HBNR Changes for Health Apps and Tech Not Covered by HIPAA

Final changes in the Federal Trade Commission’s (FTC) Health Breach Notification Rule (HBNR) will take effect on July 29. The changes are intended to strengthen and modernize the rule by clarifying its applicability to health apps and other similar technologies not covered by the Health Insurance Portability and Accountability Act (HIPAA).

The FTC first enacted the HBNR in 2009, when health apps were not as prevalent in health care as they are today. In 2021, the FTC issued a policy statement confirming that health apps and connected device companies are subject to the HBNR.

HBNR Enforcement History

Two years after the policy statement and 14 years after the HBNR was first enacted, the FTC found cause to enforce it. In February 2023, the Commission alleged that GoodRx, as a vendor of personal health records, disclosed more than 500 consumers’ unsecured PHR identifiable health information to third-party advertising platforms like Facebook and Google without the authorization of those consumers.

Months later, the Commission brought its second enforcement action under the rule against Easy Healthcare, a company that publishes an ovulation and period tracking mobile application called Premom. Like the conduct alleged against GoodRx, Easy Healthcare disclosed PHR identifiable health information to third-party companies such as Google and AppsFlyer.

HBNR Changes Needed as Health Apps and Technologies Increase

In May 2023, the FTC proposed changes to the HBNR to clarify the rule’s coverage of health apps and other emerging tech after receiving approximately 120 stakeholder comments.

A year later, the FTC announced the finalized HBNR changes on April 29, 2024, which were then published in the Federal Register on May 30, with an effective date set 60 days later, July 29, 2024.

HBNR Changes Revise Definitions and More

 The HBNR will require vendors of Personal Health Records (PHR) and related entities that are not covered by HIPAA to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. It will also require third-party service providers to vendors of PHRs and related entities to notify such vendors and related entities following the discovery of a breach.

Here’s a look at some of the HBNR changes:

• Revises the definition of “PHR identifiable health information” and adds two new definitions for “covered health care provider” and “health care services or supplies”
• Clarifies breach of security to include an unauthorized acquisition of identifiable health information that occurs because of a data security breach or an unauthorized disclosure
• Revises the definition of a PHR-related entity to clarify that it covers entities that offer products and services through online services, including mobile applications, of vendors of personal health records
• Clarifies what it means for a personal health record to draw PHR identifiable health information from multiple sources
• Authorizes the expanded use of email and other electronic means for providing clear and effective notice to consumers of a breach
• Expands the required content that must be provided in the notice to consumers
• Changes the timing requirement by modifying when the FTC must be notified under the rule. For breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they send notices to affected individuals, which must occur without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security

“Protecting consumers’ sensitive health data is a high priority for the FTC,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “With the increasing use of health apps and connected devices, the updated HBNR will ensure it keeps pace with changes in the health marketplace.”