against companies like GoodRx, BetterHelp, and Easy Healthcare for sharing consumer health information without permission for advertising purposes. However, applying the HBNR to newer digital health platforms, often accessed through smartphones and utilizing advanced user tracking technologies, has been challenging for the agency due to the evolving landscape. In September 2021, the FTC issued a policy statement emphasizing that health apps and connected devices collecting or using consumer health information must adhere to the HBNR. 

What’s the FTC Proposing?

Defining Who Is Subject by the HBNR:
  • The FTC wants to clarify and broaden the types of entities subject to the HBNR. They aim to include not only medical service providers but also any other organization offering health services or supplies. This definition would cover online services like websites, mobile apps, and Internet-connected devices that track diseases, health conditions, treatments, fitness, etc. These changes would encompass a significant portion of the mobile app market, and the definitional framework would avoid the need to fit app developers into HIPAA’s healthcare provider definition.
Clarifying the Protected Information:
  • The FTC proposes redefining “PHR identifiable health information.” The new definition would remove references to HIPAA and include additional elements. It would cover information provided by or on behalf of an individual, which identifies the individual or can reasonably be used to identify them, and relates to their health, healthcare provision, or healthcare payment. This broader definition, combined with the inclusion of “health care services or supplies,” would make the HBNR applicable to consumer-facing health apps not regulated by HIPAA.
Revised Definitions:
  • The FTC suggests revising the definition of a “breach of security” to encompass unauthorized disclosures of PHR identifiable health information, not just traditional security breaches. This change would address instances where vendors and entities disclose health information without permission for advertising or other purposes.
  • The FTC wants to clarify that a “PHR related entity” includes entities offering products or services through any online platform of a PHR vendor, including mobile applications. They also propose limiting the scope of the definition to entities that access or send unsecured PHR identifiable health information to a PHR.
  • The FTC proposes revising the definition of a “PHR” to include products with the technical capacity to draw information from multiple sources, even if some users choose not to utilize that capacity.
Updates in Breach Notifications:
  • The FTC suggests modernizing breach notification methods by allowing electronic notice under specific circumstances. This change would permit vendors or related entities to inform individuals of breaches via electronic mail, including text messages or within-application messaging.
  • The proposed revisions would require additional information in breach notices, such as potential harm resulting from the breach, measures taken to protect affected individuals, details of third parties acquiring unsecured health information, types of breached information, and multiple contact options.
Improving Rule Clarity:
  • The FTC aims to enhance the clarity of the HBNR by providing explanatory parentheticals, consolidating notice and timing requirements, and introducing a section outlining penalties for non-compliance.

Why the Proposed Changes Matter:

The proposed changes to the HBNR demonstrate the FTC’s commitment to enforcing stricter privacy guidelines for health apps. By defining and redefining important terms, the FTC aims to create a clearer framework for protecting non-HIPAA regulated digital health information. This shift toward enhanced privacy regulations requires telehealth companies and app developers to prioritize privacy to comply with these emerging standards and maintain users’ trust.

Enhanced Consumer Protection:

The FTC’s proposed changes aim to bolster consumer protection in the digital health space. By establishing clearer definitions for terms like “health care provider” and “health care services,” the FTC intends to close any loopholes that allowed certain health and wellness apps to operate outside existing privacy regulations. Additionally, a modernization of breach notifications will ensure consumer’s are informed about their data security. These changes empower consumers to make informed choices about the apps they use, fostering trust and accountability in the industry.

Preemptive Measures for Telehealth Companies and App Owners:

Telehealth companies and app developers must be proactive to ensure compliance with evolving privacy standards. To meet these guidelines, it is crucial to implement robust security measures, obtain explicit user consent for data collection and sharing, and communicate transparently about the handling of health-related information. By taking these preemptive measures, companies can align themselves with privacy expectations and avoid potential legal and reputational consequences.

Collaboration and Compliance:

To navigate the changing privacy landscape effectively, telehealth companies and app developers should collaborate with legal experts, privacy professionals, and regulatory bodies. Engaging with these stakeholders will provide insights into the intricacies of the proposed changes and help establish compliance strategies to protect consumer health information. Prioritizing privacy by design and incorporating privacy frameworks into the development lifecycle of health and wellness apps is essential.

Useful Information for Telehealth Companies and App Owners:

For telehealth companies and app developers, understanding telehealth regulations and complying with health app guidelines is vital. Here are some key considerations:

  • Telehealth Regulations: Familiarize yourself with the specific telehealth regulations that apply to your jurisdiction. Ensure compliance with legal requirements related to privacy, data protection, and patient consent.
  • Data Security: Implement robust security measures to protect user data from breaches or unauthorized access. Regularly update security protocols to stay ahead of potential threats.
  • Consent and Transparency: Obtain explicit consent from users for data collection, storage, and sharing. Clearly communicate your data handling practices, including how user health information is used and protected.
  • Compliance Audits: Regularly conduct internal audits to assess compliance with privacy guidelines and telehealth regulations. Identify and address any potential privacy vulnerabilities promptly.
  • Privacy Policies and Terms of Service: Ensure that your privacy policies and terms of service are comprehensive, easy to understand, and accessible to users. Regularly review and update these documents as privacy regulations evolve.

The FTC’s proposed changes to the Health Breach Notification Rule highlight the growing importance of privacy in health and wellness apps. Telehealth companies and app developers must stay informed about telehealth regulations and adhere to health app guidelines to protect consumer health information. By prioritizing privacy measures and collaborating with relevant stakeholders, companies can not only ensure compliance but also ensure transparency with consumers.

Via: FTC Clarifies Health Breach Notification Rule with Significant Proposed Changes, Akerman LLP, Jordan T. Cohen, Lauren Gandle, Elizabeth Hodge

Alondra Cruz
Alondra Cruz