On January 21, the Federal Trade Commission (“FTC”) announced new resources to help companies determine their obligations under the Health Breach Notification Rule (the “Rule”): the Health Breach Notification Rule: Basics for Business, which provides a quick introduction to the Rule, and Complying with FTC’s Health Breach Notification Rule (“Compliance Guidance”), a more in-depth compliance guidance. These resources follow the FTC’s September 2021 Policy Statement, which expanded the Rule’s application to the developers of health apps, connected devices, and similar products, and similarly emphasize the FTC’s continued scrutiny of health technology.
The Rule was promulgated in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Under the Rule, vendors of personal health records that are not otherwise regulated under the Health Insurance Portability and Accountability Act (“HIPAA”) are required to notify individuals, the FTC, and, in some cases, the media following a breach involving unsecured identifiable health information. 16 C.F.R. §§ 318.3, 318.5. Third-party service providers also are required to notify covered vendors of any breach. 16 C.F.R. § 318.3. The Compliance Guidance addresses who is covered under the Rule, what triggers the Rule, and what to do when a breach occurs (i.e., notification requirements).
Notably, the Compliance Guidance contains an FAQ section, which, among other things, highlights the FTC’s desire to apply the Rule to certain “apps, wearables, and other technologies for health advice, information, and tracking.” According to the FAQs, a fitness app that collects users’ height, weight, and age and can sync with users’ wearable fitness trackers (even if not all users use this feature) would “likely [be] a vendor of personal health records” under the Rule. This example underscores the FTC’s broad interpretation of the Rule’s applicability set forth in the September 2021 Policy Statement.
The Compliance Guidance does not address any of the questions raised by Commissioners Noah Phillips and Christine Wilson in their dissents to the Commission’s recent Policy Statement about the FTC’s authority to expand the application of its Rule through a Policy Statement.
The Compliance Guidance FAQs also offer examples of how the notification and breach aspects of the Rule would apply in various situations, including when (1) a health app accidentally shares health information with a social media platform, and (2) an individual accesses health records without authorization. With respect to cases involving unauthorized access, the FAQs note that the Rule contains a rebuttable presumption—in other words, the FTC will presume unauthorized access unless the vendor of personal health records can prove that the access has not, or could not reasonably have, taken place. Thus, in the case of an employee’s unauthorized access of health information, a vendor of personal health records can potentially “overcome that presumption by establishing and enforcing a company policy that requires an employee who inadvertently accesses a health record not to read it or share it, to log out immediately, and to report the access to a supervisor right away.”
The FTC has linked these resources in its new Health Privacy webpage, which also contains cases, blog posts, and other materials to assist companies in complying with their legal obligations.