On April 26, 2024, the Federal Trade Commission (FTC) announced a Final Rule that amends the Health Breach Notification Rule (HBNR or Rule) to significantly broaden the FTC’s enforcement power in the area of digital health. Under the Final Rule, many developers of everyday health and wellness apps (Developers) will now constitute “health care providers” subject to the HBNR. The consequences of failing to comply with the HBNR could be steep—failure to comply with the Rule could subject a company to civil penalties of $51,744 per violation. Below, we provide a summary of the Final Rule and highlight some of the key challenges it presents.

The Final Rule

At a high level, the Rule requires “vendors of personal health records” (PHRs) and “PHR related entit[ies]” to notify affected customers, the FTC, and sometimes the media, of breaches involving “unsecured PHR identifiable health information” (IHI) or face civil penalties of $51,744 per violation. Until September 15, 2021, it was widely understood that the Rule was limited to vendors of PHRs and related entities that allowed consumers to port their sensitive health information from different healthcare providers into a single health record that individuals could use to view, manage, and share their own health information. Through a policy statement in 2021, the FTC signaled a much more expansive interpretation of the Rule that it has codified through the Final Rule. The key changes are as follows:

• Expansion of Entities Covered by the Rule: The Rule now essentially applies to virtually all health and wellness apps because of two changes.
  • Under the old Rule, online services that could draw health information about an individual from multiple sources qualified as “vendors of PHRs” as long as the online service was managed, shared, and controlled by or primarily for the individual and the online service was not covered by HIPAA.¹ According to the FTC, the Final Rule “clarifies that a product is a personal health record if it can draw any information from multiple sources, even if it only draws health information from one source.”² The impact of this change is that Developers of many health and fitness apps will qualify as vendors of PHRs because they collect information directly from app users and they are also able to collect information from third parties through APIs. If just one of these sources provides the Developer with health information, then the Developer likely qualifies as a vendor of PHR under the Rule. For example, a diet app that allows users to input their weight (i.e., health information) and has the technical ability to draw information from the user’s calendar application, would qualify as a vendor of PHR under the amended Rule.³
  • The Final Rule expands the definition of “health care provider” (now referred to as “covered health care provider”) to include any entity furnishing “any online services such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.”⁴
• Expansion of What Is a Breach of Security: The Rule requires entities covered by the Rule to notify affected customers, the FTC, and sometimes the media in the event of a “breach of security.” The amended Rule significantly expands what qualifies as a “breach of security” that triggers PHR vendors’ notification obligations. Under the old Rule, a “breach of security” was the unauthorized acquisition of an individual’s unsecured PHR IHI.⁵ The Final Rule revises this definition to include the unauthorized acquisition of PHR IHI that is the result of an “unauthorized disclosure.”⁶ The purpose of this change is to trigger the Rule’s notice obligations when a PHR vendor shares health information with a third party without the user’s authorization.⁷ As the FTC explained in its 2021 policy statement advancing the same change, in its view, breaches are “not limited to cybersecurity intrusions or nefarious behavior.”⁸

Key Takeaways

Here are some key takeaways:

• The Final Rule is so broad and vague that many Developers will have difficulty determining whether it applies to them. The FTC’s new definition of what it means to furnish healthcare services and supplies is so broad and vague that many Developers may not know whether the Rule could apply to them. For example, the FTC stated that retailers are typically not vendors of PHR, but it also says that they may become vendors of PHRs where they offer an app with “features or functionalities that are sold, marketed, or promoted as more than tangentially relating to health.”⁹ While the FTC clarified that, to be vendors of PHR, Developers must provide an offering that “relates more than tangentially to health,” it did not clarify what it means for something to be “more than tangentially related.”
• The Final Rule does not provide a definition or clear guidance on how Developers must obtain authorization. Developers will violate the Rule if they disclose covered information “without the authorization of the individual” but the Rule does not define or provide clear guidance on the steps Developers must take in order to obtain the user’s authorization such that their disclosure will not violate the Rule.
• The Final Rule is not clear on when a PHR vendor “discovers” a breach. Developers covered by the Rule are required to provide consumers and the FTC notice within 60 days of discovering a breach.¹⁰ The breach is considered “discovered” when the breach is “known or reasonably should have been known to any person, other than the person committing the breach, who is an employee, officer, or other agent of [the Developer or its third party service providers].”¹¹ Based on this somewhat clunky language, arguably the breach is not “discovered” when one employee or group of employees discloses a user’s information without their authorization; rather it is discovered when some other employees or related entities who did not cause the unauthorized disclosure discovers it. However, due to the vagaries in the language, it isn’t clear if that is the FTC’s intent, and it seems unlikely that it is. If the FTC takes the position that, instead, the breach is “discovered” at the point the data is disclosed, Developers could face claims from the FTC that they have violated the Rule even though they were unaware that the data sharing was (from the FTC’s perspective) unauthorized.
• There is likely to be internal disagreement within the FTC over how to apply the Rule. The vote to approve the final rule was 3-2, along party lines. And in the last year or so, the FTC has brought at least five cases alleging unfair or deceptive practices by online health services, with only two of those cases alleging violations of the Health Breach Notification Rule. Given the uncertainty surrounding the election, the strong dissenting opinion, the unclear language of the Rule, and the arguably uneven application of the Rule thus far, companies may want to take a risk-based approach in determining whether they are covered, what their compliance controls should look like, and under what circumstances they should notify the FTC.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning privacy compliance, please contact Maneesha Mithal, Tracy Shapiro, Hale Melnick, Laura Ahmed, or any member of the firm's privacy and cybersecurity practice.

---

^[1] Fed. Trade Comm’n, Complying with the FTC’s Health Breach Notification Rule (Apr. 2010), https://www.ftc.gov/tips-advice/business-center/guidance/complying-ftcs-health-breach-notification-rule.

^[2] Health Breach Notification Rule at 32 (April 26, 2024) (to be codified at 16 C.F.R. § 318) (hereinafter “Final Rule”), https://www.ftc.gov/system/files/ftc_gov/pdf/hbnr_final_rule_04_25.pdf (emphasis in original).

^[3] Id.

^[4] Specifically, the Final Rule expanded the definition of “covered health care provider” by defining “health care services or supplies” within the Rule to mean “any online service such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.” Final Rule at 98.

^[5] 16 C.F.R. § 318.2(a) (2009).

^[6] Final Rule at p. 10, 96.

^[7] Fed. Trade Comm’n, Statement of the Commission on Breaches by Health Apps and Other Connected Devices (Sept. 15, 2021), https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf (hereinafter “2021 Policy Statement”).

^[8] Id. at 2.

^[9] Final Rule at p. 28.

^[10] Final Rule at p. 103.

^{[11 ]}Id. at p. 102.