Federal Trade Commission Proposes New Rule for Personal Health Record Vendors

On June 9, 2023, the Federal Trade Commission (“FTC”) proposed amendments to a regulation applicable to vendors of personal health records (“PHRs”) and related entities who store data about U.S. citizens or residents. The Health Breach Notification Rule (“HBN rule” or “the rule”) defines a “personal health record” as “an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” See 16 C.F.R. 318.2(d). According to the FTC’s proposal, the purpose of amending the rule is to clarify its scope in a health care landscape increasingly proliferated by mobile applications and related technologies.

The HBN Rule applies to direct-to-consumer health technologies from entities not covered by the Health Insurance Portability and Accountability Act (“HIPAA”). However, the HBN rule may also be of interest to HIPAA-covered entities who use or recommend electronic health care applications and devices to patients. For most hospitals, doctors’ offices, and insurance companies, HIPAA governs the privacy and security of health records stored online. However, many companies that collect people’s health information are not covered by HIPAA. The FTC’s HBN rule applies to a broad range of health technologies offered by those companies, primarily smartphone or smartwatch applications and their connected devices. For example, smart device fitness apps, connected glucose meters, and prescription ordering applications are all governed by the rule. The makers of these apps have a responsibility to ensure they secure the data they collect, which includes preventing unauthorized access to such information.

FTC’s Proposed Changes

  1. The Scope of the HBN Rule

The FTC proposes to clarify the rule's application to health apps and other non-HIPAA governed technologies. The rule mandates PHR vendors notify individuals, the FTC, and sometimes the media of unprotected "PHR identifiable health information" breaches. It also compels third-party service providers to notify PHR vendors and PHR-related entities of breaches.

The amended HBN rule would redefine "PHR identifiable health information" and include two new definitions ("health care provider" and "health care services or supplies") to clarify its scope. Currently, the rule defines “PHR identifiable health information” as “individually identifiable health information . . . [t]hat is provided by or on behalf of the individual . . . and that identifies the individual with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.” The modified definition adds two factors. First, the information must relate to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. Second, the information must be created or received by a: (i) health care provider; (ii) health plan (as defined in 42 U.S.C. 1320d(5)); (iii) employer; or (iv) health care clearinghouse (as defined in 42 U.S.C. 1320d(2)).

These additional details help distinguish PHR identifiable health information, such as full name, Social Security number, date of birth, home address, account number, or disability code, from other data that health care applications may collect.

  1. Redefining “Breach of Security”

The FTC proposes clarifying that a "breach of security" includes access to a PHR of identifiable health information due to unauthorized disclosure. Under the current HBN rule, unauthorized access to an individual's personally identifiable health information is a security breach. Section 3.182(a) currently defines a “breach of security” as “acquisition of [PHR identifiable health information] without the authorization of the individual . . . to include unauthorized access to unsecured PHR identifiable health information . . . .” However, the current provision is unclear whether disclosures are included with prototypical data breaches where the PHR provider or related entity does not intentionally or accidentally disclose the information.

The amended rule would clarify the meaning of “unauthorized access” by providing that “[a] breach of security includes an unauthorized acquisition of unsecured PHR identifiable health information in a personal health record that occurs as a result of a data breach or an unauthorized disclosure.” The amended language clarifies that disclosure of PHR identifiable information does amount to a security breach, like the definition of a breach in HIPAA’s Health Breach Notification rule.

  1. Redefining PHR Related Entities

The FTC proposes revising the definition of a PHR-related entity to include entities that sell items and services through PHR suppliers' online services, including mobile apps. PHR-related entities will also be defined as entities that access or provide unsecured PHR identifiable health information to a personal health record. The current HBN rule defines “PHR-related entities” broadly. The definition covers any entity not governed by HIPAA “to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that . . . [o]ffers products or services through the Web site of a vendor of personal health records . . . [o]ffers products or services through the Web sites of HIPAA-covered entities that offer individuals personal health records; or . . . [a]ccesses information in a personal health record or sends information to a personal health record.” The FTC’s amended definition would include “any online service” to account for the modernization and expansion of mediums for digital health care. The updated definition would also clarify that a PHR-related entity accesses or sends "PHR identifiable health information" as discussed above, not any PHR data.

  1. Clarifying the Meaning of “Multiple Sources”

The FTC proposes to clarify what it means for a personal health record to draw PHR identifiable health information from multiple sources. Currently, the rule defines a “personal health record” as “an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” The amended rule would clarify that “drawn from multiple sources” means the record has the technical capacity to draw information from multiple sources and is managed, shared, and controlled by or primarily for the individual. The new definition more clearly applies to applications that can, for instance, extract or cross-reference information from other health care applications.

  1. Authorizing Electronic Notice

Instead of mailing security breach notifications, the FTC proposes permitting electronic notice in some cases. PHR vendors and connected entities must notify security breach victims immediately. Security breaches must be reported within 60 days. If first-class mail fails to reach affected individuals, the PHR vendor or PHR-related entity might send mass notifications instead. Thus, a PHR vendor or PHR-related business can post a prominent notification on its website's home page for 90 days or notify major print or broadcast media in areas where breach victims are likely to live. A media or web publication must contain a toll-free phone number valid for at least 90 days so individuals can find out if their unsecured PHR information was breached.

The FTC's proposal would allow PHR vendors and related entities to contact impacted individuals by email due to the expense and logistical challenges of first-class mail. The amended rule would provide that “written notice may be sent by electronic mail, if the individual has specified electronic mail as the primary method of communication.” Electronic mail includes a variety of communications, including standard email in combination with one or more “text messages, within-application messaging, or electronic banner.

  1. Expanding Required Content of Notices

When a security breach takes place, the rule imposes notice and reporting requirements on PHR vendors and PHR related entities. Like HIPAA’s Breach Notification Rule, the FTC’s rule provides a three-tiered notification process for entities who experienced a security breach. These notification requirements vary with the magnitude of the security breach. The FTC proposes to expand the required content of the notice to individuals to require that consumers whose unsecured PHR identifiable information has been breached receive additional important information, including information regarding the potential for harm from the breach and protections that the notifying entity is making available to affected consumers.

Under the HBN rule, the required content of a notice differs from the requirements of a notice for HIPAA-covered entities. HIPAA notices must include: (a) the nature and extent of the personal health information involved, (b) the unauthorized person who accessed the personal health information, (c) whether the personal health information was acquired or viewed, and (d) the extent to which the risk to the PHI has been mitigated.

In contrast, the HBN rule imposes a few more consumer-protection focused requirements than HIPAA’s rule. The HBN rule requires that a notice specify: (a) the nature and time of the security breach; (b) the nature and extent of personal health information involved in the breach; (c) steps individuals should take to protect themselves from potential harm resulting from the breach; (d) steps the entity that suffered the breach has taken to investigate the breach, to mitigate harm, and to protect against any further breaches; and (e) contact procedures for individuals to ask questions or learn additional information.

The FTC’s proposed amendments add more details to the pre-existing requirements, which provide clearer guidance about what information must be in a notice. For instance, Section 318.6 (b) currently states that a notice must provide: “A description of the types of unsecured PHR identifiable health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code).” The amended version of the same section would require: “A description of the types of unsecured PHR identifiable health information that were involved in the breach (such as but not limited to full name, Social Security number, date of birth, home address, account number, health diagnosis or condition, lab results, medications, other treatment information, the individual’s use of a health-related mobile application, or device identifier (in combination with another data element)).” These extra details should help PHR suppliers and connected entities ensure their notice material is sufficient.

  1. Technical Revisions for Readability

The FTC proposes several technical edits to the HBN rule that will enhance comprehension. The most important of these changes is that the FTC will add a new section that plainly states the penalties for non-compliance. Under the current rule, the penalties for non-compliance are incorporated by reference to the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices. The amended rule will do away with this reference, expressly clarifying that violators are “subject to civil penalties . . . in the same manner, by the same means, and with the same jurisdiction, powers, and duties . . . pursuant to the Federal Trade Commission Act.”

Conclusion

The FTC’s HBN rule amendments will substantially clarify the scope and substance of notice and reporting requirements for PHR vendors and PHR-related entities who are not already covered by HIPAA’s Health Breach Notification Rule. For more information on the proposed amendments, see the FTC’s full proposal here. The FTC is soliciting comments on the amendments until August 8, 2023.

If you or your organization have questions about the FTC’s HBN rule or forthcoming amendments thereto, please contact Peter Mellette, Harrison Gibbs, Elizabeth Coleman, or Trace Hall at Mellette P.C.

Mellette PC appreciates the assistance of Alex Owens ‘24, William & Mary School of Law, in the preparation of this advisory.

This Client Advisory is for general educational purposes only. It is not intended to provide legal advice specific to any situation you may have. Individuals desiring legal advice should consult legal counsel for up-to-date and fact-specific advice.