Newly Released FTC Health Breach Notification Rule: A Guide for Non-HIPAA Health Apps and Technologies

As healthcare regulatory attorneys, we’ve seen firsthand the confusion and challenges that arise when health-related entities fall outside the purview of the Health Insurance Portability and Accountability Act (HIPAA). One crucial, newly released regulation that often gets overlooked is the Federal Trade Commission’s (FTC) Health Breach Notification Rule (HBN Rule). This rule is particularly relevant for health apps and technologies that are not covered by HIPAA because they do not conduct standardized transactions. Understanding and complying with this rule is essential for protecting your business and your users.


The Need for the Health Breach Notification Rule

In the evolving landscape of healthcare technology, many entities manage personal health records (PHRs) without being subject to HIPAA. HIPAA primarily governs healthcare providers, health plans, and their business associates who conduct standardized electronic transactions. However, the rise of direct-to-consumer health apps, wearable devices, and other digital health technologies necessitated additional regulatory measures to ensure these entities also adhere to stringent privacy and security protocols. This is where the FTC’s newly released HBN Rule comes into play.


Who Does the HBN Rule Affect?

The HBN Rule specifically targets vendors of personal health records and related health care technology entities that are not covered by HIPAA. This includes:

  • Health Apps and Technologies: Many mobile health applications and connected devices now fall under this rule. If your app collects, stores, or manages personal health information and can draw data from multiple sources, you are likely governed by the HBN Rule even if you aren’t governed by HIPAA.
  • Non-HIPAA Entities: Companies offering products and services through PHR websites or those accessing and sending information to personal health records are included. This encompasses a wide array of modern health technologies that, although pivotal in the healthcare ecosystem, do not conduct standardized transactions as defined by HIPAA.


Key Compliance Requirements

To comply with the HBN Rule, entities must follow specific notification protocols in the event of a data breach involving unsecured PHR identifiable health information:

  1. Notify Affected Individuals: You must inform individuals whose information has been compromised without unreasonable delay and no later than 60 calendar days after discovering the breach. This notice should include details about the breach, the types of information involved, and the steps individuals can take to protect themselves.
  2. Notify the FTC: For breaches affecting 500 or more individuals, immediate notification to the FTC is required, along with the individual notices. For breaches involving fewer individuals, a log must be maintained and submitted to the FTC annually.
  3. Notify the Media: In cases where a breach affects 500 or more residents of a state or jurisdiction, you are required to notify prominent media outlets to ensure the breach information is widely disseminated.


What Constitutes a Breach?

Under the HBN Rule, a breach is defined as any unauthorized acquisition of unsecured PHR identifiable health information. This includes data security breaches as well as unauthorized disclosures, whether through hacking, loss of devices, or improper sharing of information without patient consent. The broad definition underscores the FTC’s commitment to comprehensive consumer protection.

The HBN Rule’s breach standards largely mirror HIPAA’s, with some exceptions.


Enforcement and Implications

The FTC treats violations of the HBN Rule as unfair or deceptive acts under the Federal Trade Commission Act, leading to potential civil penalties. Recent enforcement actions highlight the FTC’s diligence in holding companies accountable. For example, actions against companies like GoodRx Holdings, Inc., and Easy Healthcare Corporation underscore the importance of adhering to breach notification requirements.


Why This Matters for Health Apps and Technologies

For health apps and technologies not covered by HIPAA, understanding and complying with the HBN Rule is crucial. These entities often handle sensitive health data but might not engage in standardized transactions that would bring them under HIPAA’s protections. As a result, the HBN Rule serves as a critical regulatory framework to ensure these entities also maintain high standards of privacy and security.

At The Health Law Partners, P.C., we help healthcare technology companies navigate complex regulatory landscapes. The FTC’s newly released Health Breach Notification Rule is a vital regulation that ensures even non-HIPAA covered entities maintain stringent data protection practices. By understanding and complying with this rule, you can safeguard your business, protect your users, and maintain trust in your digital health solutions.

For more detailed guidance and compliance support, feel free to contact Clinton Mikel at (248) 996-8510, or contact your regular HLP attorney.