Health Apps Beware: FTC Clarifies Health Breach Notification Rule with Significant Proposed Changes

Direct-to-consumer health and wellness applications are forewarned: the Federal Trade Commission (FTC) is proposing changes to the Health Breach Notification Rule (HBNR), 16 C.F.R. part 318, that, if finalized, would cement the HBNR’s applicability to a broad swath of direct-to-consumer health and wellness applications (apps) and confirm that a breach of security includes not only data security incidents, but also unauthorized disclosures of personal health information. The FTC issued the Notice of Proposed Rulemaking on May 18, 2023, and comments are due 60 days after publication in the Federal Register. We have prepared a comparison document illustrating the proposed changes, which can be found here.


Background


The HBNR was first implemented in 2009 in response to the anticipated proliferation of online personal health record (PHR) services — many of which are now defunct (e.g., Microsoft HealthVault) — that offered to store a user’s digital medical records. Since such services are not typically covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its breach reporting obligations, the HBNR was meant to fill this void. Fast forward nearly 15 years and the FTC is demonstrating a renewed commitment to protecting consumers’ digital health information, as illustrated by the enforcement actions against GoodRx, BetterHelp, and Easy Healthcare for impermissibly sharing consumer health information to assist with advertising and marketing practices. But the agency has struggled to apply the HBNR to ne ..
