In a significant move to keep pace with the rapidly advancing digital health industry, the Federal Trade Commission (FTC) has proposed amendments to the Health Breach Notification Rule (HBNR). As health apps and fitness trackers weave themselves into everyday life, the proposed changes are intended to bring the rule in line with how consumer health data is now collected and shared.
Currently, the HBNR requires vendors of personal health records (PHRs) and PHR-related entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify affected individuals, the FTC, and in some cases the media when unsecured individually identifiable health information is breached. The rule also requires third-party service providers to those vendors and entities to notify them when a breach is discovered. Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, underlined the growing concern about health data breaches as health apps and connected devices proliferate, and stressed that mobile health app developers and other entities covered by the HBNR must give consumers and the FTC timely information about such breaches.
The FTC has also brought enforcement actions over misuse of personal health data. Notably, the fertility app Premom and the digital healthcare platform GoodRx Holdings Inc. faced FTC action for alleged HBNR violations. GoodRx, in particular, was ordered to pay a $1.5 million civil penalty following a complaint filed by the Department of Justice (DOJ) on behalf of the FTC. The company allegedly violated both the FTC Act and the HBNR by disclosing users’ personal health data to third parties without their consent, in stark contrast to its public assurances of privacy protection. The data shared included personally identifying information, medications, and health conditions.
The court’s order required GoodRx not only to pay the civil penalty but also to take measures to prevent unauthorized disclosure in the future. The company is barred from disclosing user health information for advertising purposes, must obtain affirmative express consent before sharing health data with third parties for other purposes, and must notify users in the event of a future breach. The order also imposes ongoing recordkeeping, monitoring, and compliance obligations.
The case illustrates why regulatory oversight matters in a fast-moving digital health sector, and it reflects the FTC’s resolve to keep the HBNR current. That commitment dates back to the FTC’s 2020 review of the rule and the public comment period that followed, and to a September 2021 policy statement in which the FTC affirmed that health apps and connected devices that handle consumers’ health information are subject to the HBNR.
The proposed amendments aim to clarify several aspects of the rule. They would revise the definition of “PHR identifiable health information” and add definitions for “health care provider” and “health care services or supplies,” making explicit that developers of health apps and similar technologies fall within the rule. They would state clearly that a “breach of security” includes unauthorized acquisition of identifiable health information that results from a data security breach or from an unauthorized disclosure; in other words, a company that shares data without authorization is not outside the rule merely because no outside attacker was involved. They would refine the definition of a “PHR-related entity” to delineate the rule’s scope more effectively, and clarify what it means for a personal health record to draw PHR identifiable health information from multiple sources, so that the rule addresses current data sharing practices. Finally, they would expand the use of electronic notice, such as email, for notifying consumers of a breach, and would require the notice to include additional information, including the potential harm to consumers and the names of any third parties that might have acquired the unsecured personally identifiable health data.
The Commission voted unanimously to publish the proposed changes in the Federal Register, opening a 60-day window for public comment on the amendments. Comments will be posted on Regulations.gov once they have been received and processed. The notice itself explains how to submit them.
As the digital health sector evolves, the FTC is amending the Health Breach Notification Rule to keep the safeguarding of personal health data at the center of the rule. It has called on all stakeholders, including the public, to stay engaged on data security matters and to take part in the comment process, and it points to its website and social media channels for the latest information and alerts. The rulemaking underscores the FTC’s commitment to digital health regulation that keeps pace with the technology, with public participation playing a central role.