FTC Appears Ready to Begin Enforcing Its Health Breach Notification Rule

More than a decade ago, the Federal Trade Commission (FTC) promulgated a Health Breach Notification Rule (the Rule). The Rule requires certain businesses that access or collect consumers’ identifying health information to notify affected consumers, the FTC and, in some cases, the media, in the event that there is a data security breach leading to the unauthorized access or sharing of consumer health information. See https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-318. Although the Rule has long been available to the FTC, the FTC has not actively enforced it.

The FTC, however, appears to be poised to changing its approach. It has signaled renewed interest in the Rule, largely in recognition of the evolution of technology and healthcare since the Rule’s passage – most particularly regarding healthcare portals and wearable health devices – that has caused an explosive expansion of the amount of health data collected by organizations and entities that are not otherwise governed by the heightened privacy and security protections set forth in the Health Information Portability and Accountability Act (HIPAA) and its progeny.

First, on September 15, 2021, the FTC issued a policy statement giving notice that the FTC interprets the Rule to apply to data breaches that occur in connection with most health apps, connected devices and similar products and technologies. See https://www.ftc.gov/system/files/documents/rules/health-breach-notification-rule/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf.

Then, on January 21, 2022, the FTC released two new publications that it said were intended to help explain to whom the Rule applies and the steps covered businesses need to take in the event a breach occurs. See “Health Breach Notification Rule: The Basics for Business,” https://www.ftc.gov/business-guidance/resources/health-breach-notification-rule-basics-business and “Complying with FTC’s Health Breach Notification Rule,” https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0 (the FTC Notification Publication).

The FTC has collected these and other resources concerning the Rule on a “Health Privacy” web page the content of which is designed to help companies meet their privacy and data security obligations. The Health Privacy page warns that when a company “makes privacy promises – either expressly or by implication – the FTC Act requires [the company] to live up to those claims” and that even businesses that do not make specific privacy promises still have obligations to maintain security that is appropriate to the nature of the data at issue. See https://www.ftc.gov/tips-advice/business-center/privacy-and-security/health-privacy. Included on the Health Privacy page is a link to the FTC’s breach notification form, which is intended to make it easier for companies to report a breach and comply with the Rule.

Who Is Covered by the Rule

The FTC’s Notification Publication provides valuable guidance on the Rule’s particulars. (Additional insight may be available for companies that offer mobile health applications through the FTC’s “Mobile Health Apps Interactive Tool.” See https://www.ftc.gov/business-guidance/resources/mobile-health-apps-interactive-tool.)

As explained in the FTC’s Notification Publication, the Rule applies to:

• A vendor of personal health records (PHRs);
• A PHR related entity; and
• A third party service provider for a vendor of PHRs or a PHR related entity.

Importantly, the Rule does not apply to businesses or organizations such as hospitals, doctors’ offices and insurance companies covered by HIPAA. Those entities must comply instead with the Breach Notification Rule promulgated by the U.S. Department of Health & Human Services (HHS). See https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.

According to the FTC’s Notification Publication, a business is a vendor of a PHR if it “offers or maintains a personal health record,” defined as an electronic record of “identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”

The FTC’s Notification Publication next defines a “PHR related entity” as one that interacts with a vendor of PHRs either by offering products or services through the vendor’s website – even if the vendor’s website is covered by HIPAA – or by accessing information in a PHR or sending information to a PHR.

Another important definition is of a “third party service provider.” A business fits that definition if it offers services involving the use, maintenance, disclosure or disposal of health information to PHR vendors or PHR related entities. For example, if a PHR vendor hires a company to provide billing, debt collection or data storage services related to health information, the company is a third party service provider and, therefore, is covered by the Rule.

Triggering the Notification Requirement

Under the Rule, a covered business must provide notice when there has been an unauthorized acquisition of unsecured PHR identifiable health information. The term “unauthorized acquisition” is not limited to a cybersecurity intrusion or a “hack.” Any incident of unauthorized access, including a company’s disclosure of covered information without a person’s authorization, triggers notification obligations under the Rule.

The FTC provides two examples of likely unauthorized acquisitions that trigger the Rule’s notification requirement:

• If a thief steals an employee’s laptop containing unsecured PHRs; and
• If an employee downloads PHRs without approval.

The notification requirement applies only when a company has experienced a breach of PHR identifiable health information, which the Rule defines as health information that identifies someone or that could reasonably be used to identify someone.

The FTC provides two examples for this definition. First, suppose a company shares a user’s medical information and mobile identifiers with an ad network for the purpose of targeted marketing without previously obtaining the person’s consent. Alternatively, suppose an intruder hacks into a company’s database that contains an individual’s email address, date of birth and medication information. In neither example was the name of the affected individual accessed. Nevertheless, because the information disclosed could still readily identify individual consumers, the FTC considers that the information counts as PHR identifiable health information.

Another significant issue to keep in mind is that the Rule applies only to unsecured health information, as defined by HHS at https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html to include any information that is not encrypted or destroyed. Accordingly, if an employee loses a laptop containing only encrypted PHRs, the employer would not be required to notify people.

Finally, a PHR is an electronic health record. Therefore, if a business experiences a breach involving only paper health records, rather than electronic records, the Rule does not require any notification, although other state and federal breach notifications may. On the other hand, if a product draws from multiple sources, such as an app and API that obtains information from outside sources, it is likely to be covered by the Rule.

Notification

A business that experiences a covered breach must notify each affected person “without unreasonable delay” and in any event no later than 60 calendar days after the business discovers the breach. The countdown begins the day the breach becomes known or should have reasonably been known to someone in the company. Notably, the 60-day window does not mean that a business that is required to provide notification can always wait 60 days; if it discovers a breach and gathers the necessary information in fewer than 60 days, it could be unreasonable to wait until the 60th day to provide notification to the affected consumers.

When a business must notify the FTC depends on the number of people affected. If a breach involves the information of 500 people or more, the company must notify the FTC as soon as possible and within 10 business days after discovering the breach. Where a breach involves the information of fewer than 500 people, the business may notify the FTC within 60 calendar days following the end of the calendar year.

Additionally, there is a requirement that media must be notified, without unreasonable delay and within 60 calendar days of discovery, if a breach affects at least 500 residents of a particular state, the District of Columbia or a U.S. territory or possession. In that situation, notice must be given to “prominent media outlets serving the relevant location.” The FTC emphasizes that this media notice does not substitute for individual notices that must be provided to the affected individuals.

A company that is a third party service provider to a PHR vendor or a PHR related entity also has notice requirements under the Rule. If a third party service provider experiences a breach, it must notify an official designated in its contract with its client or a senior official of the client if there is no designee, without unreasonable delay and within 60 calendar days of discovering the breach. The third party service provider must identify for its client each person whose information may be involved in the breach and must get an acknowledgment that the client received the notice. (The client, in turn, then must fulfill its notification obligations.)

The FTC’s Notification Publication also summarizes how people must be notified. It states that the best practice is for a business to find out from its customers in advance (such as when they sign up for its service) if they would prefer to hear about a security breach by email or by first-class mail. If a company collects only email addresses from its customers, it can send them a message that it intends to contact them by email about any security breaches. Notwithstanding a company’s plan to use email as the default method, the company must give its customers the opportunity to choose first-class mail notification instead and that option must be “clear and conspicuous.”

A company that has made reasonable efforts to reach people affected by a breach but that has not been able to contact 10 or more of them because of insufficient or out-of-date contact information must provide substitute notice through either a clear and conspicuous posting for 90 days on the home page of the company’s website or a notice in major print or broadcast media where those people likely live. In either case, the notice must include a toll-free phone number that must be active for at least 90 days so people can call to learn if their information was affected by the breach.

The FTC requires that the notice to individuals must be easy to understand and must include the following information:

• A brief description of what happened, including the date of the breach (if known) and the date the business discovered the breach;
• The kind of PHR identifiable health information involved in the breach;
• If the breach puts people at risk for identity theft or other possible harm, suggested steps they can take to protect themselves;
• A brief description of the steps the business is taking to investigate the breach, protect against future breaches and mitigate the harm from the breach; and
• How people can contact the business for more information through a toll-free telephone number, email address, website or mailing address.

The Rule preempts contradictory state breach notification laws, but not those that impose additional breach notification requirements. The plethora of breach notification rules, which vary state by state, can impose significant, and sometimes conflicting, burdens on companies.

Conclusion

The FTC’s renewed interest in the Rule’s enforcement appears consistent with recent statements by FTC Chair Lina Khan in which she emphasized the interconnectedness of privacy and data security and the need for the FTC to act aggressively on data security practices, including its use of available remedies to “reflect the latest best practices in security and privacy.” See https://iapp.org/news/a/ftc-chair-touts-interdisciplinary-approach-to-data-privacy-security/. Consumer reliance on health apps and connected devices such as fitness trackers, diet apps and connected blood pressure cuffs results in more and more information about consumers’ health being collected and shared online. It appears likely that the FTC may be gearing up to begin vigorous enforcement of the Rule to address this growing risk.

Reprinted with permission from the April 18, 2022, issue of the New York Law Journal^©, ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.