May 28, 2023

Volume XIII, Number 148


Health Apps and Consumer Privacy Update: Federal Trade Commission Proposes Amendments to the Health Breach Notification Rule

On May 18, 2023, the Federal Trade Commission (FTC) filed a Notice of Proposed Rulemaking and Request for Public Comment (“NPRM”) seeking to amend the Health Breach Notification Rule (“HBNR”). We previously wrote about the FTC’s policy statement, in which the FTC took the position that mobile health applications that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) are covered by the HBNR. In our post, we highlighted concerns raised in dissent by Commissioner Noah Joshua Phillips that the FTC’s interpretation of “breach of security” was too broad. Commissioner Phillips has since resigned.

Over the past several months, the FTC followed through on its policy statement, bringing, and publicly settling, cases against prescription drug price tracking app GoodRx, online counseling service BetterHelp, and, most recently, ovulation tracking app Premom. While these cases arguably did not involve what most would consider a typical “data breach,” i.e., access to or acquisition of data by a hacker, the FTC alleged (among other things) violations of the HBNR where identifiable consumer health data (referred to as “PHR identifiable health information” under the HBNR) was shared with advertising technology (“AdTech”) solution providers through the use of web beacons, cookies, and click trackers on company websites or apps. This is consistent with the FTC’s policy position that a breach under the HBNR “is not limited to cybersecurity intrusions or nefarious behavior.” Because these cases settled, no court has yet opined on the propriety of the FTC’s interpretation that unauthorized disclosure of PHR identifiable health information to AdTech companies is a “breach of security” under the HBNR.

The FTC’s proposed amendments to the HBNR attempt to codify this broad interpretation. Notably, the amendments would, among other things, include “unauthorized disclosure” in the definition of “breach of security,” and bring “websites” and “mobile applications” into the scope of the law, consistent with the FTC’s recent enforcement actions.

The FTC also proposes that electronic banners (i.e., cookie banners) can be used to notify individuals of a “breach of security.” As currently written, the HBNR requires notice by postal mail by default. This proposed amendment highlights one of the unspoken assumptions of the FTC’s interpretation of “breach of security”—under the current rule, a website operator would comply with the HBNR by sending its users a notice, via physical mail, that it is using AdTech. If the amendments are approved, a website or mobile health application could comply with the HBNR by using a cookie banner instead.

It remains to be seen whether the FTC will continue its enforcement in this area or will wait until the amendments are approved before bringing similar actions. In its blog post accompanying the NPRM, the FTC summarized the proposed amendments to the HBNR as follows:

  • Revising several definitions to clarify the rule’s application to health apps and similar technologies not covered by HIPAA. This includes modifying the definition of “PHR identifiable health information” and adding two new definitions for “health care provider” and “health care services or supplies”;

  • Clarifying that a “breach of security” under the rule includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;

  • Revising the definition of “PHR related entity” in two ways that pertain to the rule’s scope. For example, it makes clear that only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities;

  • Clarifying what it means for a personal health record to draw PHR identifiable health information from multiple sources;

  • Authorizing the expanded use of email and other electronic means of providing clear and effective notice of a breach to consumers;

  • Expanding the required content that should be provided in the notice to consumers. For example, the notice would be required to include information about the potential harm stemming from the breach and the names of any third parties who might have acquired any unsecured personally identifiable health information; and

  • Adding changes to improve the rule’s readability and promote compliance.

Public comments can be submitted for 60 days after the NPRM is published in the Federal Register.

©2023 Epstein Becker & Green, P.C. All rights reserved. National Law Review, Volume XIII, Number 146

About this Author

Alaap B. Shah, Attorney, Health Care and Life Sciences
Member

Alaap B. Shah is a Member of the Firm in the Health Care and Life Sciences practice, in the firm's Washington, DC, office.

Mr. Shah:

  • Advises clients on federal and state privacy and data security laws and regulations
  • Advises on cybersecurity and data breach matters
  • Advises clients on health care fraud and abuse matters and government investigations relating to health information technology
  • Counsels clients on digital health and data strategies and related compliance issues

His work focuses on defense and counseling...

202-861-5320
Alexander Franchilli, Labor and Employment Litigation Attorney
Associate

Alexander Franchilli is an Associate in the Employment, Labor & Workforce Management and Litigation practices, in the New York office of Epstein Becker Green.

Mr. Franchilli’s experience includes:

  • Representing employers in labor and employment law litigation involving breach of employment agreements, promissory notes, wage and hour violations, wrongful termination, and WARN Act violations

  • Litigating cases concerning unfair competition and breaches of non-competition agreements

  • Providing representation to employers in federal...

212-351-4748