On May 18, the Federal Trade Commission (FTC) announced a notice of proposed rulemaking to amend the Health Breach Notification Rule (HBNR). According to the FTC, the proposed changes are intended to strengthen and modernize the rule, in part by clarifying its applicability to data collected by health apps and connected devices not covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA, P.L. 104-191) Privacy Rule.
Notably, the proposals would revise important defined terms under the HBNR, including “personal health record (PHR) identifiable health information” and “PHR related entity,” in addition to adopting new definitions for “health care provider” and “health care services or supplies.” The revised term “PHR identifiable health information” would cover traditional health information as well as health information derived from consumers’ interactions with apps and online services, and “emergent health data (such as health information inferred from non-health-related data points, such as location and recent purchases).” The proposed change to the definition of “PHR related entity” is intended to narrow it to entities that access or send unsecured PHR identifiable health information to a PHR. In the proposed rule, the FTC noted that remote monitoring tools and fitness trackers are examples of devices that could qualify as a PHR related entity when individual users sync them with a PHR, such as a mobile health app. The FTC further clarified that firms that perform attribution and analytics services for a health app would not be considered a PHR related entity but would instead remain solely under the definition of “third party service providers,” so that such entities do not have to meet two separate and distinct notice requirements in the event of a breach.
The FTC also proposed to adopt two new defined terms for the HBNR, “health care provider” and “health care services or supplies.” The proposed term “health care provider” tracks the statutory definition under 42 U.S.C. 1320d(3), expanded to include “any other entity furnishing health care services or supplies,” including developers of health apps and similar technologies. Finally, the term “health care services or supplies” would include “any online service that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.”
These proposed changes come amid FTC enforcement actions under the HBNR against the company that publishes the fertility app Premom and the telehealth and prescription drug discount provider GoodRx, each for failing to notify users of unauthorized disclosures of their health information to third-party advertisers.
Comments will be due 60 days following formal publication of the proposed rule in the Federal Register.