FTC Health Breach Notification Rule


On Jun. 9, 2023, the FTC proposed amendments to the Health Breach Notification Rule.


  • The FTC proposed amendments to the Health Breach Notification (HBN) Rule (16 CFR 318).
  • The rule requires vendors of personal health records (PHRs) to notify individuals, the FTC, and in some cases the media of a breach of unsecured personally identifiable health data.
  • Related entities not covered by the Health Insurance Portability and Accountability Act (HIPAA) (45 CFR 160) must also provide notification of a breach pursuant to the HBN Rule.
  • HBN Rule Provisions
      • Defined scope, including coverage of developers of many health applications (apps).
      • Clarified that a breach of security includes an unauthorized acquisition of PHR identifiable health information in a record that occurred as a result of a data security breach.
      • Revised the definition of a PHR-related entity to clarify that the rule covers entities that offer products and services through online services, including mobile applications.
      • Also applies to entities that access unsecured PHR identifiable data in a health record.
      • Additionally, the rule clarified what it means for a PHR to draw data from multiple sources.
      • A PHR is defined as an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources.
      • These records must be managed, shared, and controlled by, or primarily for, the individual.
      • Modernized the method of notice; allowed electronic notice in additional circumstances.
      • Expanded the content of the notice; consumers affected by a breach must be provided additional important facts, including the potential harm of the breach and the protections available to them.
      • Improved readability by clarifying cross-references and adding statutory citations, consolidating notice and timing requirements, and articulating penalties for non-compliance.
  • Consultation
      • Comments on the proposed health breach rule must be submitted by Aug. 8, 2023.
  • Apr. 2024 FTC Final Rule
      • On Apr. 26, 2024, the FTC finalized changes to the Health Breach Notification Rule (HBNR).
      • The changes will strengthen and modernize the rule by clarifying its applicability to health apps and expanding what entities must provide to consumers when notifying them of a breach.
      • Requires vendors of personal health records that are not covered by HIPAA to notify individuals, the FTC, and, in some cases, the media of a breach of personal health data.
      • Also requires third-party service providers to vendors of PHRs and PHR-related entities to notify such vendors and PHR-related entities following the discovery of a breach.
      • The final rule will go into effect 60 days after its publication in the Federal Register.
  • May 2024 FTC Fed Reg Final Rule
      • On May 30, 2024, the FTC published the final rule in the Federal Register, with an effective date of Jul. 29, 2024.

Regulators FTC
Entity Types Corp; Ins
Reference 89 FR 47028, 5/30/2024; PR, RF RIN 3084-AB56, 4/26/2024; 88 FR 37819, 6/9/2023, HIPAA; Citation: 16 CFR 318; 45 CFR 160;
Functions Compliance; Legal; Operations; Outsourcing; Privacy; Product Administration; Reporting; Technology
Countries United States of America
Category
State
Products Corporate; Insurance; Insurance-Health
Regions Am
Rule Type Final
Rule Date 6/9/2023
Effective Date 7/29/2024
Rule Id 175697
Linked to N/A
Reg. Last Update 5/30/2024
Report Section US Insurance

Last substantive update on 05/31/2024