Final FTC Health Breach Notification Rule Indicates Agency Focus on Data Privacy

Digital health entities offering personal health records (PHR) and other health apps will need to closely examine their privacy practices and potentially update their consent policies to comply with the final health breach notification rule released by the Federal Trade Commission (FTC).

The rule, finalized April 26 by the commission, is the first update to the Health Breach Notification Rule (HBNR), which took effect in 2009.[1] According to the FTC, the updated rule clarifies its applicability to health apps and similar technologies, and expands the information that covered entities must provide to consumers when notifying them of a breach of their health data.

The FTC rule requires PHR vendors and related entities that are not covered by HIPAA to notify individuals, the FTC and, in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third-party service providers to notify PHR vendors after discovering a breach at the third party.

“HIPAA...HHS’ Health Insurance Portability and Accountability Act – addresses privacy and security for most doctors’ offices, hospitals, and insurance companies. But with advances in monitoring and technology, a lot of health-related information doesn’t fall within HIPAA. That’s where the FTC’s Health Breach Notification Rule comes in,” the FTC wrote in its Business Blog.[2]
