FTC Proposed Health Breach Notification Rule Changes Target the Online Collection of Health Data

Client Alert

The Federal Trade Commission (FTC) continues to expand its regulation of health care data to ensure the data remains protected when shared with consumer-facing applications.

On June 9, 2023, the FTC published a Notice of Proposed Rulemaking in the Federal Register that would substantially revise the Commission’s Health Breach Notification Rule (the Rule). The Rule implements Section 13407 of the American Recovery and Reinvestment Act of 2009, requiring companies related to the health care industry to notify consumers when they disclose consumers’ personal information without the consumers’ authorization. The Health Insurance Portability and Accountability Act only governs health care providers, health plans and health care clearinghouses, and does not govern or protect data collected by consumer-facing apps or all digital health providers.

While the Health Breach Notification Rule had long been dormant, in 2021, the FTC issued a Policy Statement asserting its position that the Rule’s provisions extend not just to vendors of personal health records (PHRs) but also to related entities and service providers of those entities. Since the issuance of its Policy Statement on the Rule, the Commission has put its money where its mouth is, settling two enforcement actions this year, the first against GoodRx, a digital health care platform, and the second against Easy Healthcare Corporation regarding its Premom app, an ovulation tracker. In both cases, the FTC alleged that the companies had shared their customers’ sensitive health data for advertising purposes, in violation of promises they would not do so. Both settlements required the companies to alert their customers to the alleged unauthorized disclosures and imposed significant compliance obligations and other restrictions. The companies were also assessed civil penalties—in GoodRx’s case, the penalty was $1.5 million.

The newly proposed Rule would codify much of the Policy Statement’s pronouncements and specifically would:

  • Revise the definition of “PHR identifiable health information” to include “health care provider” and “health care service or supplies,” thereby further expanding the FTC’s reach into the health care space. The expanded definition would cover:
    • Traditional health information, such as diagnoses or medications;
    • Health information derived from consumers’ interactions with apps and other online services, such as health information generated from tracking technologies employed on websites or mobile applications or from customized records of website or mobile application interactions; and
    • Emergent health data, such as health information inferred from non-health-related data points such as location and recent purchases.
  • Revise the definition of “breach of security” by adding a clarifying example at the end of the existing definition, which would confirm that a “breach of security” includes an unauthorized acquisition of identifiable health information in a PHR that occurs as a result of a data security breach or an unauthorized disclosure.
    • Consistent with the Rule’s current text, the new text seeks to clarify that the definition is broader than comparable definitions used in traditional security breach notification statutes, which generally require a third party to have access to the data in a manner that is unauthorized by the business that controls the data, rather than by the consumer. The new definition includes clarifying examples of breaches where a company “breaches” its own security through the sale or other unauthorized use of personal health data in breach of customer assurances that the data would not be shared, even where the customer’s data is not actually at risk of being used to harm the customer. The proposed text would further state that the definition “is not limited to cybersecurity intrusions or nefarious behavior.”
  • Revise the definition of “PHR-related entity” to clarify that PHR-related entities include (1) entities that offer products and services online, such as mobile apps; and (2) entities that access or send unsecured PHR identifiable health information.
    • With this definition, the Commission has stated that it intends to incentivize PHR vendors to select and retain service providers capable of treating data responsibly, and to oversee them to ensure responsible data stewardship. It further intends to create incentives for PHR vendors to avoid service-provider breaches by deidentifying health information before sharing it with service providers, as doing so would render the data no longer “PHR identifiable health information,” and thus not subject to the Rule.
  • Clarify the meaning of a PHR drawing identifiable health information from multiple sources.
    • The PHR definition applies to products with the ability to obtain data from multiple sources, even if a consumer only uses one of those sources when using an app. For example, the Commission states that a depression management app accepting consumer inputs of mental health status with the technical capacity to sync with a wearable sleep monitor would be considered a PHR regardless of whether the customer actually syncs a sleep monitor with the app.
  • Authorize electronic notice in the event of a breach.
    • The newly proposed authorization would allow companies experiencing a data breach to inform their customers via email. The Commission also includes a model notice of breach to consumers with the proposed Rule.
  • Expand the required consumer notice to include information regarding potential harm from the data breach and protections being made available to affected customers.
    • The expansion would require companies experiencing a data breach to notify consumers not just of the breach but also, to the extent known, of the third parties that acquired the unsecured PHR identifiable health information, including the third party’s full name, website and contact information.

What’s Next

If adopted, the amendments would confirm the FTC’s significant expansion of the scope and breadth of the Health Breach Notification Rule in an era of rapid innovation in health-and-wellness-related technology, as well as confirm the FTC’s current broad interpretation of the Rule as reflected by its recent actions against GoodRx and Easy Healthcare. Such an expansion could signal more aggressive enforcement of the Rule against companies, including those only tangentially related to the health space.

These recent developments, along with the FTC’s 2021 Policy Statement, emphasize that the Rule should not be viewed solely as a “data breach” law as the term is commonly understood. Instead, the Rule must be properly accounted for in the privacy programs of regulated businesses. Among other things, regulated businesses should continue to closely scrutinize their consumer-facing disclosures in privacy policies and elsewhere to ensure that any third-party sharing of personal data would not be considered by the FTC to be an unauthorized disclosure.

Comments on the amendments will be accepted until August 8, 2023.

© 2024 Manatt, Phelps & Phillips, LLP.