
USA: FTC announces changes to Health Breach Notification Rule

On April 26, 2024, the Federal Trade Commission (FTC) announced that it had finalized changes to the Health Breach Notification Rule (HBNR).

What does the HBNR require?

The FTC highlighted that the HBNR requires vendors of personal health records (PHR) and PHR related entities that are not covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. Third-party service providers are also required to notify vendors of PHR and PHR related entities following the discovery of a breach.

What are the changes to the HBNR?

The FTC provided that changes to the HBNR include:

  • revising the definition of 'PHR identifiable health information' and adding definitions of 'covered health care provider' and 'health care services or supplies,' to clarify that the rule applies to health apps and similar technologies not covered by HIPAA;
  • clarifying that a 'breach of security' includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;
  • revising the definition of a 'PHR related entity' in two ways: making clear that it covers entities that offer products and services through the online services, including mobile apps, of vendors of PHR; and limiting it to entities that access or send unsecured PHR identifiable health information to a PHR, rather than entities that access or send any information to a PHR;
  • authorizing the use of email and other electronic means to provide clear and effective notice to consumers of a breach;
  • expanding the content that must be included in a notice to a consumer, including the name or identity of any third parties that acquired unsecured PHR identifiable health information as a result of the breach; and
  • requiring that the FTC be notified of a breach involving 500 or more individuals no later than 60 calendar days after its discovery.

In addition, the FTC clarified what it means for a PHR to draw information from multiple sources and to be managed, shared, and controlled by or primarily for the individual. Under the amended HBNR, a PHR is a record of PHR identifiable health information on an individual that has 'the technical capacity' to draw information from multiple sources.

Regarding the changes to the definition of a 'PHR related entity,' the FTC affirmed that the definition covers:

  • entities offering products and services not only through the websites of vendors of PHR but also through any online service, including mobile apps; and
  • entities that access or send unsecured PHR identifiable health information to a personal health record.

Notably, the FTC also pointed to its prior enforcement actions against GoodRx and Easy Healthcare (the maker of the Premom app) for violations of the HBNR.

When does the final HBNR go into effect?

The FTC noted that the final HBNR will enter into effect 60 days after its publication in the Federal Register.

You can read the press release here and the HBNR here.
