FTC Proposes Changes To Health Breach Notification Rule Clarifying Application To Health And Wellness Apps

In May, the Federal Trade Commission ("FTC") proposed amendments to the Health Breach Notification Rule (the "Proposed Rules") [1] that would, among other things, clarify that the Rule applies to mobile health applications and related technologies that use or collect consumer health information. [2] Although the FTC's position on this issue is not entirely new, [3] the industry has interpreted the Rule's scope in differing ways.

The Rule is intended to ensure that vendors of personal health records and certain related entities ("vendors") that hold individuals' health information but are not subject to HIPAA's breach notification requirements notify consumers and the FTC of breaches of that health data. A vendor that fails to comply with the Rule may face severe civil penalties.

Proposed changes to the scope of the Rule

The FTC expressed concern that some developers of health-related apps may not understand that the Rule applies to them or what their obligations under it are. This concern likely stems from the proliferation of such apps in the marketplace. Specifically, the FTC said the Rule applies to developers of mobile health applications and similar technologies, including those marketed as wellness products rather than health products. The Proposed Rules aim to eliminate this confusion by clarifying how the Rule applies to such developers and by updating the related definitions.

First, the Proposed Rules amend the definition of "PHR identifiable health information" [7] to cover information that:

  1. is provided by or on behalf of the individual;

  2. identifies the individual, or could reasonably be used to identify the individual;

  3. relates to the individual's past, present, or future health or condition;

  4. relates to the provision of past, present, or future health care to the individual; or

  5. is created or received by a health care provider, health insurance plan, employer, or health care clearinghouse [8].

Second, the Proposed Rules add a new definition of "health care provider" that covers: (i) providers of medical or other health care services; (ii) entities furnishing medical supplies or services; or (iii) a hospital, critical access hospital, rural acute care hospital, specialty care facility, general outpatient rehabilitation facility, home health facility, or hospice program [9].

Third, the Proposed Rules add a new definition of "health care services or supplies" that now includes "websites, mobile applications, or Internet-connected devices that provide mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, or medications." [10] This new definition reaches many common applications and devices, furthering the Proposed Rules' primary goal of clarifying the Rule's scope.

Fourth, the Proposed Rules revise the definition of "personal health record" to mean "an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual." [11] This amendment clarifies what it means for a personal health record to draw identifiable health information from multiple sources.

Fifth, the Proposed Rules revise the definition of "breach of security" to clarify that it covers an unauthorized disclosure as well as a data breach. [12] The amendment makes explicit that a breach is not limited to a cybersecurity intrusion or similar incident, but also occurs when protected information is disclosed without authorization.

Sixth, the Proposed Rules amend the definition of "PHR related entity" to include entities that offer products and services through a vendor's online services, such as mobile applications [13]. In addition, the Proposed Rules limit the definition to entities that access or send unsecured PHR identifiable health information to a personal health record, rather than any entity that accesses or sends unsecured identifiable health information.

Proposed changes to the notification requirements

The FTC also raised concerns about the Rule's requirement that breach notices be sent by mail, because mailed notices are inconsistent with how consumers of Internet-connected technologies receive communications. Instead, the FTC proposed expanding the use of email and other electronic means to notify consumers of breaches [14].

The Proposed Rules also add required content to the breach notices the Rule mandates. Specifically, the Proposed Rules would require vendors, in a breach notice, to:

  1. include a brief description of the potential harm that may result from the breach [15];

  2. provide the full name, website, and address of any third party that acquired unsecured PHR identifiable health information as a result of the breach, if known to the vendor [16];

  3. describe the types of unsecured PHR identifiable health information involved in the breach [17];

  4. explain what the entity that suffered the breach is doing to protect the affected individuals [18]; and

  5. provide two or more of the following ways to contact the notifying entity: (a) a toll-free telephone number; (b) an email address; (c) a website; (d) in-app messaging; or (e) a postal address [19].

Comments on the Proposed Rules are due August 8, 2023. We will continue to monitor the Proposed Rules and any further developments.


Footnotes

[1] 16 CFR § 318.1 et seq.

[2] Proposed Rules at 12.

[3] See Commission Statement of September 15, 2021.

[4] Proposed Rules at 2-3.

[5] Id. at 12.

[6] Id. at 5, 15.

[7] "PHR" stands for "personal health record." 16 CFR § 318.2(h).

[8] 16 CFR § 318.2(i).

[9] 16 CFR § 318.2(f).

[10] 16 CFR § 318.2(e).

[11] 16 CFR § 318.2(h).

[12] 16 CFR § 318.2(a).

[13] 16 CFR § 318.2(j).

[14] 16 CFR § 318.5.

[15] 16 CFR § 318.6(a).

[16] 16 CFR § 318.6(a).

[17] 16 CFR § 318.6(b).

[18] 16 CFR § 318.6(d).

[19] 16 CFR § 318.6(e).

Copyright © 2023 Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XIII, Number 181
