On Friday, April 26, 2024, the Federal Trade Commission (“FTC”) voted 3-2 to issue a final rule (the “final rule”) that expands the scope of the Health Breach Notification Rule (“HBNR”) to apply to health apps and similar technologies and broadens what constitutes a breach of security, among other updates.  We previously covered the proposed rule, which was issued on May 18, 2023.

In the FTC’s announcement of the final rule, the FTC emphasized that “protecting consumers’ sensitive health data is a high priority for the FTC” and that the “updated HBNR will ensure [the HBNR] keeps pace with changes in the health marketplace.”  Key provisions of the final rule include:

  • Revised definitions:  The final rule includes changes to current definitions in the HBNR that codify the FTC’s recent position on the expansiveness of the HBNR.  Specifically, among other definition changes, the HBNR contains key updates to the definitions of:
    • “Personal health records (‘PHR’) identifiable information.”  In the final rule, the FTC adopts changes to the definition of PHR identifiable information that were included in the proposed rule to clarify that the HBNR applies to health apps and other similar technologies not covered by the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (collectively, “HIPAA”).  In the final rule, the FTC discusses the scope of the definition, noting that “unique, persistent identifiers (such as unique device and mobile advertising identifiers), when combined with health information constitute ‘PHR identifiable health information’ if these identifiers can be used to identify or re-identify an individual.”
    • “Covered health care provider.”  In the proposed rule, the FTC proposed adding a definition of “health care provider” to include providers of medical or other health services, or any other entity furnishing “health care services or supplies” (i.e., websites, apps, and Internet-connected devices that provide mechanisms to track health conditions, medications, fitness, sleep, etc.).  The final rule does not make substantive changes to this proposed definition but does contain a slight terminology change to “covered health care provider” to distinguish that term from the definition of “health care provider” in other regulations. 

In the final rule, the FTC notes that the concern (expressed by some commenters) that the scope of these definitions could impermissibly cause the HBNR to cover retailers of general purpose items like shampoo or vitamins is unwarranted—rather, the FTC explains, the threshold inquiry is whether an entity is a vendor of PHR, which is “an entity that offers or maintains a [PHR].”  The final rule notes that to be a vendor of PHR covered by the HBNR, an app, website, or online service “must provide an offering that relates more than tangentially to health” and that a PHR must be “an electronic record of PHR identifiable health information on an individual, must have the technical capacity to draw information from multiple sources, and must be managed, shared, and controlled by or primarily for the individual.” 

    • “Breach of security.”  In the final rule, the FTC adopts the proposed changes to the meaning of “breach of security” to capture a company’s intentional but unauthorized disclosures of consumers’ PHR identifiable health information to third party companies, as well as traditional cybersecurity incidents.  Notably, the FTC emphasizes in the final rule that the meaning of “breach of security” includes more than just unauthorized disclosures to third parties—the FTC takes the position that the term also includes unauthorized uses, i.e., “where an entity exceeds an authorized access to PHR identifiable health information, such as where it obtains data for one legitimate purpose, but later uses that data for a secondary purpose that was not originally authorized by the individual.”

The final rule notes that the FTC has not added a definition of “authorization,” but provides several examples of what may constitute an “unauthorized” disclosure of PHR identifiable health information, including (i) affirmative privacy misrepresentations to users such that disclosures of PHR identifiable health information are inconsistent with consumer expectations and (ii) “deceptive omissions,” where a company does not disclose, or obtain affirmative express consent from users for, the sharing of their PHR identifiable health information for targeted advertising.

    • “PHR Related Entity.”  The FTC adopts in the final rule the proposed changes to the definition of “PHR related entity” to affirm that (i) PHR related entities include entities offering products and services through any online service, including mobile applications, (ii) PHR related entities encompass only entities that access or send unsecured PHR identifiable health information to a PHR, and (iii) a third party service provider that accesses PHR identifiable health information in the course of providing services is not automatically rendered a PHR related entity.  However, the final rule states that, to the extent a third party service provider uses PHR identifiable health information that it receives in its capacity as a service provider for its own purposes (e.g., its own research and development), this entity is a PHR related entity “to the extent that it offers its services . . . for its own purposes rather than to provide services.”

The final rule also requires that vendors of PHR and PHR related entities notify their third party service providers that the vendor of PHR/PHR related entity is subject to the HBNR.  According to the final rule, the purpose of this notice is to ensure that the third party service providers are aware of the content of the data transmissions received by the third party service providers and that the third party service providers provide timely notice to the vendor of PHR/PHR related entity of any breach under the HBNR. 

The final rule states that vendors of PHR and PHR related entities may facilitate compliance with this notice requirement by stipulating via contract whether the transmissions to third party service providers will contain PHR identifiable health information.  The final rule suggests that both the vendor of PHR/PHR related entity and the third party service provider should monitor for compliance with such contractual provisions, taking into consideration the size and sophistication of the entity and the sensitivity of the data.  Further, the final rule suggests that a third party service provider such as “a large advertising platform” may have heightened obligations to monitor the data it receives (even where partners promise not to send PHR identifiable health information to it), particularly if it has in the past routinely received unsecured PHR identifiable health information notwithstanding commitments to the contrary from vendors of PHR/PHR related entities.  The final rule distinguishes these heightened monitoring obligations from those of “small firms that do not engage in high-risk activities where the contract precludes sending such data and there is no history of such transmissions.”

  • Clarification of the meaning of a PHR “draw[ing] information from multiple sources:”  In the final rule, the FTC adopts the proposed changes to what it means for a PHR to draw information from multiple sources.  Specifically, a PHR will now be defined to include an electronic record of PHR identifiable health information that has the technical capacity to draw information from multiple sources.  For example, according to the final rule, because a fitness app has the technical capacity to draw identifiable health information from both the user and the fitness tracker, it is a PHR, even if some users elect not to connect the fitness tracker. 
  • Provision of electronic notice and included content:  The final rule adopts the proposal that notice of a breach sent by electronic mail must also be provided by one or more of a text message, within-app message, or electronic banner, which must be clear and conspicuous.  The final rule also requires that a notice of breach include the name or identity (or, where providing the full name or identity would pose a risk to individuals or the entity providing notice, a description), website, and contact information of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security.
  • Timing changes for notices of breaches:  Previously, the HBNR required notice “as soon as possible and in no case later than ten business days following the date of discovery of the breach” for breaches involving 500 or more individuals.  For breaches involving fewer than 500 individuals, the HBNR requires notice within 60 calendar days following the end of the calendar year.  The final rule modifies the timing for the notice of a breach of security involving 500 or more individuals to “without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security.”  The notice to the FTC must be sent at the same time as the notice to individuals.

As noted above, this final rule was not issued unanimously—the FTC Commissioners voted 3-2 to finalize the changes, with recently confirmed Commissioners Holyoak and Ferguson opposing the final rule.  Among other reasons outlined in their dissenting statement, Commissioners Holyoak and Ferguson argued that the final rule “exceeds the Commission’s statutory authority, puts companies at risk of perpetual non-compliance, and opens the Commission to legal challenge that could undermine its institutional integrity.”

While the finalization of these changes to the HBNR is notable, many of these changes reflect the codification of the position already taken by the FTC in recent years in prior guidance and enforcement actions.  In 2021, the FTC adopted by a 3-2 vote a policy statement, the “Statement of the Commission on Breaches by Health Apps and Other Connected Devices,” which took a similarly broad approach to when health apps and connected devices are covered by the HBNR and when there is a “breach” for purposes of the HBNR.  Then-Commissioners Phillips and Wilson opposed the policy statement based on concerns about the expansion of the HBNR beyond the FTC’s statutory authority, among other concerns.  Since the 2021 policy statement, the FTC has brought its first two enforcement actions under the HBNR, against GoodRx (issued 4-0) and Easy Healthcare (issued 3-0), leveraging its broad interpretation of the meaning of “breach.”

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Anna D. Kraus

Anna Durand Kraus advises on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (“HHS”) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and HIPAA privacy and security. Anna is co-chair of the firm’s Health Care Industry practice group.

Anna regularly advises clients on Medicare reimbursement matters, particularly those arising under Part B and the Part D prescription drug benefit. She also has extensive experience with the Medicaid Drug Rebate program. She assists numerous pharmaceutical and device manufacturers, health care providers, pharmacy benefit managers, and other health care industry stakeholders to navigate the challenges and opportunities presented by the Affordable Care Act.

Anna is a trusted adviser on health information privacy, security and breach notification issues, including those arising under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Her background in this area dates back to the issuance of the original HIPAA privacy regulations.

Anna’s clients depend on her to guide them through compliance with the Anti-Kickback statute, the Stark regulations, and other laws preventing fraud and abuse in the health care industry. Her deep knowledge of these laws has made her an important component of the firm’s representation of pharmaceutical companies and health care organizations under federal investigation or facing allegations under the False Claims Act. In addition, clients contemplating acquisitions in the health care sector rely on her to guide due diligence efforts.

Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and health care.

Elizabeth’s practice includes counseling clients on compliance with the complex web of health information privacy laws and regulations, such as HIPAA, the FTC’s Health Breach Notification Rule, and state medical and consumer health privacy laws as well as state consumer privacy and genetic privacy laws. She also advises clients on health care compliance issues, such as fraud and abuse, market access, and pricing and reimbursement activities.

Elizabeth routinely advises on regulatory compliance as part of transactions, clinical trial programs, collaborations and other activities that involve genetic data, and the development and operation of digital health products. As part of her practice, Elizabeth routinely counsels clients on drafting and negotiating privacy and health care terms with vendors and third parties and developing privacy notices and consent forms. In addition, Elizabeth maintains an active pro bono practice.

Elizabeth is an author of the American Health Law Association treatise, Pricing, Market Access, and Reimbursement Principles: Drugs, Biologicals and Medical Devices and the U.S. chapter of the Global Legal Insights treatise, Pricing & Reimbursement Laws and Regulations.