On April 26, 2024, the Federal Trade Commission (FTC) announced a Final Rule that amends the Health Breach Notification Rule (HBNR or Rule) to significantly broaden the FTC's enforcement power in the area of digital health. Under the Final Rule, many developers of everyday health and wellness apps (Developers) will now constitute "health care providers" subject to the HBNR. The consequences of failing to comply with the HBNR could be steep: a violation of the Rule could subject a company to civil penalties of $51,744 per violation. Below, we provide a summary of the Final Rule and highlight some of the key challenges it presents.
The Final Rule
At a high level, the Rule requires “vendors of personal health records” (PHRs) and “PHR related entit[ies]” to notify affected customers, the FTC, and sometimes the media, of breaches involving “unsecured PHR identifiable health information” (IHI) or face civil penalties of $51,744 per violation. Until September 15, 2021, it was widely understood that the Rule was limited to vendors of PHRs and related entities that allowed consumers to port their sensitive health information from different healthcare providers into a single health record that individuals could use to view, manage, and share their own health information. Through a policy statement in 2021, the FTC signaled a much more expansive interpretation of the Rule that it has codified through the Final Rule. The key changes are as follows:
Key Takeaways
Here are some key takeaways:
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning privacy compliance, please contact Maneesha Mithal, Tracy Shapiro, Hale Melnick, Laura Ahmed, or any member of the firm's privacy and cybersecurity practice.