FTC Seeks to Clarify Health Breach Notification Rule's Broad Applicability to Unauthorized App Disclosures

The FTC released a Notice of Proposed Rulemaking (NPRM) to introduce changes to the Health Breach Notification Rule (HBNR). While the HBNR began as a breach notification rule seemingly focused on a narrow set of applications that store medical records on behalf of consumers, the NPRM continues the FTC's path toward turning the rule into a means of imposing privacy and breach notification restrictions on virtually all health and wellness apps. Consistent with the FTC's September 2021 policy statement and recent enforcement actions, the proposed changes would revise the HBNR to apply to most health and wellness apps and to require breach notification in almost any instance in which a consumer's identifiable health data is disclosed without their authorization (such as unauthorized disclosures to advertising platforms).

The HBNR requires vendors of personal health records (PHRs) and PHR-related entities to notify individuals, the FTC and, in some cases, the media of a breach of unsecured PHR identifiable health information.[1] It also requires third-party service providers to vendors of PHRs and PHR-related entities to provide notification to such vendors and PHR-related entities following the discovery of a breach. The rule applies to foreign and domestic non-HIPAA covered vendors of "personal health records that contain individually identifiable health information created or received by health care providers." The HBNR specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media.

Intensified Health App Privacy Enforcement

The NPRM follows a series of recent enforcement actions that the FTC has brought against health technology companies such as GoodRx and BetterHelp for the unauthorized sharing of user health data through tracking pixels for marketing and advertising. These pixels enabled both platforms to collect, analyze, and infer information about user activity, facilitating targeted advertising.

The FTC also recently announced an action against Easy Healthcare, which develops the Premom app used for period and fertility tracking. The complaint alleges that the app broke its privacy promises by disclosing users' sensitive health data to Google and AppsFlyer and by sharing other personal information with two firms in China. As it did with respect to GoodRx, the FTC alleged that Premom violated the HBNR by failing to notify users about the company's unauthorized disclosure of users' personally identifiable health information to third parties and that it engaged in deceptive practices by using software development kits (SDKs) that allowed the unauthorized disclosure of user health data to third parties in violation of Premom's privacy policy. The FTC's proposed order will bar Premom from sharing health data for advertising purposes.

Summary of Proposed Changes

The proposed rulemaking follows a 2021 policy statement clarifying that makers of health and wellness apps holding consumers' health information generated by consumers and connected devices must comply with the rule, as well as the publication of a Health Privacy resource page to help companies with their compliance efforts. The proposed amendments to the HBNR would:

• Clarify the rule's scope, including its coverage of developers of many health and wellness apps by revising definitions such as "PHR identifiable health information" to make clear that the rule applies to health apps and similar technologies not covered by HIPAA, and adding two new definitions for "health care provider" and "health care services or supplies." The expanded definition of "health care services or supplies" would apply to "any online service, such as a website, mobile application, or Internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools."
• Amend the definition of "breach of security" to clarify that a breach of security includes an unauthorized acquisition of PHR-identifiable health information in a personal health record that occurs as a result of a data security breach and/or unauthorized disclosure. The FTC's intent is to make clear that the HBNR is not limited to external cybersecurity breaches but also encompasses any disclosure of a consumer's PHR-identifiable health information without the consumer's authorization. In this respect, the FTC is essentially turning the HBNR into a privacy rule in addition to a breach notification rule, since the FTC is using it to limit the disclosure of PHR-identifiable health information.
• Revise the definition of PHR-related entity to make clear that the rule covers entities that offer products and services through the online services, including mobile applications, of vendors of personal health records. The revised definition clarifies that entities that access or send unsecured PHR-identifiable health information to a personal health record are PHR-related entities rather than entities that access or send any information to a personal health record.
• Explain what it means for a vendor of personal health records to draw PHR identifiable health information from multiple sources by adding language to clarify that whether an app qualifies as a personal health record would not depend on the prevalence of consumers' use of a particular app feature but, instead, would hinge on whether the app has the technical means (e.g., the application programming interface or API) to draw information from multiple sources or not. The changes solidify the FTC's expanded interpretation beyond the traditional notion of a PHR by clarifying that it considers a product to be a personal health record if it can draw any information from multiple sources, even if it only draws health information from one source. For example, a fitness tracking app that is capable of accepting a user's input (such as the user putting in a name) and input from a connected device would be treated as a PHR. This interpretation seems far removed from the original perception of a PHR as an app that stores medical information from multiple health care providers or health plans on behalf of a consumer.
• Modernize the method of notice by authorizing the expanded use of email and other electronic means to provide consumers with clear and effective notice of a breach. Companies should take note that "electronic mail" would not be synonymous with email, as breach notification through "electronic mail" would require notice through both email and text message, within-application messaging, or electronic banner.
• Expand the content of the notice to consumers by requiring that consumers whose unsecured PHR identifiable information has been breached receive additional important information, including information regarding the potential for harm from the breach and protections that the notifying entity is making available to affected consumers. The text of the NPRM references a model or exemplar notice, subject to comment, which entities subject to the rule could use to notify consumers in terms that are easy to understand.
• Improve the rule's readability by clarifying cross-references and adding statutory citations, consolidating notice and timing requirements, and plainly articulating the penalties for non-compliance.

What's Next

The proposed rule and recent enforcement trends by the FTC signal an increased priority on protecting the privacy of consumers' sensitive health information. As health and wellness apps that are not subject to HIPAA continue to proliferate, app developers and third-party vendors that support such apps should continue to evaluate whether they fall under the expanding scope of the HBNR to determine their risks when dealing with a data breach or other unauthorized disclosure.

Comments on the proposed rule are due 60 days after the notice is published in the Federal Register.