On January 21, the Federal Trade Commission (“FTC”) announced new resources to help companies determine their obligations under the Health Breach Notification Rule (the “Rule”): the Health Breach Notification Rule: Basics for Business, which provides a quick introduction to the Rule, and Complying with FTC’s Health Breach Notification Rule (“Compliance Guidance”), a more in-depth compliance guidance.  These resources follow the FTC’s September 2021 Policy Statement, which expanded the Rule’s application to the developers of health apps, connected devices, and similar products, and similarly emphasize the FTC’s continued scrutiny of health technology.

The Rule was promulgated in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  Under the Rule, vendors of personal health records that are not otherwise regulated under the Health Insurance Portability and Accountability Act (“HIPAA”) are required to notify individuals, the FTC, and, in some cases, the media following a breach involving unsecured identifiable health information.  16 C.F.R. §§ 318.3, 318.5.  Third-party service providers also are required to notify covered vendors of any breach.  16 C.F.R. § 318.3.  The Compliance Guidance addresses who is covered under the Rule, what triggers the Rule, and what to do when a breach occurs (i.e., notification requirements).

Notably, the Compliance Guidance contains an FAQ section, which, among other things, highlights the FTC’s desire to apply the Rule to certain “apps, wearables, and other technologies for health advice, information, and tracking.”  According to the FAQs, a fitness app that collects users’ height, weight, and age and can sync with users’ wearable fitness trackers (even if not all users use this feature) would “likely [be] a vendor of personal health records” under the Rule.  This example underscores the FTC’s broad interpretation of the Rule’s applicability set forth in the September 2021 Policy Statement.

The Compliance Guidance does not address any of the questions raised by Commissioners Noah Philips and Christine Wilson in their dissents to the Commission’s recent Policy Statement about the FTC’s authority to expand the application of its Rule through a Policy Statement.

The Compliance Guidance FAQs also offer examples of how the notification and breach aspects of the Rule would apply in various situations, including when (1) a health app accidentally shares health information with a social media platform, and (2) an individual accesses health records without authorization.  With respect to cases involving unauthorized access, the FAQs note that the Rule contains a rebuttable presumption—in other words, the FTC will presume unauthorized access unless the vendor of personal health records can prove that the access has not, or could not reasonably have, taken place.  Thus, in the case of an employee’s unauthorized access of health information, a vendor of personal health records can potentially “overcome that presumption by establishing and enforcing a company policy that requires an employee who inadvertently accesses a health record not to read it or share it, to log out immediately, and to report the access to a supervisor right away.”

The FTC has linked these resources in its new Health Privacy webpage, which also contains cases, blog posts, and other materials to assist companies in complying with their legal obligations.

Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Photo of Anna D. Kraus Anna D. Kraus

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience…

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and health information privacy. Ms. Kraus regularly advises clients on Medicare reimbursement matters, the Medicaid Drug Rebate program, health information privacy issues (including under HIPAA and the HITECH Act), and the challenges and opportunities presented by the Affordable Care Act.

Photo of Olivia Vega Olivia Vega

Olivia Vega provides strategic advice to global companies on a broad range of privacy, health care, and technology issues, including in technology transactions, mergers and acquisitions, and regulatory compliance. Within her practice, Olivia counsels clients on navigating the complex web of federal and…

Olivia Vega provides strategic advice to global companies on a broad range of privacy, health care, and technology issues, including in technology transactions, mergers and acquisitions, and regulatory compliance. Within her practice, Olivia counsels clients on navigating the complex web of federal and state privacy and data security laws and regulations, including on topics such as HIPAA, California’s Confidentiality of Medical Information Act, and the California Consumer Privacy Act. In addition, Olivia maintains an active pro bono practice.

Photo of Elizabeth Brim Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office. She is a member of the firm’s Health Care and Data Privacy and Cybersecurity Practice Groups, advising clients on a broad range of regulatory and compliance issues. In addition, Elizabeth maintains an…

Elizabeth Brim is an associate in the firm’s Washington, DC office. She is a member of the firm’s Health Care and Data Privacy and Cybersecurity Practice Groups, advising clients on a broad range of regulatory and compliance issues. In addition, Elizabeth maintains an active pro bono practice.