On May 18, 2023, the Federal Trade Commission (FTC) filed a Notice of Proposed Rulemaking and Request for Public Comment (“NPRM”) seeking to amend the Health Breach Notification Rule (“HBNR”). We previously wrote about the FTC’s policy statement, in which the FTC took the position that mobile health applications that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) are covered by the HBNR. In our post, we highlighted concerns raised in dissent by Commissioner Noah Joshua Phillips that the FTC’s interpretation of “breach of security” was too broad. Commissioner Phillips has since resigned.

Over the past several months, the FTC followed through with its policy statement, bringing, and publicly settling, cases against prescription drug price tracking app GoodRx and, most recently, ovulation tracking app Premom. While these cases arguably did not constitute what most would consider a typical “data breach” involving access or acquisition by a hacker, the FTC alleged (among other things) violations of the HBNR where identifiable consumer health data (referred to as “PHR identifiable health information” under the HBNR) was shared with advertising technology (“AdTech”) solution providers through the use of web beacons, cookies, and click trackers on company websites or apps. This is consistent with the FTC’s policy position that a breach under the HBNR “is not limited to cybersecurity intrusions or nefarious behavior.” Because these cases settled, no court has yet opined on the propriety of the FTC’s interpretation that unauthorized disclosure of PHR identifiable health information to AdTech companies is a “breach of security” under the HBNR.

The FTC’s proposed amendments to the HBNR attempt to codify this broad interpretation. Notably, the amendments would, among other things, include “unauthorized disclosure” in the definition of “breach of security,” and bring “websites” and “mobile applications” into the scope of the law, consistent with the FTC’s recent enforcement actions.

The FTC also proposes that electronic banners (i.e., cookie banners) can be used to notify individuals of a “breach of security.” As it is currently written, the HBNR requires notice by postal mail by default. This proposed amendment highlights one of the unspoken assumptions of the FTC’s interpretation of “breach of security”—a website operator might comply with the HBNR by sending, via physical mail, a notice to its users that it is using AdTech. If the amendments are approved, a website or mobile health application could comply with the HBNR by using a cookie banner instead.

It is yet to be seen if the FTC will continue its enforcement in this area, or if it will wait until the amendments are approved before bringing similar actions. In its blog post accompanying the NPRM, the FTC summarized the proposed amendments to the HBNR as follows:

  • Revising several definitions to clarify the rule’s application to health apps and similar technologies not covered by HIPAA. This includes modifying the definition of “PHR identifiable health information” and adding two new definitions for “health care provider” and “health care services or supplies”;
  • Clarifying that a “breach of security” under the rule includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;
  • Revising the definition of “PHR related entity” in two ways that pertain to the rule’s scope. For example, it makes clear that only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities;
  • Clarifying what it means for a personal health record to draw PHR identifiable health information from multiple sources;
  • Authorizing the expanded use of email and other electronic means of providing clear and effective notice of a breach to consumers;
  • Expanding the required content that should be provided in the notice to consumers. For example, the notice would be required to include information about the potential harm stemming from the breach and the names of any third parties who might have acquired any unsecured personally identifiable health information; and
  • Adding changes to improve the rule’s readability and promote compliance.

Public comments can be submitted for 60 days after the NPRM is published in the Federal Register. Epstein Becker Green will be closely following these developments. For additional information about the issues discussed above, or if you have any other questions or concerns regarding the FTC, please contact the Epstein Becker Green attorney who regularly handles your legal matters, or one of the authors of this blog post. Read more about our expansive capabilities and offerings here.
