05/02/2024 | News release | Distributed by Public on 05/02/2024 18:33
On Friday, April 26, 2024, the Federal Trade Commission ("FTC") voted 3-2 to issue a final rule (the "final rule") that expands the scope of the Health Breach Notification Rule ("HBNR") to apply to health apps and similar technologies and broadens what constitutes a breach of security, among other updates. We previously covered the proposed rule, which was issued on May 18, 2023.
In the FTC's announcement of the final rule, the FTC emphasized that "protecting consumers' sensitive health data is a high priority for the FTC" and that the "updated HBNR will ensure [the HBNR] keeps pace with changes in the health marketplace." Key provisions of the final rule include:
In the final rule, the FTC notes that the concern (expressed by some commenters) that the scope of these definitions could impermissibly cause the HBNR to cover retailers of general purpose items like shampoo or vitamins is unwarranted. Rather, the FTC explains, the threshold inquiry is whether an entity is a vendor of PHR, which is "an entity that offers or maintains a [PHR]." The final rule notes that to be a vendor of PHR covered by the HBNR, an app, website, or online service "must provide an offering that relates more than tangentially to health" and that a PHR must be "an electronic record of PHR identifiable health information on an individual, must have the technical capacity to draw information from multiple sources, and must be managed, shared, and controlled by or primarily for the individual."
The final rule notes that the FTC has not added a definition of "authorization," but provides several examples of what may constitute "unauthorized" disclosures of PHR identifiable health information, including (i) affirmative privacy misrepresentations to users such that disclosures of PHR identifiable health information are inconsistent with consumer expectations and (ii) "deceptive omissions," where a company does not disclose, or obtain affirmative express consent from users for, the sharing of their PHR identifiable health information for targeted advertising.
The final rule also requires that vendors of PHR and PHR related entities notify their third party service providers that the vendor of PHR/PHR related entity is subject to the HBNR. According to the final rule, the purpose of this notice is to ensure that the third party service providers are aware of the content of the data transmissions received by the third party service providers and that the third party service providers provide timely notice to the vendor of PHR/PHR related entity of any breach under the HBNR.
The final rule states that vendors of PHR and PHR related entities may facilitate compliance with this notice requirement by stipulating via contract whether the transmissions to third party service providers will contain PHR identifiable health information. The final rule suggests that both the vendor of PHR/PHR related entity and the third party service provider should monitor for compliance with such contractual provisions, taking into consideration the size and sophistication of the entity and the sensitivity of the data. Further, the final rule suggests that certain entities that may act as third party service providers, such as "a large advertising platform," may have heightened obligations to monitor the data they receive (even where partners promise not to send PHR identifiable health information to them), particularly if the entity has in the past routinely received unsecured PHR identifiable health information notwithstanding commitments to the contrary by vendors of PHR or PHR related entities. The final rule distinguishes these heightened monitoring obligations from those of "small firms that do not engage in high-risk activities where the contract precludes sending such data and there is no history of such transmissions."
As noted above, this final rule was not issued unanimously: the FTC Commissioners voted 3-2 to finalize the changes, with recently confirmed Commissioners Holyoak and Ferguson opposing the final rule. Among other reasons outlined in their dissenting statement, Commissioners Holyoak and Ferguson argued that the final rule "exceeds the Commission's statutory authority, puts companies at risk of perpetual non-compliance, and opens the Commission to legal challenge that could undermine its institutional integrity." While the finalization of these changes to the HBNR is notable, many of these changes codify positions the FTC has already taken in recent years in prior guidance and enforcement actions. In 2021, the FTC adopted by a 3-2 vote a policy statement, "Statement of the Commission on Breaches by Health Apps and Other Connected Devices," which took a similarly broad approach to when health apps and connected devices are covered by the HBNR and when there is a "breach" for purposes of the HBNR. Then-Commissioners Phillips and Wilson opposed the policy statement based on concerns about the expansion of the HBNR beyond the FTC's statutory authority, among other concerns. Since the 2021 policy statement, the FTC has brought its first two enforcement actions under the HBNR, against GoodRx (issued 4-0) and Easy Healthcare (issued 3-0), leveraging its broad interpretation of the meaning of "breach."