In May 2023, the Federal Trade Commission (FTC) proposed changes to the Health Breach Notification Rule following a 10-year review of the rule. The proposed changes are intended to modernize the rule and make it fit for purpose in the digital age. A lot has changed since the Health Breach Notification Rule was introduced. Huge amounts of health data are now collected and shared by direct-to-consumer technologies such as health apps and wearable devices. These apps and devices can collect highly sensitive health data, yet the information collected is generally not protected by the HIPAA Rules.
The proposed update to the Health Breach Notification Rule includes changes to definitions to make it clear that vendors of personal health records (PHRs) and related entities that are not covered by HIPAA are required to issue notifications after an impermissible disclosure of their health data. The definition of a ‘breach of security’ has been changed to make it clear that a breach includes the unauthorized acquisition of identifiable health information, either by a security breach or an unauthorized disclosure. Changes have also been made to standardize consumer notifications and ensure sufficient information is provided to consumers to allow them to assess risk and require consumers to be advised about the potential for harm from a data breach.
Timely notifications must be issued to the FTC, the affected individuals, and in some cases, the media. Third-party service providers to vendors of PHRs and PHR-related entities must also issue notifications to the vendor in the event of a data breach. The deadline for providing notifications is 60 calendar days following the discovery of a data breach, although, like the HIPAA Breach Notification Rule, notifications should be issued without undue delay.
While the FTC’s Health Breach Notification Rule has been in effect for more than a decade, the FTC has only recently started enforcing the rule. The first enforcement action came in February this year against the digital health company, GoodRx Holdings, Inc, which was found to have disclosed uses’ health data to third-party advertising platforms such as Facebook (Meta) and Google. The FTC also took action against Easy Healthcare Corporation, which provides an ovulation and period tracking mobile application (Premom). In the case of Premom, health data was transferred to third parties such as Google and AppsFlyer. GoodRx agreed to settle the case and pay a $1.5 million civil monetary penalty and Easy Healthcare paid a $100,000 civil penalty.
Feedback on the Proposed Rule
The FTC provided 60 days from the date of publication in the Federal Register for the public to submit comments on the proposed changes to the Health Breach Notification Rule and the final date for submitting comments was August 8, 2023. 117 individuals and organizations submitted comments on the proposed changes, with the FTC broadly praised for updating the rule. Some of the key points from the submitted comments are detailed below.
User Consent and Transparency
Mozilla, the developer of the Firefox Internet browser, broadly supports the proposed changes. Mozilla expressed concern about the extent to which users are tracked online and how personally identifiable health information is already being transferred to third parties, often without the users’ knowledge or consent. Mozilla’s “Privacy Not Included” research team recently reviewed the practices of popular mental health and reproductive apps and found many indiscriminately collect and share intimate information for advertising purposes yet provide limited opportunities for consumers to object to those uses. The researchers found apps frequently made deceptive claims about data sharing, combined app user data with data collected from other sources such as social media profiles and data brokers, and oftentimes, the sensitive data collected by these apps was not appropriately secured.
Mozilla points out that its survey data revealed 55% of users said they did not understand when they had given their consent for apps to share their data, indicating either deceptive practices when obtaining consent or app developers are using unclear language when obtaining consent. Mozilla called for the FTC to clearly define authorization in the rule and to include the language that the FTC considered but did not include in the proposed rule and calls for the FTC to require user consent to be obtained before any personal information is collected.
Mozilla also suggested the FTC require companies to abide by browser-based opt-out signals when determining whether they have authorization to share data under the rule, such as the Global Privacy Control (GPC) as individuals are likely to want to make a simple and clear decision about the sharing of their health data. Mozilla, like several other commenters, suggested the need for a definition of acquisition, which Mozilla believes should involve any use or access by a third party of information derived from the health data, not just wholesale transfer, aligning the definition with the California Privacy Rights Act, although this appears to be something of a contentious point, not supported by the Consumer Technology Association, for example (see below).
Unintended Consequences of Electronic Breach Notifications
The Identity Theft Resource Center (ITRC), a national nonprofit organization established to minimize identity risk and mitigate the impact of identity compromise and crime, broadly praised the FTC’s efforts to update the rule but warned that allowing increased use of electronic notifications about data breaches could have a negative effect due to the potential for significant data breaches to escape public scrutiny. The ITRC suggested a change in the language of the rule to make it clear that organizations subject to the rule must comply with applicable state laws that require broader public notice.
As can be seen in data breach reporting by ITRC and The HIPAA Journal, consumers are often not provided with much information about the nature and root cause of a breach, such as if data was obtained by a ransomware group and posted on a dark net data leak site. Consumers are often told that an unauthorized third party may have viewed or obtained a user’s data when data theft and dark web publication have been confirmed. ITRC noticed this growing trend starting in late 2021 and the data breach notifications required under HIPAA increasingly see consumers provided with little or no actionable information. The FTC was praised for expanding the content requirements for notifications, which require consumers to be advised, in plain language, about the potential harms from a data breach.
Clearer Requirements for Sexual and Reproductive Health Information
The Planned Parenthood Federation of America is a trusted voice for sexual and reproductive health and a leading advocate for policies advancing access to sexual and reproductive health care. Planned Parenthood is a strong believer that data related to accessing health care should not be used by government entities or others hostile to sexual and reproductive health care. Following the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, this has become an even more pressing concern as there are genuine fears that health data will be sought to punish individuals for seeking or obtaining reproductive health care.
Planned Parenthood expressed concern that consumers may avoid using health apps out of fear that their privacy may be at risk, given the criminalization of abortion, gender-affirming care, and contraception in some states. This could create a culture of fear around using health applications when technology should be able to be used safely without fear that sensitive data is being moved or sold without knowledge or consent.
The efforts of the FTC to improve health information privacy were praised by Planned Parenthood, which made several recommendations to further improve privacy, specifically the privacy of reproductive health information. In addition to the FTC’s definitions for ‘healthcare provider’ and ‘health care services or supplies’ in the proposed rule, Planned Parenthood recommends the FTC include explicit language that protects people’s sexual and reproductive health care data.
Planned Parenthood suggests the FTC’s definition of ‘PHR identifiable information’ should include a more explicit reference to sexual and reproductive health due to the sensitivity of that information, such as “…relates to the past, present, or future physical, sexual, reproductive, or mental health or condition of an individual,” and also include broad definitions for “sexual” and “reproductive” health. By including these definitions, the FTC Health Breach Notification Rule would be consistent with OCR’s proposed changes to the HIPAA Privacy Rule for improving reproductive health information privacy relating to data collected by HIPAA-regulated entities.
Ensure Data Brokers are Covered by the Rule
The U.S. Public Interest Research Group, a public interest research and advocacy organization, has included a 9,659-signature petition from its members and the general public calling for stronger rules to protect digital health information.
U.S. PIRG broadly supports the proposed changes and believes it is appropriate for the rule to apply to the type of information that entities may process, regardless of whether they brand themselves as health-related companies or not. U.S. PIRG has called for the FTC to ensure that data brokers are included in the rule, as they can pull in large amounts of data about consumers and can aggregate health signals. The data broker and AdTech firm Tremor was offered as an example. Tremor offers over 400 standard health segments that may be used by its clients to deliver targeted advertising. U.S. PIRG also believes the definition of ‘breach of security’ should also include an entity that collects more information than necessary to serve the purpose for which it was collected.
Personal Health Record Should Align with Protected Health Information Definition
The Healthcare Information and Management Systems Society (HIMSS) praised the FTC for the update and clarification on how the rule applies to today’s technologies but points out that privacy and security is not only about avoiding breaches but also about ensuring information is private and secure in the first place. HIMSS encourages the FTC to explore and encourage proactive, rather than reactive, privacy and security practices in future rulemaking cycles.
HIMSS recommends the FTC align the proposed definition of PHR with the definition of protected health information in HIPAA. This would help to ensure that all health data is covered by the rule, regardless of how that information is transmitted. To make it easier for breaches to be reported without unnecessary delay, HIMSS suggests the FTC create an easily accessible, user-friendly, interactive form on its website for directly reporting breaches and other suspected violations of the Rule to the FTC.
Expansion of PHR and Breach of Security Definitions
The American Medical Informatics Association (AMIA) recommends the explicit inclusion of usernames/passwords maintained by non-HIPAA-regulated entities as being PHR identifiable health information, and for a breach of security to be presumed when a PHR or PHR-related entity failed to adequately disclose to individuals how their data will be accessed, processed, used, reused, or disclosed. AMIA also points out that for the rule to act as a deterrent to poor data management, it must be rigorously enforced, and enforcement must be sufficiently stringent and appropriate to compel the secure and responsible management of health data.
Abandon Health Care Provider Definition
While the FTC has been broadly praised for the proposed update, the FTC has been warned about some of the unintended consequences of some of the proposed changes. Multiple commenters, including the American Medical Association (AMA), take issue with the definition of ‘health care provider’ in the rule. The rule does not apply to HIPAA-covered entities, and to include a definition of ‘health care provider’ could easily result in confusion, since a health care provider is widely regarded by the public as an entity that provides medical care or health care. This issue was also raised by the Texas Medical Association (TMA) in its comments.
“The AMA strongly urges the Commission to abandon this highly ambiguous and potentially harmful definition. To lump together apps such as FitBit and Flo, in the same regulatory definition as physicians, is a disservice to consumers of public health and the industry as a whole.” The AMA suggests creating a more appropriate definition for apps, tracking devices, and other covered technologies, removing ‘health care provider’ and instead using a more appropriate descriptive term such as “health apps and diagnostic tool services.” Both the AMA and TMA also recommend removing ‘health care provider’ from the PHR identifiable health information definition, and instead using the term HIPAA-covered entity.
The AMA also makes a good point about the definition of a PHR which includes the phrase, “has the technical capacity to draw information from multiple sources.” The AMA suggests the definition be broadened to also include “when an app only draws health information from one place but extracts non-health information drawn from other sources, as well as when a PHR only draws identifiable health information from one place with non-identifiable health information coming from others.”
Such a change would give individuals more confidence in using PHRs and health apps without having to worry about making a change in the settings that could cause the app to no longer qualify as a PHR, which would remove protections under the rule.
The option of electronic notifications was praised as the aim should be to ensure notification as fast as possible. The AMA suggests that PHR users should be required to choose two methods of notification, in addition to postal notices, that best suit their lifestyle, as that will ensure notifications reach them quickly.
Proposed Rule Goes Too Far
The Consumer Technology Association (CTA) believes the proposed rule should be narrowed considerably and suggests the scope of the parties subject to the rule is not consistent with the HITECH Act. The CTA recommends that covered entities should be limited and should not include “merchants that may sell a variety of products that include health-related products, focusing on apps that actually gather health-related information from multiple sources, and excluding service providers such as cloud computing providers, analytics providers, and advertising providers, particularly when they do not target or are unaware of receiving covered health data.”
The CTA also recommends narrowing the scope of a ‘breach of security’ to the acquisition of covered health data, and not including inadvertent or good faith unauthorized access or disclosure when no data was actually obtained by a third party. The CTA also takes issue with the timescales and content of notifications. Rather than a notification period of 60 days from the date of discovery of a breach, the CTA recommends requiring a company to report the breach and issue notifications when it has been reasonably determined that a breach of security has occurred. This will help companies devote all their resources to investigating breaches and would harmonize the rule with state breach reporting laws.
The CTA also recommends simplifying consumer notice content and focusing on providing consumers with actionable information. Companies should not be required to speculate about the harms that could potentially result from a breach, nor should they be required to provide a list of entities that obtained health data. “Requiring an explanation of potential, speculative harm will create consumer confusion, further misinformation, and encourage unnecessary litigation,” wrote the CTA. Having to list companies that obtained a consumer’s PHR identifiable health information may interfere with investigatory efforts, including law enforcement inquiries or other internal investigations, and could also invite litigation against those entities. Since not all of the proposed content for notifications is actionable, including ‘speculative’ information may only serve to alarm and confuse consumers.
Viewpoints from The HIPAA Journal
The HIPAA Journal supports the FTC’s efforts to update the Health Breach Notification Rule to plug notification gaps and ensure that consumers are provided with timely notifications whenever their health data has been impermissibly disclosed. As various studies have demonstrated, companies not covered by HIPAA have not been adequately protecting health data and have been disclosing health information without the knowledge of the subjects of that data.
Once established, the updated rule – and the FTC Act – should be rigorously enforced to ensure they serve as a deterrent against the improper sharing of sensitive health data, whether deliberate or accidental. The FTC should also work closely with OCR to ensure that there are no regulatory gaps and that all health data is protected, no matter who collects the information. In the event of an impermissible disclosure of health information of any kind, consumers need to be informed as quickly as possible.
There has been a growing trend in breach notifications from HIPAA-regulated entities where the date of discovery of a breach is taken as the date when the forensic investigation confirms protected health information has been breached, which may be several months after the date that a security breach was discovered. The deadline for reporting should align with the HIPAA Breach Notification Rule, and allowing electronic notifications should speed up the notification process and help to ensure that timely notifications are issued. The FTC should ensure that that reporting deadline is enforced. The HIPAA Journal shares the view of the ITRC regarding the potential for serious data breaches to escape public scrutiny with electronic notifications. Maintaining a public record of data breaches as the Office for Civil Rights does with data breaches at HIPAA-regulated entities would solve this problem. The proposed rule rightly includes content requirements for notifications.
It is important to provide consumers with actionable information about a data breach and to clearly explain how risk can be reduced. In order for consumers to be able to make accurate decisions about the actions they should take in response to a breach, they should be advised about the potential harms. If companies are concerned about the potential for litigation from explaining the harms that can be caused by a data breach, they may be more inclined to implement appropriate data security measures to prevent data breaches from occurring in the first place.
Steve Alder, Editor-in-Chief, HIPAA Journal
The post Views on FTC’s Proposed Health Breach Notification Rule Update appeared first on HIPAA Journal.