News

FTC finalizes revised health breach notification rule expanding its scope and updating obligations

On May 30, 2024, the FTC published amendments to its Health Breach Notification Rule (“HBNR” or “Rule”) in the Federal Register, memorializing the Rule’s expanded scope that now explicitly includes direct-to-consumer health and wellness technologies. Effective July 29, 2024, these updates may require companies to re-assess whether the Rule applies to them and revise their incident response processes to comply with new notice obligations.

Overview of the Rule

The final version of the updated HBNR requires foreign and domestic vendors of personal health records (“PHRs”), PHR-related entities, and third-party service providers that maintain information about U.S. citizens or residents to notify individuals, the FTC, and (in some cases) the media of a breach of unsecured PHR identifiable health information. The HBNR sets out specific notification triggers, timelines, content and form requirements, and enforcement penalties. Among other updates, the FTC expanded the HBNR’s application to health apps and similar technologies and the information they collect. Many of the changes introduced by the final Rule were previewed in the FTC’s Notice of Proposed Rulemaking (NPRM), as outlined in our prior post.

Key Changes

While many of the changes merely improve readability (e.g., by clarifying cross-references and streamlining descriptions), other edits in the final Rule expand both the scope of companies subject to the HBNR and the types of data incidents that must be reported.

  • Increased scope. The Rule’s new definitions for PHR and PHR identifiable health information now cover a broader swath of health and wellness apps and technologies, expressly calling out websites, mobile apps, and internet-connected devices not traditionally considered in scope, such as apps that only track vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, or diet.
  • Expanded definition of breach. The Rule’s revised definition of breach now includes unauthorized disclosures of health information, in addition to the traditional definition covering unauthorized access to or acquisition of information.
  • New methods of notice. The Rule permits email, in combination with other electronic methods such as text, in-app messaging, and electronic banners, as an acceptable means of providing individual notice of a breach.
  • New notice content and form requirements. The Rule requires that additional incident details and design details be included in the individual breach notice, such as the full name or identity of any third parties that acquired individual information, and calls for the use of short, explanatory sentences or bullet lists whenever possible.
  • Extended timeline for notice to the FTC. The Rule extends the timeline for notifying the FTC of an incident involving more than 500 individuals from ten business days to 60 days, aligning notice to the FTC with notice to individuals and the media.

Next Steps

In response to the FTC’s updates, and in preparation for an incident that may trigger these obligations, companies offering connected health and wellness devices or mobile health applications may consider:

  • Confirming the scope of potentially covered offerings and data;
  • Updating incident response processes; and
  • Assessing whether notification procedures may need to be updated.

Authored by Melissa Bianchi, Alyssa Golay, and Fleur Oke.