FTC Wants to Update Its Health Breach Rule to Cover Health Apps

The Federal Trade Commission (FTC) is proposing changes to its 14-year-old Health Breach Notification Rule (HBNR), clarifying that it applies to health apps and other similar technologies. The proposed amendments came as the FTC announced its third and fourth enforcement actions in four months.

“We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in announcing the changes. “The proposed amendments to the rule will allow it to keep up with marketplace trends, and respond to developments and changes in technology.”[1]

The FTC’s Health Breach Notification Rule, finalized in 2009, requires vendors of personal health records (PHRs) and related entities not covered by HIPAA to notify individuals, the FTC, and in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third-party service providers working with those PHR vendors and related entities to notify them following the discovery of a breach.

Comments are due Aug. 8 on the FTC’s notice of proposed rulemaking, which was published in the Federal Register on June 9.[2]
