June 07, 2023

While employer-sponsored group health plans are subject to the Department of Health and Human Services’ (HHS) Privacy, Security, and Breach Notification Rules under the Health Insurance Portability and Accountability Act (HIPAA Rules), the Business Group summarizes the FTC’s latest rulemaking below to help employer plan sponsors understand the background and recent changes given the FTC has recently been increasing its HBNR enforcement activity.

Background

The HBNR was enacted by Congress as part of the American Recovery and Reinvestment Act of 2009 (“Recovery Act”) as there was recognition that certain entities that hold or interact with consumers’ personal health records were not subject to HIPAA’s privacy and security requirements. The Recovery Act created certain protections for “personal health records” (PHRs), electronic records of PHR identifiable health information on an individual and that are managed, shared, and controlled by or primarily for the individual. The FTC issued the HBNR in 2009 and began enforcing the rule in 2010.

The HBNR applies only to breaches of “unsecured” health information, which the Rule defines as health information that is not secured through technologies or methodologies specified by the Department of Health and Human Services (HHS). The HBNR rule does not apply to businesses or organizations covered by HIPAA; HIPAA covered entities and their business associates must instead comply with HHS’s HIPAA breach notification rule.

The HBNR requires vendors of PHRs that are not covered by HIPAA to notify individuals, the FTC, and in some cases, the media, of a breach of unsecured personally identifiable data. It also requires third-party service providers to vendors of PHRs and PHR-related entities (e.g., companies providing billing, data storage, attribution, or analytics services) to provide notification to such vendors entities following the discovery of a breach. Notice must be provided to impacted individuals no later than 60 days after discovery of a data breach, and if a data breach affects 500 or more individuals, notice must be provided to the FTC after no more than 10 days.

As part of the FTC’s regular review of its rules, the FTC sought comments in 2020 on whether changes were needed to the HBNR. In September 2021, the FTC issued a policy statement affirming that health apps and connected devices that collect consumers’ health information must comply with the HBNR. The FTC only recently brought its first enforcement actions under the HBNR against vendors of personal health records.

Proposed Amendments to the HBNR

The FTC cites the expansion of health applications and other direct-to-consumer health technologies (e.g., fitness trackers; wearable blood pressure monitors) since the HBNR was first issued as necessitating updating the Rule. The FTC is proposing the following changes to the HBNR.

• Clarifying the Rule’s scope to better explain the Rule’s application to health applications and similar technologies not covered by HIPAA;
• Revising the definition of breach of security to clarify that a breach of security includes data security breaches and unauthorized disclosures;
• Revising the definition of PHR-related entity, including to clarify that the Rule covers entities that offer products and services through the online services, including mobile applications, of vendors of personal health records;
• Clarifying what it means for a vendor of PHRs to draw PHR identifiable health information from multiple sources;
• In response to public comments, modernizing the method of notice to authorize electronic notice in additional circumstances;
• Expanding the required content of the notice, and providing a model notice which regulated entities could use to notify consumers; and
• Improving the readability of the Rule, including adding statutory citations, consolidating notice and timing requirements, and adding a new section that clearly states the penalties for non-compliance.

What the Proposed Rule Means for Employer Plan Sponsors

Employer-sponsored group health plans and their business associates are regulated entities subject to the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules). As such, while the FTC’s HBNR is generally less directly applicable than the HHS’ HIPAA Rules, there may be some circumstances where a company can be subject to both sets of rule – which the FTC outlines in FAQs on its website. As employer plan sponsors continue to examine health technology solutions as part of their benefits strategy, in addition to employees and their dependents increasingly utilizing health application and digital tools to manage their own health, employers should be aware of the FTC’s HBNR and ongoing enforcement efforts.

Resources

• FTC: Notice of Proposed Rulemaking - Health Breach Notification Rule
• FTC: Press Release – FTC Proposes Amendments to Strengthen and Modernize the Health Breach Notification Rule
• FTC: Complying with FTC’s Health Breach Notification Rule
• HHS HIPAA Breach Notification Rule
• HHS: Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates

If you have questions, comments, or concerns about these or other regulatory and compliance issues, please contact us.

We provide this material for informational purposes only; it is not a substitute for legal advice.

More Topics

Policy & Advocacy Health Information Technology