This week, Hacking Healthcare takes a look at an upcoming Federal Trade Commission proposed rulemaking that would clarify and strengthen its Health Breach Notification Rule. We examine what the rule is, how it relates to the Health Insurance Portability and Accountability Act (HIPAA), and why it might matter to healthcare organizations not covered by it.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).

TLP WHITE - 6.1.2023 -- Hacking Healthcare

Welcome back to Hacking Healthcare.

Federal Trade Commission Proposes Revising Its Health Breach Notification Rule

The Federal Trade Commission (FTC) published a press release on May 18th to announce its intention to assess “amendments to strengthen and modernize the Health Breach Notification Rule (HBNR).”[i] While not a regulatory measure that directly affects those entities covered by HIPAA, the Rule has been drawing attention as a response to “health apps and other direct-to-consumer health technologies, such as fitness trackers, [having become] commonplace.”[ii] The proposed Rule changes, and FTC Commissioner Rebecca Kelly Slaughter’s recent comments on the Rule, raise questions about the increasing regulatory attention given to data privacy and protection of sensitive health data.

For those unfamiliar with the FTC’s HBNR, it “requires vendors of personal health records (“PHRs”) and related entities that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to notify individuals, the FTC, and in some cases, the media of a breach of unsecured personally identifiable health data.”[iii] The Rule fits within the FTC’s broader priorities to protect sensitive consumer data. While the Rule has been in force since 2010, it wasn’t until this year that any enforcement actions were taken.

The notice of proposed rulemaking and request for comment come after a 2020 review of the Rule received widespread stakeholder support to “clarify that the Rule applies to apps and similar technologies” and for the FTC to “take additional steps to protect unsecured PHR identifiable health information that is not covered by HIPAA, both to prevent harm to consumers.”[iv]

Additionally, stakeholders commented that the FTC should step up enforcement and that clarification would help “level the competitive playing field among companies dealing with the same health information.”[v]

While the FTC did provide updated guidance along these lines in 2021, the agency appears ready to formalize changes to the HBNR.[vi] Those proposed changes seek to:

(1) clarify the Rule’s scope, including its coverage of developers of many health applications (“apps”);

(2) amend the definition of breach of security to clarify that a breach of security includes data security breaches and unauthorized disclosures;

(3) revise the definition of a PHR-related entity;

(4) clarify what it means for a vendor of personal health records to draw PHR identifiable health information from multiple sources;

(5) modernize the method of notice;

(6) expand the content of the notice; and

(7) improve the Rule’s readability by clarifying cross-references and adding statutory citations, consolidating notice and timing requirements, and articulating the penalties for non-compliance.

The FTC will accept public comments from interested stakeholders on these issues for 60 days once the notice has been formally published in the Federal Register, which has not taken place at the time of writing.

 

Action & Analysis
**Included with Health-ISAC Membership**

 

Recommendations 

For those members directly affected by the FTC rule, there is likely value in reviewing the proposed changes and submitting comments on any issues you may have or any clarifications you may want. This may be the only formal opportunity to help shape future FTC action on this issue.

For members who are not as directly impacted by this rule, perhaps because you are covered by HIPAA, it’s worth noting that there continues to be a legal and regulatory focus on the privacy and protection of health data. Furthermore, it may be interesting to see how some of the FTC’s proposed changes to notification may be received.

While the FTC and the Department of Health and Human Services (HHS) do not have exactly the same goals, authority, or expertise, the FTC’s openness to expanding the amount and type of information required in its HBNR notices signals a desire to better inform, educate, and provide relief to affected individuals for violations involving their health data beyond what is expressly required by healthcare regulations like HIPAA. While HHS is under no obligation to follow the FTC’s lead, and other differences and considerations are present that may preclude simply copying its approach, the FTC’s move may incentivize HHS to consider whether this is an area worth updating. It may also spark interest within HHS in updating HIPAA more broadly, which is long overdue and a subject we cover routinely here.

Conclusion

The FTC’s publication of an RFC on this issue helps illustrate another avenue by which sensitive personal health-related data is permeating areas beyond traditional healthcare. Tangible regulatory efforts outside HHS to better protect health data at large within the United States are broadly a good thing, but they do raise the issue of potential divergences between the kinds of privacy and security protections and incident notices that each regulator believes are appropriate. We don’t yet know how many of these proposed changes will be pursued by the FTC, but it will be worth watching. It’s also worth noting that the current administration is very interested in achieving regulatory harmonization, both within the United States and internationally. Whether the FTC is keeping this in mind is unclear, but it is something we should all encourage it to consider.

 

Congress

Tuesday, May 30

No relevant hearings

Wednesday, May 31

No relevant meetings

Thursday, June 1

No relevant hearings

 

International Hearings/Meetings

No relevant meetings

 
