On May 18, 2023, the day after the Federal Trade Commission (FTC) announced only its second enforcement action under the Health Breach Notification Rule (HBNR) in 13 years, it released proposed changes to “strengthen and modernize” the rule. Those proposed changes will substantially expand the scope of the HBNR. Congress, however, never intended that the HBNR be so far reaching. Undeterred by the lack of authority from Congress, the FTC appears to be intent on revising the HBNR to create a broadly applicable consumer health data privacy rule.
Moreover, given the FTC’s two recent (and only) enforcement actions under the HBNR, the FTC is operating as if its proposed changes are already effective. In fact, the proposed changes related to scope and applicability read like additional guidance from the FTC on how it interprets its existing regulations – not proposed regulatory changes.
While the lack of a federal data privacy law certainly leaves a gap when it comes to consumer health data that is not protected under HIPAA, the FTC cannot grant itself the regulatory authority to act. That’s Congress’ job. And with respect to the HBNR, Congress gave the FTC only limited authority.
History
In February 2009, Congress passed the American Recovery and Reinvestment Act, which contained the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Along with HITECH Act provisions directing the regulation of electronic protected health information under HIPAA, Congress added provisions addressing electronic personal health records maintained for individuals by vendors that are not regulated under HIPAA.
To that end, Congress defined a personal health record as an “electronic record of identifiable health information [as defined under HIPAA] on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual” (PHR).[i] The intent was to protect health information that the patient uploaded or a health care provider uploaded at the patient’s instruction to an electronic database under the patient’s control.
Congress directed the FTC to create regulations requiring notification in the event of a breach of a PHR. Effective in September 2009, the HBNR requires vendors of PHR or related entities that suffer a breach of unsecured personal health information to notify affected consumers within 60 days of the discovery of the breach. For breaches involving fewer than 500 individuals, the FTC must be notified within 60 days of the end of the year. For breaches involving 500 or more individuals, the HBNR requires media notification as well as notice to the FTC within 10 business days. Other HBNR notification requirements are similar, but not identical, to HIPAA’s breach notification rules.
In 2020, the FTC issued a notice requesting public comment on whether any changes to the HBNR were warranted, which prompted my article encouraging the agency to scrap the rule altogether because its narrow scope offered limited utility.
Next, in September 2021 guidance, the FTC advised that direct-to-consumer health technologies that use or collect consumer health data, which is very broadly defined, must comply with the HBNR (September 2021 Guidance). By a 3-2 vote, the FTC commissioners sought to expand the scope of the HBNR through creative interpretation in the September 2021 Guidance. Two commissioners filed statements of dissent.[ii]
The Proposed Changes
The FTC’s proposed changes related to scope largely follow its September 2021 Guidance. Specifically, the proposed changes would expand the HBNR’s scope substantially through definition and other changes; make clear that a breach includes unauthorized sharing as well as cyber incidents; offer more notification delivery options and expand the content of the notice; and reorganize and restate the rule for improved readability. This article focuses on the proposed changes that will impact the scope of the HBNR.
Expanded Scope Through Proposed Changes to Definitions
Definitions of Health Care Provider and Health Care Services or Supplies
First, the FTC proposed to define “health care provider” as a provider of services (as defined under federal law), a provider of medical or other health services (as defined under federal law), or any other entity furnishing health care services or supplies (not defined under federal law), which seems to be in line with the applicable federal statute. The wheels come off, however, when the FTC proposed to define “health care services or supplies” as follows:
any online service, such as a website, mobile application, or Internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.
In other words, on-line retailers of health care supplies such as first-aid cream would qualify as health care providers under this definition. It also explicitly includes mobile apps and connected devices. Finally, this definition is much broader than the definition of health care under HIPAA, which is notable.
Definition of Personal Health Record
The FTC proposes to revise the definition of “personal health record” slightly and then offers an interpretation of that definition that seems to be far broader than the federal statute authorizing the HBNR. A “personal health record” would be defined as “an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” (Emphasis added to proposed revision).
The agency claims that the proposed change “clarifies the application of the statutory definition.” First, according to the FTC, “it clarifies that a product is a personal health record if it can draw information from multiple sources, even if the consumer elects to limit information from a single source only, in a particular instance.” Second, the FTC notes that “adding the phrase ‘technical capacity to draw information’ would clarify that a product is a personal health record if it can draw any information from multiple sources, even if it only draws health information from one source.”
By way of example, the FTC explains that a diet and fitness app that collects user information (height, weight, age. etc.) and can connect to the user’s fitness tracker or even to the user’s calendar to suggest personalized health eating options would qualify as a personal health record.
Again, this interpretation is a far cry from the original intent of regulating health record vendors engaged by patients to maintain health records from various health care providers.
Expansion of a Breach under the HBNR
The FTC proposes to make clear, as it stated in its September 2021 guidance, that “[i]ncidents of unauthorized access, including sharing of covered information without an individual’s authorization, triggers notification obligations under the Rule,” and that a breach “is not limited to cybersecurity intrusions or nefarious behavior.” It points to the recent GoodRx and Premom enforcement actions as examples.
In each action, the company collected health information from consumers and then used tracking technologies that released information about the consumers for advertising purposes, which the FTC alleges was contrary to promises made to consumers. The FTC alleged that the disclosure of such information, including health and contact information as well as unique advertising and persistent identifiers, triggered the HBNR and both companies had an obligation to notify affected consumers about the unauthorized disclosures.
These actions evidence the FTC’s intent to use the HBNR like a federal data privacy law. Although there is no federal statutory authority granted to the FTC to create privacy rules for consumer health data, the FTC intends to use the HBNR to do so.
Interestingly, enforcement of the HBNR was non-existent for the first 13 years after its effective date. Then, on the heels of the HHS’s effort to crackdown on the use of tracking technologies by HIPAA regulated entities, the FTC jumped into the enforcement game relying on its September 2021 Guidance for its authority.
Practical Implications
As is evident from the two recent enforcement actions, the FTC already is operating as if the scope changes it proposes were applicable. As a result, the practical implications listed below should be considered now, even before the FTC issues a final rule.
- Any website, mobile app or connected device that offers health care services or supplies as defined above and that collects information from a consumer likely will be considered subject to the HBNR.
- Exercise extreme caution in using any advertising technology on websites, apps or devices.
- Provide a clear and accurate description of how the website, app or device will collect and use information.
- Vet third party providers and ensure that they use data only as permitted.
- Consider de-identifying information when possible.
- Encrypt identifiable data when sending it to third parties.
Commenting on the Proposed Changes
Interested organizations should submit comments to the FTC on these proposed changes and the impact of the overreach. It is especially important here where the FTC has begun acting as if the proposed changes are already in effect. The comment period ends 60 days after the proposed changes are officially released in the Federal Register, which has not yet occurred. [Update – the proposed rule was published in the Federal Register on June 9, 2023. The comment period ends August 8, 2023]. The agency is obligated to consider all comments submitted. Participating in the comment process is a critically important part of the rulemaking process and could help the agency craft more appropriate rules.
[i] 42 U.S.C.S. § 17921(11).
[ii] https://www.ftc.gov/system/files/documents/public_statements/1596328/hbnr_dissent_final_formatted.pdf; https://www.ftc.gov/system/files/documents/public_statements/1596356/wilson_health_apps_policy_statement_dissent_combined_final.pdf