| Update Applicable to: | Effective date |
| --- | --- |
| All covered entities | July 29, 2024 – Immediately |
What happened?
On July 29, 2024, the amended Health Breach Notification Rule by the Federal Trade Commission (FTC) took effect.
Quick Summary:
The FTC’s amendments to the Health Breach Notification Rule (HBNR) enhance consumer privacy protections for users of online health platforms and wellness apps.
Key changes include:
- Expanded Scope: Now applies to entities not covered by HIPAA, including online platforms and mobile apps.
- Notice and Consent: Businesses must review their programs to ensure they obtain user consent for sharing PHR identifiable health information.
- Incident Response: Companies must align their incident response plans with FTC requirements for reporting data breaches.
- Broadened Rule: Clarifies breaches, expands notification methods, adds content requirements for notifications, and changes the notification timeframe to the FTC.
- Compliance for Non-HIPAA Entities: Entities maintaining health information must ensure HBNR compliance, including those not regulated by HIPAA.
What are the details?
The Federal Trade Commission (FTC) has issued a final rule to amend its Health Breach Notification Rule (HBNR), which mandates that entities managing unsecured personally identifiable health data must notify individuals, the FTC, and sometimes the media, in the event of a security breach. The amendments aim to clarify and update the HBNR in response to technological and market changes, as well as public feedback.
Key Points:
- Clarifying Scope: The rule expands the scope of the HBNR to include foreign and domestic vendors of PHR, PHR-related entities, and third-party service providers not covered by HIPAA.
  - It clarifies definitions for these entities, ensuring the rule applies to health apps, connected devices, and other online services managing unsecured PHR identifiable health information.
- Vendor Definition: The rule defines a vendor of personal health records (PHRs) as an entity that offers or maintains electronic health records capable of drawing information from multiple sources, excluding HIPAA-covered entities and their business associates.
  - It clarifies that the PHR must have the technical capacity to integrate data from various sources, such as health care providers, health plans, employers, wearable devices, or phone calendars, even if it currently draws information from only one source.
- Breach Definition: If a breach of security occurs, businesses must notify affected individuals, the FTC, and media outlets if over 500 individuals are affected. Third-party service providers must notify the health records vendor or PHR-related entity they serve, who must then acknowledge receipt and identify all affected individuals.
- Notification Timing: Businesses must notify affected individuals and the media of a security breach without unreasonable delay and no later than 60 days after discovery.
  - For breaches affecting over 500 individuals, the FTC must be notified simultaneously.
  - For fewer than 500, notification to the FTC is required within 60 days after the calendar year ends.
  - Notifications can be made via email, mail, phone, website, media, or next of kin, and the FTC can be notified online.
- PHR-related Entities: A business is considered a PHR-related entity if it interacts with a vendor of personal health records by offering products or services through the vendor’s website or by accessing or sending identifiable health information to a personal health record. However, companies already covered by HIPAA are not classified as PHR-related entities.
- Modernized Notices: The final rule requires entities to notify individuals and the FTC of breaches involving unsecured PHR identifiable health information in a timely, clear, and conspicuous manner as specified in 16 CFR § 318.5.
  - Notices must be promptly provided via electronic mail, first-class mail, or substitute methods if contact information is insufficient, with additional urgent notifications as needed.
- Expanded Notice Content: The expanded content of the notice requires that breach notifications include detailed information about the breach, such as the date, affected data types, and steps individuals should take to protect themselves.
  - It also mandates clear communication methods, timely delivery, and comprehensive contact information for further inquiries.
Business Considerations
- Employers should assess whether the expanded reach of the rule applies to them, determining if they qualify as a vendor of PHR or a PHR-related entity under the new definitions.
- Employers should review and update their notice and consent programs to ensure all PHR identifiable health information is shared only with user consent, in line with public-facing privacy policies. They should also update policies and procedures to account for apps and technologies that can draw information from multiple sources and are managed primarily for the individual.
- Employers should revise their incident response plans to reflect updated notification timelines and ensure processes are in place to meet content and timing requirements for reporting incidents to affected individuals and the FTC.
- Employers should ensure compliance with the HBNR, especially if they are not regulated by HIPAA but maintain health information.
Source References
- FTC Finalizes Changes to the Health Breach Notification Rule
- FTC Health Breach Notification Rule Amendments
- FTC Health Breach Notification Rule