Don’t Call It a Breach Rule: FTC Health Breach Notification Rule Has Been Here for Years, Now Updated to Serve as a Backdoor Privacy Regulation

As our loyal Practical Privacy readers may remember, back in December of 2021, the Federal Trade Commission (the “FTC” or “Commission”) began a rulemaking process to update the Commission’s Health Breach Notification Rule (the “HBNR” or the “Rule”). The Rule, originally issued in 2009, requires “vendors of personal health records” and “PHR Related Entities” to provide notice to affected individuals, the FTC, and (for larger breaches) prominent media outlets following the discovery of a “breach of security of unsecured PHR identifiable health information.”[1]

As our previous post explained, the 2021 rulemaking process sought to implement a 2021 Commission Policy Statement that adopted a surprisingly broad interpretation of the Rule. Under that interpretation, a “breach of security” that requires notification under the Rule can include not only incidents that arise from “cybersecurity intrusions or nefarious behavior,” but also intentional disclosures of information that haven’t been authorized by the individual.

The FTC did not enforce the HBNR prior to issuing the 2021 Policy Statement. Since then, the agency has enforced the Rule several times, including against GoodRx and Easy Healthcare. In these enforcement actions, the FTC relied on broad interpretations of the Rule reflected in the 2021 Policy Statement.

Late last month, a divided Commission announced that it had finalized updates to the HBNR and released a final Rule that incorporates the controversial positions taken in the 2021 Policy Statement—and more.

The updated HBNR makes significant changes to the Rule and will enable the Commission to further ramp up enforcement against a broad swath of healthcare-related entities. In this post, we explore some of the most impactful changes.

“Breaches of security” under the Rule now include uses and disclosures of PHR identifiable health information that exceed the individual’s authorization.

Like the old Rule, the updated Rule defines “breach of security” to mean, “with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual.” While the core definition is the same, the updated rule includes the following additional language that expands on the definition: “A breach of security includes an unauthorized acquisition of unsecured PHR identifiable health information in a personal health record that occurs as a result of a data breach or an unauthorized disclosure.” (Emphasis added.) As the commentary to the new Rule makes clear, the term “unauthorized disclosure” is intended to refer to a “voluntary disclosure . . . where such disclosure was not authorized by the consumer.”

Unfortunately, the Commission didn’t stop there. In the commentary to the new Rule, the Commission states that, “depending on the facts and scope of the authorizations, such as in the company’s promises and disclosures to consumers, a ‘breach of security’ could include unauthorized uses.” (Emphasis added.) “There may be a ‘breach of security,’” the Commission continues, “where an entity exceeds authorized access to use PHR identifiable health information, such as where it obtains the data for one legitimate purpose, but later uses that data for a secondary purpose that was not originally authorized by the individual.”

Despite the heightened need to obtain “authorization” to use and disclose PHR identifiable health information, the Commission rejected calls from commenters to define that term. It did, however, conclude that the agency’s “affirmative express consent” standard would not be “appropriate or warranted in all cases.” In part, that is a win for business due to the burden of meeting the affirmative express consent standard—and uncertainty over what the standard requires in all contexts.

The meaning of “authorization by the individual,” therefore, remains somewhat of a mystery. As the Commission’s commentary to the updated Rule explains, whether a disclosure is authorized “is a fact-specific inquiry that will depend on the context of the interactions between the consumer and the company; the nature, recipients, and purposes of those disclosures; the company’s representations to consumers; and other applicable laws.”

In other words, the FTC knows “authorization” when it sees it. And when it doesn’t see it… well, the FTC will let you know.

“Personal health records” and “PHR identifiable health information” are much broader than you might think.

Under the old Rule, a “personal health record” covered by the Rule was defined as an “electronic record of PHR identifiable health information . . . on an individual that can be drawn from multiple sources and is managed, shared, and controlled by or primarily for the individual.” The updated Rule revises that definition such that the record need only have the “technical capacity to draw information from multiple sources” (and be managed, shared, and controlled by or primarily for the individual).

Thus, under the updated Rule, the record does not actually need to draw information from multiple sources. Furthermore, the “information” does not itself need to qualify as PHR identifiable health information. As a result, many websites and apps (or their associated data repositories) could qualify as “personal health records” under the updated Rule simply because they have the “technical capacity” to draw information from other sources of data.

The updated Rule also modifies the definition of “PHR identifiable health information” and adds definitions for two additional terms: “health care provider” and “health care services and supplies.” These updates to the HBNR expand the scope of data subject to the Rule even further.

Under the updated Rule, “PHR identifiable health information” refers to identifiable health information that is created or received by a “covered health care provider,” health plan, employer, or health care clearinghouse. The new Rule defines “covered health care provider” to cover, among other things, “any . . . entity furnishing health care services or supplies” (emphasis added). The term “health care services or supplies,” in turn, has been assigned what the dissenting commissioners describe as a “capacious definition.” That term covers “any online services, such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.” Accordingly, “covered health care provider” can cover any entity providing health-related services through a website, app, or other online services. The Commission also noted in its commentary that “PHR identifiable health information” includes health information “inferred from non-health data points,” like location data and purchase history.

The impact of these changes is that far more data and online services will be in scope for the Rule.

An organization can become subject to the Rule as a “PHR related entity” by offering products or services through a website or other online service operated by a vendor of personal health records.

The new Rule includes updates to the definition of “PHR related entity” to clarify that an entity can be covered by the definition, and therefore subject to the Rule, in three scenarios. First, the definition covers entities that offer products and services through websites and other online services of vendors of personal health records. Second, the definition covers entities that offer products and services through online services of “HIPAA-covered entities that offer individuals personal health records.” Third, the definition of PHR related entity applies to entities that access unsecured PHR identifiable health information in a personal health record or send unsecured PHR identifiable health information to a personal health record.

The Commission updated the requirements for method and content of notice.

The new Rule includes several updates in this area. For example, the content that must be included in consumer notice has been expanded. Now, it is generally necessary to disclose the “full name or identity” of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security. There have been changes to the circumstances in which notice may be provided via email. The Commission made additional changes in this area, including with respect to when the FTC must be notified of a breach.

*              *              *

Entities operating in or adjacent to the healthcare industry should evaluate whether they are subject to the HBNR in light of the significantly expanded scope of the law and the FTC’s recent enforcement track record. Entities that determine they are a vendor of personal health records or a PHR-related entity are required to notify their service providers of their status.

Unfortunately, while styled as a “breach notification” regulation, the FTC has converted the Rule into what is, essentially, a backdoor privacy regulation. Entities subject to the Rule will need to comply with the de facto requirement to obtain consumer “authorization” for disclosures of PHR identifiable health information to avoid causing “breaches” through their voluntary uses and disclosures of that information. They will also need to align their approach to the HBNR with the FTC’s affirmative express consent doctrine, as well as consent requirements under state laws like the Washington My Health My Data Act. And of course, the HBNR imposes time-sensitive notice requirements in the event of a conventional data breach.

The final Rule will go into effect 60 days after its publication in the Federal Register. Violations of the Rule can result in civil penalties of $51,744 per violation.

Please contact the Wyrick Privacy and Data Security Team if you need help determining whether your organization is subject to the HBNR or complying with the updated Rule.

[1] Similar to other breach notification requirements, service providers must notify vendors of personal health records and PHR-related entities under certain circumstances. Vendors of personal health records and PHR-related entities have an affirmative obligation under the Rule to inform service providers of their status as vendors of personal health records and PHR-related entities.