Specifically, the FTC’s proposed changes clarify the Rule’s applicability to health apps, fitness trackers, and other similar technologies, potentially expanding its requirements to entities that previously believed they were out of scope. Our prior post noted that the FTC had recently started to revitalize the longstanding yet rarely enforced HBNR, which sets out notification obligations for covered businesses for breaches of consumer health information not covered by the Health Insurance Portability and Accountability Act (“HIPAA”). Now, the FTC is seeking to modernize the HBNR to accommodate the explosive growth of direct-to-consumer health and wellness technologies that increase the amount of health data collected from consumers and incentives for companies to use such data for marketing purposes. Public comments are currently being accepted.
Recently, the proposed changes to the Rule have garnered strong backing from members of Congress. In a letter to the FTC shared on July 24, those members expressed support for the Rule, emphasizing that apps seeking to provide health care services “must be held to a higher standard,” that they are “glad to see the FTC take an important step in strengthening protections for consumers’ health data,” and they “strongly encourage the FTC to finalize this proposed rule.” The members referenced the recent FTC settlements in GoodRx and BetterHelp noting that these apps were advertised as safe and secure, but then disclosed consumer data without notifying consumers.
Past HBNR Enforcement
Initially issued in 2009, the HBNR requires specific businesses—vendors of personal health records (“PHR”), PHR-related entities, and third-party service providers—to comply with notification requirements in the event of an unauthorized acquisition of unsecured personally identifiable health information in a PHR.
Since its September 2021 Policy Statement, FTC has prioritized and sought to enforce the privacy and security of personal health data, particularly given the proliferation of applications and connected devices, including health mobile apps, wearable devices, and other similar products, that collect and disclose consumers’ health information. Notably, the FTC pursued two enforcement actions that alleged HBNR violations this year. In February 2023, the FTC announced its first enforcement action under the HBNR against telehealth and prescription drug discount provider GoodRx Holdings Inc., which resulted in a $1.5 million civil penalty. More recently, in May 2023, the FTC announced a proposed order seeking to settle allegations that the ovulation tracker app, Premom, violated the HBNR by sharing users’ sensitive personal health information with third parties through third-party trackers, contrary to its privacy promises and failing to notify consumers of these unauthorized disclosures. Under the proposed settlement, the operator of Premom would be required to pay a $100,000 civil penalty in addition to implementing privacy-enhancing programs. Prior to these cases, the HBNR was largely not enforced, which, in part was likely because the HBNR applies to only smaller subset of businesses.
Key Elements of the Proposed Changes
Through this rulemaking, the FTC expands the scope of businesses subject to the HBNR and broadens the scope of data incidents that need to be reported.
Expands scope of “PHRs”
The FTC seeks to expand the HBNR’s scope by revising the definition for PHR to “an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” This is a significant change from the existing language of “an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” With this change, an app would be considered a PHR if it is possible to draw information from multiple sources (e.g., by syncing to a wearable device), even if the consumer chooses, through settings, to limit information sent to the app to only a single source or the functionality is not otherwise enabled.
This definition also signifies that a product that can draw any information from multiple sources would be covered by the Rule, even if in practice, it draws PHR identifiable health information from only one source. This means that consumer-facing technologies that have any type of integration capacity would need to consider its obligations under the Rule.
Expands types of data and entities covered by the Rule
With proposed clarifications to the definition of PHR identifiable health information, the entities and types of technology covered by the Rule are expanded. By importing language from the Social Security Act and defining the previously undefined terms, “health care provider” and “health care services or supplies,” the FTC could now target developers of health apps and similar technologies that track a wide range of information related to individual health and wellness. Under these proposed changes, online services and apps that help track general wellness data, including fitness, sleep, and diet would be covered by the Rule as “health care providers,” in addition to those apps that track medical data such as diseases, diagnoses, vital signs, symptoms, fertility, and medications. Therefore, services that are positioned as “wellness” products, rather than “health” products could potentially be covered by the Rule, as “health care providers.”
Expands PHR-related entities who are subject to the Rule
The FTC seeks to expand the scope of PHR-related entities by defining the term to include those entities offering products and services through any online service of a PHR vendor (e.g., entities offering products and services through a PHR vendor’s app). Under this iteration of the Rule, more businesses would likely fall into PHR-related entities bucket if they use PHR vendor websites or apps to offer their products and services to consumers.
Additionally, the proposed change clarifies that PHR-related entities are those entities that access or send unsecured PHR identifiable health information to a PHR, rather than those that access or send any information to a PHR. These entities that use PHR vendor services to access or send unsecured PHR identifiable information could potentially include remote blood pressure cuffs, connected blood glucose monitors, and fitness trackers when individuals sync them with a mobile health application (the potential PHR vendor). This change means that health and wellness devices may need to give more attention to the types of information they allow individuals to share with mobile health applications.
Enlarging the Definition of “Breach”
The proposed changes refine the definition of a “breach of security,” by explicitly including unauthorized acquisitions of identifiable health information resulting from “a data security breach or an unauthorized disclosure.” This revision would obligate businesses to report a broader range of incidents, including disclosures of consumers’ PHR identifiable health information to third party companies without individual consent.
Expanding the Methods of Notice
Recognizing that the best means of contacting individuals has changed, the proposed Rule would authorize the expanded use of electronic communications (i.e., emails in combination with text messages, in-app messages, or web banners) to provide consumers with “clear and conspicuous” breach notifications, as newly defined in the proposed changes. The FTC notes that these additional forms of electronic communication are more likely to be read by an individual who is using an application and are more cost effective. The FTC has also provided example notices for businesses to use.
Enhancing the Content of Required Notice
The content of the notice to consumers would be expanded to include: (a) a comprehensive description of the potential harm resulting from the breach; (b) the identity of any known third parties who may have acquired the PHR identifiable health information; (c) the entity’s protection efforts made to affected consumers, such as credit monitoring services; and (d) the entity’s contact information. These changes serve to provide individuals with clarity as to what harms may flow from the breach of their information so that they can assess what steps to take following a breach.
Action Items for Proposed Revisions
The proposed changes to the HBNR could potentially impact businesses, such as health and wellness apps, that do not typically gather data traditionally considered health information within scope of these requirements. These changes could also introduce additional compliance obligations for businesses that are already subject to the provisions of the HBNR. In light of the enforcement priorities established by the FTC, its recent implementation of enforcement actions, and additional guidance on these topics, companies offering connected health and wellness devices, or mobile health applications may consider:
submitting comments to shape the final version of the HBNR, and
evaluating their compliance obligations under the proposed changes, for example, by assessing if they are subject to the Rule and update incident response plans, policies, and procedures as appropriate.
Thanks to Yue-Zhen Li, a summer associate in the Washington, D.C. office of Hogan Lovells, for his assistance drafting this post.
Authored by Scott Loughlin, Alyssa Golay, and Fleur Oké.