On May 18, 2023, the Federal Trade Commission (FTC) filed a Notice of Proposed Rulemaking and Request for Public Comment (“NPRM”) seeking to amend the Health Breach Notification Rule (“HBNR”). We previously wrote about the FTC’s policy statement, in which the FTC took the position that mobile health applications that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) are covered by the HBNR. In our post, we highlighted concerns raised in dissent by commissioner Noah Joshua Phillips that the FTC’s interpretation of “breach of security” was too broad. Commissioner Phillips has since resigned.

Over the past several months, the FTC followed through with its policy statement, bringing, and publicly settling, cases against prescription drug price tracking app GoodRx, online counseling service BetterHelp, and, most recently, ovulation tracking app Premom. While these cases arguably did not constitute what most would consider a typical “data breach” involving access or acquisition by a hacker, the FTC alleged (among other things) violations of the HBNR where identifiable consumer health data (referred to as “PHR identifiable health information” under the HBNR) was shared with advertising technology (“AdTech”) solution providers, through the use of web beacons, cookies, and click trackers on company websites or apps. This is consistent with the FTC’s policy position that a breach under the HBNR “is not limited to cybersecurity intrusions or nefarious behavior.” Because these cases settled, no court has yet opined on the propriety of FTC’s interpretation that unauthorized disclosure of PHR identifiable health information to AdTech companies is a “breach of security” under the HBNR.

The FTC’s proposed amendments to the HBNR attempt to codify this broad interpretation.  Notably, the amendments would, among other things, include “unauthorized disclosure” in the definition of “breach of security,” and bring “websites” and “mobile applications” into the scope of the law, consistent with the FTC’s recent enforcement actions. 

The FTC also proposes that electronic banners (i.e., cookie banners) can be used to notify individuals of a “breach of security.” As it is currently written, the HBNR requires notice by postal mail by default. This proposed amendment highlights one of the unspoken assumptions of the FTC’s interpretation of “breach of security”—a website operator might comply with the HBNR by sending, via physical mail, a notice to its users that it is using AdTech. If the amendments are approved, a website or mobile health application could comply with the HBNR by using a cookie banner instead.

It is yet to be seen if the FTC will continue its enforcement in this area, or if it will wait until the amendments are approved before bringing similar actions. In its blog post accompanying the NPRM, the FTC summarized the proposed amendments to the HBNR as follows:

• Revising several definitions to clarify the rule’s application to health apps and similar technologies not covered by HIPAA. This includes modifying the definition of “PHR identifiable health information” and adding two new definitions for “health care provider” and “health care services or supplies”; 

• Clarifying that a “breach of security” under the rule includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;

• Revising the definition of “PHR related entity” in two ways that pertain to the rule’s scope. For example, it makes clear that only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities;

• Clarifying what it means for a personal health record to draw PHR identifiable health information from multiple sources;

• Authorizing the expanded use of email and other electronic means of providing clear and effective notice of a breach to consumers;

• Expanding the required content that should be provided in the notice to consumers. For example, the notice would be required to include information about the potential harm stemming from the breach and the names of any third parties who might have acquired any unsecured personally identifiable health information; and

• Adding changes to improve the rule’s readability and promote compliance.

Public comments can be submitted for 60 days after the NPRM is published in the Federal Register.