Data Breaches and Your Smart Watch: FTC Expands the Reach of the Health Breach Notification Rule 

July, 2024 - Gregory A. Tapocsi, Kelly A. Leahy

Effective July 29, 2024, the Federal Trade Commission (“FTC”) has issued a final rule that expands the scope of its existing Health Breach Notification Rule (“HBNR”) to include health and wellness applications (“apps”) typically associated with wearable technologies such as smart watches. Due to the continued growth and diversification of such technologies, many businesses currently aggregate and store significant amounts of sensitive personal health information, like heart rate and fitness data, that fall outside the protections of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The FTC’s new rules seek to bolster the protection of such information and illustrate the growing regulatory scrutiny of the security and privacy practices of health-related apps and technologies.

Developers of health and wellness apps should take this final rule as a substantial change in the FTC’s oversight of data protection practices. App developers and other health companies that rely on consumer personal health records (“PHR”) should carefully consider the impacts of this final rule on internal operating structures and consumer privacy representations.

Originally, the HBNR required vendors of PHR and related entities to inform individual consumers and the FTC (and media outlets in the case of wide-scale breaches) whenever identifiable health information was inappropriately disclosed in a security breach. However, in 2021, the FTC issued a policy statement that broadly interpreted the HBNR to include any unauthorized release of such information (i.e., any disclosure made without individual authorization) and applied the HBNR to developers of health apps or connected devices. The FTC further acted on this interpretation in recent enforcement actions that were consistent with the soon-to-be-effective final rule.

The FTC has amended the rule in multiple key ways in order to ensure the HBNR applies to a wide array of health and wellness apps:

  1. Modification of the definition of “PHR identifiable health information” to include any health information that identifies an individual and is created or received by a covered health care provider, health plan, employer or clearinghouse.[1]
  2. Addition of the term “covered health care provider” that expands the scope of the HBNR to include any entity that furnishes health care services or supplies.[2] Importantly, the HBNR is expressly inapplicable to entities covered by HIPAA, including business associates.
  3. Addition of the term “health care services or supplies” that includes any online service, including mobile apps, that “provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.”[3] This broad definition fits the FTC’s goal to bring a wide range of health and wellness mobile app developers within the HBNR.
  4. Imposition of notice obligations on PHR-Related Entities (i.e., those entities that provide products or services through the websites and mobile apps of PHR vendors and access or send unsecured PHR identifiable health information).[4]
  5. Clarification that the HBNR only applies to vendors of PHRs who offer a good or service that “relates more than tangentially to health.”[5]

While the HBNR originally applied only in circumstances involving a data breach, the final rule broadens this scope to include “unauthorized acquisition of unsecured PHR identifiable health information in a personal health record” stemming from either a “data breach” or “unauthorized disclosure.”[6] This means that even when no data breach has occurred, companies may be culpable under the HBNR if consumer health information is disclosed without authorization. Moreover, the FTC did not define “authorization” under the rule but did provide examples, such as an instance in which the voluntary disclosure of PHR identifiable health information for advertising analytics could constitute an unauthorized disclosure under the rule.[7]

The final rule also changes how notifications under the HBNR should be made to the FTC. The FTC now will allow electronic notification if the consumer has provided an email address as the primary contact.[8] The content of notices must now also contain the full name of those who obtained PHR identifiable health information in a security breach and provide consumers with a description of how the notifying party is mitigating potential damage.[9]

If you have questions, please contact Kelly A. Leahy, Gregory A. Tapocsi or your Dinsmore attorney.[10]


[1] 16 C.F.R. § 318.2.

[2] § 318.2.

[3] § 318.2.

[4] § 318.3(a).

[5] 89 Fed. Reg. 47035.

[6] § 318.2; 89 Fed. Reg. 47041.

[7] 89 Fed. Reg. 47042.

[8] 89 Fed. Reg. 47045.

[9] § 318.6.

[10] The authors would like to thank Dinsmore Summer Associate, Andrew Gilmore, for his contributions to this Law Alert.
