Enforced by the Federal Trade Commission (FTC), the Health Breach Notification Rule (HBNR) is undergoing a major update under a new Final Rule released earlier this year. The HBNR requires vendors of identifiable health information that falls outside HIPAA's scope to notify "individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data." The rule also requires third-party service providers to those vendors to notify the vendors following a breach.

The Final Rule makes several important changes to the HBNR, including:

  • Broadening the HBNR to cover digital products and services, including mobile apps. This change brings within the rule health information that is not currently governed by HIPAA.
  • Clarifying that a "breach of security" includes any unauthorized acquisition of identifiable health data, whether it results from a data security breach or from an unauthorized disclosure of any kind.
  • Expanding consumer notification requirements by permitting email to be used to alert consumers of a breach in many instances. Those alerts must now include the name of any unauthorized third parties that acquired identifiable health information as a result of the breach of security.
  • Updating the timeline for notifying the FTC of a breach of security. When a breach affects 500 or more individuals, covered entities must now notify the FTC at the same time they notify consumers, without "unreasonable delay" and in no case later than 60 calendar days after the breach is discovered.

Since its early 2023 enforcement actions against digital health companies such as BetterHelp, the FTC has treated the HBNR as a tool for governing health data that falls outside HIPAA's scope. This Final Rule takes the next step by holding entities that handle data the law treats as health data, but that are not covered by HIPAA, accountable for adequately securing identifiable health information.

However, many stakeholders believe that the FTC overstepped its authority in issuing the Final Rule and have promised to challenge it in court. These critics contend that passing federal privacy legislation would be a more effective and legally sound way to achieve the same objective.

This is part of a broader debate about the absence of federal privacy legislation and about who should be responsible for governing health data privacy and security, an area that often falls into multi-jurisdictional gray areas of the law.

The Final Rule takes effect 60 days after it is published in the Federal Register.

ADVOCATE will share additional information with clients and friends on this and other federal health policies as it becomes available.

Kirk Reinitz, President