FTC Seeks to Expand Scope of Breach Notification Rule

The Federal Trade Commission has issued a proposal to update the Health Breach Notification Rule (HBNR) that expands the sweep of the rule to functions and products not previously within the scope of the rule. If adopted as written, a much larger number of entities would be subject to the rule, violations of which could lead to extensive fines and penalties for violations.

The American Recovery and Reinvestment Act of 2009 created protections for unsecured personal health records (PHRs) and electronic health records (EHRs), and established a requirement that entities provide notice to individuals when 500 or more individuals have been affected by a breach. This notification to the affected individuals must be provided within 60 calendar days of discovery of the breach, at which point the breached entity must also notify the FTC and, in some circumstances, the media as well. The HBNR generally applies to entities that are not within the scope of the Health Insurance Portability and Accountability Act (HIPAA).

The FTC stated that the proliferation of direct-to-consumer products such as fitness trackers prompted the agency to review whether changes should be made to the rule to account for the privacy risks associated with these technologies. The proposal is designed in part to clarify that PHR-related entities are those that offer products and services via the websites of vendors of PHRs, but also through online services, including those provided by mobile applications. The proposal is also intended to clarify that only entities that access or send unsecured PHR-identifiable health information to a personal record would qualify as PHR-related entities.

The FTC explains that the exclusion of entities that send secured information is intended to eliminate confusion about the scope of the HBNR. The agency also highlighted that the rule as currently written could be interpreted as meaning that a third party that provides analytics services to developers of PHRs are liable for unintentional breaches under the HBNR along with the developer of the PHR. The FTC said that creating a liability under the HBNR for these third parties could create duplicative notifications to the individual, potentially sowing confusion on the part of the user/consumer, thus the need for clarification.

However, the FTC is seeking comment as well on whether a third party’s sale of information to an outside entity without the consumer’s authorization should be reported to the PHR vendor rather than the user/consumer. The PHR vendor would then notify the user/consumer rather than the third party in this predicament.

Another question raised in the proposal is whether the definition of a PHR should be expanded to include an electronic record system that has the technical capacity to draw information from multiple sources, even if it ordinarily draws from only one source. Currently, the definition of an electronic record is limited to a record that is in fact drawing from more than one source. The broadening of the definition would apply regardless of whether the user/consumer has agreed to allow the PHR to draw from more than one source.

The proposal would revise the definitions of several terms but also introduces several terms, such as “health care services or supplies.” The definition of services or supplies would include online services such as a website, a mobile application or other internet-connected device that provides the ability to track diseases, vital signs and other functions. The result of this new definition is likely that developers of health apps used on mobile devices would be subject to the HBNR and thus subject to fines and penalties in the event of a violation of the rule.

There are other provisions in the draft rule that pertain to matters such as the method of notification of a breach, potentially allowing notification to be communicated electronically. This would require that notification be sent via email and at least one additional electronic means, such as a text message or a message delivered via the app. At present, any communication of a breach may require the use of traditional mail services. This new draft rule for the HBNR has a number of other features of interest for developers of these products, and thus merits the attention of developers of these apps. The FTC’s comment period ends Aug. 8.