FTC Proposes Amendments to Health Breach Notification Rule

On May 18, 2023, the Federal Trade Commission announced it is seeking comment to proposed changes to the Health Breach Notification Rule (the “Rule”). The Rule requires  vendors of personal health records (“PHR”), PHR-related entities and service providers to these entities, to notify consumers and the FTC (and, in some cases, the media) in the event of a breach of unsecured identifiable health information, including cybersecurity intrusions and other instances of unauthorized access. By clarifying the Rule’s scope and applicability, and by modernizing allowable methods of notice, the proposed amendments seek to update the Rule to account for technological change since the Rule’s issuance, which includes the proliferation of health apps and connected devices, and the emergence of a widespread market for health data.

Specifically, the FTC’s proposed amendments would: (1) clarify the Rule’s scope, revising several definitions to explain the Rule’s applicability to health apps and similar technologies not covered by HIPAA; (2) amend the definition of “breach of security” to clarify that it includes data security breaches and unauthorized disclosures; (3) revise the definition of “PHR-related entity” to clarify that only entities that access or send unsecured PHR-identifiable health information to a personal health record qualify as PHR-related entities; (4) clarify what it means for a vendor of personal health records to draw PHR-identifiable health information from multiple sources; (5) modernize the allowable methods of consumer notice by authorizing the expanded use of email and other electronic notices; (6) expand the required content of consumer notices; and (7) improve the Rule’s readability.

Public comments on the amendments will be due 60 days after the amendments’ publication in the Federal Register.