Brief Overview of the Rule and Policy Statement
The Rule, originally issued in 2009, requires that covered businesses notify consumers, the FTC, and in some cases the media of a breach involving health information that identifies someone or could reasonably be used to identify someone. To date, the FTC has made public only five reported breaches involving 500 or more individuals; by contrast, the same number of 500-or-more-individual breaches were reported under HIPAA’s Breach Notification Rule in the last week of January 2022 alone.
The September 2021 Policy Statement marked a shift in the FTC’s enforcement priorities, highlighting the agency’s intent to address the proliferation of applications and connected devices, including health applications, wearables, and other similar products, that collect and disclose consumers’ health information. The Policy Statement suggested a more committed effort to hold companies accountable for the ways in which they handle consumers’ health information, particularly through technology that has dramatically evolved since the original Rule was issued. See our prior post for a more detailed summary of the Rule and Policy Statement.
Clarified Framework for the Rule
The new resources now provide clarifications and guidance regarding the Rule’s requirements and applicability. Whereas the Health Breach Notification Rule: The Basics for Business provides a brief overview of the Rule, Complying with FTC’s Health Breach Notification Rule offers detailed insights, including FAQs regarding compliance. These resources are featured on a Health Privacy webpage, along with other guidance, resources, and articles.
The new resources provide examples of the types of entities subject to the Rule, including vendors of personal health records (PHRs), PHR related entities, and third party service providers:
- Vendor of PHRs. A health application that collects information from consumers (e.g., height, weight, age, and other metrics) and can sync with a fitness tracker may be a vendor of PHRs, because the application draws identifiable health information from multiple sources that can be managed, shared, or controlled by or for the consumer. This conclusion may hold even if some users do not use the syncing feature.
- PHR related entity. A company providing a tool such as a fitness tracker may be a PHR related entity if it sends information to health applications, insofar as those health applications are vendors of PHRs.
- Third party service provider. A company hired by a vendor of PHRs or a PHR related entity to perform billing, debt collection, or data storage services related to health information may be a third party service provider, because those services involve the use, maintenance, disclosure, or disposal of health information on behalf of a vendor of PHRs or PHR related entity.
While businesses acting solely as a HIPAA-regulated entity (covered entity or business associate) are not subject to the Rule, the FTC clarified that a business associate might be subject to both HIPAA and the Rule in the event that the company provides PHR services to the public, separate from the services it provides to HIPAA covered entities. For example, a business associate that maintains electronic health records for a HIPAA-covered insurance company and also develops an application that consumers can download from the app store to upload and manage their health information, may be subject to both HIPAA and the Rule.
The FTC also shared its views on whether breaches of certain types of information trigger notification under the Rule. For instance, a user’s medical information and mobile identifiers shared with an ad network without consent for the purpose of targeted marketing is PHR identifiable health information, since it could be used to identify that user. By contrast, information in a hacked database revealing that ten anonymous individuals in New York City were prescribed a common drug likely would not be considered PHR identifiable health information, as it could not reasonably be used to identify specific people.
The FTC described types of incidents that potentially constitute a reportable breach:
- A thief stealing an employee’s laptop that contains unsecured PHRs, and an employee downloading PHRs without approval, are “probably unauthorized acquisitions” that trigger the Rule’s notification requirements.
- If a company accidentally sent users’ health information to a social media platform, and someone separately accessed the company’s database without consent, the FTC would view these as two separate incidents, each of which potentially triggers notification.
The FTC emphasized that a breach is not limited to cybersecurity intrusions or nefarious behavior; it includes any disclosure of unsecured PHR identifiable health information without a person’s authorization, even if accidental. The FTC advised that if it is not clear whether the data has been downloaded or copied (or otherwise acquired), a breach is presumed and the company bears the burden of rebutting that presumption. This roughly parallels the HIPAA breach notification regulation, which sets out specific factors to consider when attempting to overcome a presumption of breach. Under the Rule, if an employee inadvertently accessed a database without authorization, the company may be able to overcome the presumption if it has implemented a policy requiring employees who inadvertently access a PHR to not read or share the information, to log out immediately, and to promptly report the access to a supervisor, and the company verifies that the policy was followed. Similarly, if a company loses a laptop containing unsecured PHRs, it may rebut the presumption if the laptop is recovered and forensic analysis shows that the files were not opened, altered, transferred, or otherwise compromised.
Where an entity subject to the Rule has determined that notice is required, the new Health Privacy webpage has a tab that links directly to a breach reporting form that can be used to notify the FTC. In addition to notifying the FTC, vendors of PHRs and PHR related entities must notify each affected consumer and, if 500 or more people are affected, the media. Third party service providers must instead notify the vendor of PHRs or PHR related entity involved.
Action Items for Compliance
Failure to comply can have meaningful consequences, given the Rule’s civil penalties of up to $46,517 per violation, per day. To manage this risk, companies offering, or advertising on, connected health and wellness devices or mobile health applications are advised to:
- Assess whether they are subject to the Rule and update incident/breach response plans, policies, and procedures as appropriate;
- Review notices and consents to ensure that data practices align with statements made to consumers and do not run afoul of the FTC’s unfair and deceptive practices standards; and
- Take active steps (e.g., tabletop exercises) to help ensure preparedness and compliance with the Rule.
Authored by Marcy Wilder, Melissa Bianchi, Paul Otto and Donald DePass.
Amanda Pervine, a Law Clerk in our Washington, D.C. office, contributed to this post.