Federal Health & Welfare Updates

Federal Trade Commission Releases Final Rule on Health Breach Notification

On May 30, 2024, the Federal Trade Commission (FTC) published its amended final rule covering health breach notifications (HBNs) in the Federal Register. The HBN rule requires vendors of personal health records (PHRs) and related entities that are not covered by HIPAA to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. 

The amendment brings developers of health applications (apps) and other direct-to-consumer health technologies, such as fitness trackers and wearable blood pressure monitors, into the rule’s scope. Under the HBN rule, a PHR is an electronic record of identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual. Apps or websites that use PHR to provide medical information are now subject to the rule, as are providers offering products and services through these apps or websites. 

These entities may not be subject to HIPAA, but the agency believes they should be subject to procedures like those under HIPAA for breaches of PHR. A breach is defined as any unauthorized acquisition of unsecured PHR identifiable health information of an individual in a personal health record. Accordingly, the rule now requires these entities to notify affected victims of a PHR breach within 60 days of the entities’ discovery of a breach. If 500 or more records are exposed in a breach, the targeted provider must also notify the FTC. The notices must include a brief description of what happened, including 1) the date of the breach and the date of the discovery of the breach, if known, and 2) the full name or identity of any third parties that acquired unsecured PHR identifiable health information because of a breach of security if this information is known. The notice must also include steps that individuals should take to protect themselves from potential harm resulting from the breach, as well as contact information that affected individuals can use to ask questions or learn additional information. 

Employers with group health plans that use these apps or services should be aware of the added protections against disclosure of participants’ health information that this rule now provides. 

Health Breach Notification Rule »

PPI Benefit Solutions does not provide legal or tax advice. Compliance, regulatory and related content is for general informational purposes and is not guaranteed to be accurate or complete. You should consult an attorney or tax professional regarding the application or potential implications of laws, regulations or policies to your specific circumstances.
