Proposed Rule2023-12148
Health Breach Notification Rule
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
June 9, 2023
Issuing agencies
Federal Trade Commission
Abstract
The Federal Trade Commission ("FTC" or "Commission") proposes to amend the Commission's Health Breach Notification Rule (the "HBN Rule" or the "Rule") and requests public comment on the proposed changes. The HBN Rule requires vendors of personal health records ("PHRs") and related entities that are not covered by the Health Insurance Portability and Accountability Act ("HIPAA") to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data.
Full Text
<html>
<head>
<title>Federal Register, Volume 88 Issue 111 (Friday, June 9, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 111 (Friday, June 9, 2023)]
[Proposed Rules]
[Pages 37819-37839]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-12148]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
16 CFR Part 318
Health Breach Notification Rule
AGENCY: Federal Trade Commission.
ACTION: Notice of proposed rulemaking; request for public comment.
-----------------------------------------------------------------------
SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'')
proposes to amend the Commission's Health Breach Notification Rule (the
``HBN Rule'' or the ``Rule'') and requests public comment on the
proposed changes. The HBN Rule requires vendors of personal health
records (``PHRs'') and related entities that are not covered by the
Health Insurance Portability and Accountability Act (``HIPAA'') to
notify individuals, the FTC, and, in some cases, the media of a breach
of unsecured personally identifiable health data.
DATES: Written comments must be received on or before August 8, 2023.
ADDRESSES: Interested parties may file a comment online or on paper by
following the Request for Comment part of the SUPPLEMENTARY INFORMATION
section below. Write ``Health Breach Notification Rule, Project No.
P205405'' on your comment and file your comment online at <a href="https://www.regulations.gov">https://www.regulations.gov</a> by following the instructions on the web-based
form. If you prefer to file your comment on paper, mail your comment to
the following address: Federal Trade Commission, Office of the
Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex H),
Washington, DC 20580.
FOR FURTHER INFORMATION CONTACT: Ryan Mehm (202) 326-2918, Elisa
Jillson, (202) 326-3001, Ronnie Solomon, (202) 326-2098, Division of
Privacy and Identity Protection, Bureau of Consumer Protection, Federal
Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.
SUPPLEMENTARY INFORMATION: The amendments would: (1) clarify the Rule's
scope, including its coverage of developers of many health applications
(``apps''); (2) amend the definition of breach of security to clarify
that a breach of security includes data security breaches and
unauthorized disclosures; (3) revise the definition of PHR related
entity; (4) clarify what it means for a vendor of personal health
records to draw PHR identifiable health information from multiple
sources; (5) modernize the method of notice; (6) expand the content of
the notice; and (7) improve the Rule's readability by clarifying cross-
references and adding statutory citations, consolidating notice and
timing requirements, and articulating the penalties for non-compliance.
I. Background
Congress enacted the American Recovery and Reinvestment Act of 2009
(``Recovery Act'' or ``the Act''),\1\ in part, to advance the use of
health information technology and, at the same time, strengthen privacy
and security protections for health information. Recognizing that
certain entities that hold or interact with consumers' personal health
records were not subject to the privacy and security requirements of
HIPAA,\2\ Congress created requirements for such entities to notify
individuals, the Commission, and, in some cases, the media of the
breach of
[[Page 37820]]
unsecured identifiable health information from those records.
---------------------------------------------------------------------------
\1\ American Recovery and Reinvestment Act of 2009, Public Law
111-5, 123 Stat. 115 (2009).
\2\ Health Insurance Portability and Accountability Act, Public
Law 104-191, 110 Stat. 1936 (1996).
---------------------------------------------------------------------------
Specifically, section 13407 of the Recovery Act created certain
protections for ``personal health records'' or ``PHRs,'' \3\ electronic
records of PHR identifiable health information on an individual that
can be drawn from multiple sources and that are managed, shared, and
controlled by or primarily for the individual.\4\ Congress recognized
that vendors of personal health records and PHR related entities (i.e.,
companies that offer products and services through PHR websites or
access information in or send information to personal health records)
were collecting consumers' health information but were not subject to
the privacy and security requirements of HIPAA. Accordingly, the
Recovery Act directed the FTC to issue a rule requiring these non-HIPAA
covered entities, and their third party service providers, to provide
notification of any breach of unsecured PHR identifiable health
information. The Commission issued its Rule implementing these
provisions in 2009.\5\ FTC enforcement of the Rule began on February
22, 2010.
---------------------------------------------------------------------------
\3\ 42 U.S.C. 17937.
\4\ 42 U.S.C. 17921(11).
\5\ 74 FR 42962 (Aug. 25, 2009) (``2009 Final Rule'').
---------------------------------------------------------------------------
The Rule requires vendors of personal health records and PHR
related entities to provide: (1) notice to consumers whose unsecured
PHR identifiable health information has been breached; (2) notice to
the Commission; and (3) notice to prominent media outlets \6\ serving a
State or jurisdiction, in cases where 500 or more residents are
confirmed or reasonably believed to have been affected by a breach.\7\
The Rule also requires third party service providers (i.e., those
companies that provide services such as billing, data storage,
attribution, or analytics) to vendors of personal health records and
PHR related entities to provide notification to such vendors and
entities following the discovery of a breach.\8\
---------------------------------------------------------------------------
\6\ The Recovery Act does not limit this notice to particular
types of media. Thus, an entity can satisfy the requirement to
notify ``prominent media outlets'' by, for example, disseminating
press releases to a number of media outlets, including internet
media in appropriate circumstances, where most of the residents of
the relevant state or jurisdiction get their news. This will be a
fact-specific inquiry that will depend upon what media outlets are
``prominent'' in the relevant jurisdiction. 74 FR 42974.
\7\ 16 CFR 318.3, 318.5.
\8\ Id. 318.3.
---------------------------------------------------------------------------
The Rule requires notice to individuals ``without unreasonable
delay and in no case later than 60 calendar days'' after discovery of a
data breach.\9\ If the breach affects 500 or more individuals, notice
to the FTC must be provided ``as soon as possible and in no case later
than ten business days'' after discovery of the breach.\10\ The FTC
makes available a standard form for companies to use to notify the
Commission of a breach,\11\ and posts a list of breaches involving 500
or more individuals on its website.\12\
---------------------------------------------------------------------------
\9\ Id. 318.4.
\10\ Id. 318.5(c).
\11\ Fed. Trade Comm'n, Notice of Breach of Health Information,
<a href="https://www.ftc.gov/system/files/documents/rules/health-breach-notification-rule/health_breach_form.pdf">https://www.ftc.gov/system/files/documents/rules/health-breach-notification-rule/health_breach_form.pdf</a>.
\12\ Fed. Trade Comm'n, Notices Received by the FTC Pursuant to
the Health Breach Notification Rule, Breach Notices Received by the
FTC, <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/Health%20Breach%20Notices%20Received%20by%20the%20FTC.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/Health%20Breach%20Notices%20Received%20by%20the%20FTC.pdf</a> (last
visited Dec. 2, 2022).
---------------------------------------------------------------------------
The Rule applies only to breaches of ``unsecured'' health
information, which the Rule defines as health information that is not
secured through technologies or methodologies specified by the
Department of Health and Human Services (``HHS'') and it does not apply
to businesses or organizations covered by HIPAA.\13\ HIPAA-covered
entities and their ``business associates'' must instead comply with
HHS's breach notification rule.\14\
---------------------------------------------------------------------------
\13\ Per HHS guidance, electronic health information is
``secured'' if it has been encrypted according to certain
specifications set forth by HHS, or if the media on which electronic
health information has been stored or recorded is destroyed
according to HHS specifications. See 74 FR 19006; see also U.S.
Dep't of Health & Human Servs., Guidance to Render Unsecured
Protected Health Information Unusable, Unreadable, or Indecipherable
to Unauthorized Individuals (July 26, 2013), <a href="https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html">https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html</a>. PHR
identifiable health information would be considered ``secured'' if
such information is disclosed by, for example, a vendor of personal
health records, to a PHR related entity or a third party service
provider, in an encrypted format meeting HHS specifications, and the
PHR related entity or third party service provider stores the data
in an encrypted format that meets HHS specifications and also stores
the encryption and/or decryption tools on a device or at a location
separate from the data.
\14\ 45 CFR 164.400-414.
---------------------------------------------------------------------------
Since the Rule's issuance, apps and other direct-to-consumer health
technologies, such as fitness trackers and wearable blood pressure
monitors, have become commonplace.\15\ Further, as an outgrowth of the
COVID-19 pandemic, consumer use of such health-related technologies has
increased significantly.\16\
---------------------------------------------------------------------------
\15\ See, e.g., Tehseen Kiani, App Development in Healthcare: 12
Exciting Facts, TechnoChops (Jan. 27, 2022), <a href="https://www.technochops.com/programming/4329/app-development-in-healthcare/">https://www.technochops.com/programming/4329/app-development-in-healthcare/</a>;
Elad Natanson, Healthcare Apps: A Boon, Today and Tomorrow, Forbes
(July 21, 2020), <a href="https://www.forbes.com/sites/eladnatanson/2020/07/21/healthcare-apps-a-boon-today-and-tomorrow/?sh=21df01ac1bb9">https://www.forbes.com/sites/eladnatanson/2020/07/21/healthcare-apps-a-boon-today-and-tomorrow/?sh=21df01ac1bb9</a>; Emily
Olsen, Digital health apps balloon to more than 350,000 available on
the market, according to IQVIA report, MobiHealthNews (Aug. 4,
2021), <a href="https://www.mobihealthnews.com/news/digital-health-apps-balloon-more-350000-available-market-according-iqvia-report">https://www.mobihealthnews.com/news/digital-health-apps-balloon-more-350000-available-market-according-iqvia-report</a>.
\16\ See id.; see also Lis Evenstad, Covid-19 has led to a 25%
increase in health app downloads, research shows, <a href="http://ComputerWeekly.com">ComputerWeekly.com</a>
(Jan. 12, 2021), <a href="https://www.computerweekly.com/news/252494669/Covid-19-has-led-to-a-25-increase-in-health-app-downloads-research-shows">https://www.computerweekly.com/news/252494669/Covid-19-has-led-to-a-25-increase-in-health-app-downloads-research-shows</a> (finding that COVID-19 has led to a 25% increase in health app
downloads); Jasmine Pennic, U.S. Telemedicine App Downloads Spikes
During COVID-19 Pandemic, HIT Consultant (Sept. 8, 2020), <a href="https://hitconsultant.net/2020/09/08/u-s-telemedicine-app-downloads-spikes-during-covid-19-pandemic/">https://hitconsultant.net/2020/09/08/u-s-telemedicine-app-downloads-spikes-during-covid-19-pandemic/</a> (``US telemedicine app downloads see
dramatic increases during the COVID-19 pandemic, with some seeing an
8,270% rise YoY.'').
---------------------------------------------------------------------------
In May 2020, the Commission announced its regular, ten-year review
of the Rule and requested public comments about potential Rule
changes.\17\ The Commission requested comment on, among other things,
whether changes should be made to the Rule in light of technological
changes, such as the proliferation of apps and similar technologies.
The Commission received 26 public comments.
---------------------------------------------------------------------------
\17\ 85 FR 31085 (May 22, 2020).
---------------------------------------------------------------------------
Many of the commenters encouraged the Commission to clarify that
the Rule applies to apps and similar technologies.\18\ In fact, no
commenter opposed this type of clarification regarding the Rule's
coverage of health apps. Several commenters pointed out examples of
health apps that have abused users' privacy, such as by disclosing
sensitive health information without consent.\19\ Several commenters
noted the urgency of this issue, as consumers have further embraced
digital health technologies during the COVID-19 pandemic.\20\
Commenters argued that the Commission should take additional steps to
protect unsecured PHR identifiable health information that is not
covered by HIPAA, both to prevent harm to consumers \21\ and to
[[Page 37821]]
level the competitive playing field among companies dealing with the
same health information.\22\ To that end, commenters not only urged the
Commission to revise the Rule, but also to increase its enforcement
efforts.\23\
---------------------------------------------------------------------------
\18\ E.g., Amer. Health Info. Mgmt. Ass'n (``AHIMA'') at 2;
Kaiser Permanente at 3; Allscripts at 3; Amer. Acad. of
Ophthalmology at 2; All. for Nursing Informatics at 2; Amer. Med.
Ass'n (``AMA'') at 4; Amer. College of Surgeons at 6; Physicians'
Elec. Health Record Coal. (``PEHRC'') at 4 (``Apps that collect
health information, regardless of whether or not they connect to an
EHR, must be regulated by the FTC Health Breach Notification Rule to
ensure the safety and security of personal health information.'');
America's Health Ins. Plans (``AHIP'') and Blue Cross Blue Shield
Ass'n (``BCBS'') at 2; The App Ass'n's Connected Health Initiative
(``CHI'') at 3.
\19\ Kaiser Permanente at 7; The Light Collective at 2; Amer.
Acad. of Ophthalmology at 2; Healthcare Info. and Mgmt. Sys. Soc'y
(``HIMSS'') and the Personal Connected Health All. (``PCH
Alliance'') at 3; PEHRC at 2-3.
\20\ Lisa McKeen at 2-3; Kaiser Permanente at 7-8; AMA at 3;
Off. of the Att'y Gen. for the State of Cal. (``OAG-CA'') at 4.
\21\ Georgia Morgan; Amer. Acad. of Ophthalmology at 2-3
(arguing that the breach of health information held by a non-HIPAA-
covered app, for example, harms the patient-provider relationship,
because the patient erroneously believes that the provider is the
source of the breach); CHIME at 3 (arguing that apps' privacy
practices impact the patient-provider relationship because providers
do not know what technologies are sufficiently trustworthy for their
patients); AMA at 2-3 (expressing concern that patients share less
health data with health care providers, perhaps because of
``spillover from privacy and security breaches'').
\22\ Kaiser Permanente at 2, 4; Workgroup for Electronic Data
Interchange (``WEDI'') at 2; AHIP & BCBS at 3 (``[HIPAA] covered
entities, such as health plans, that use or disclose protected
health information should not be subject to stricter notification
requirements than those imposed on vendors of personal health
records or other such entities. Otherwise, the Federal government
will be providing market advantages to particular industry segments
with the effect of dampening competition and harming consumers.'').
\23\ Kaiser Permanente at 3, 4; Fred Trotter at 1; Casey Quinlan
at 1; CARIN All. at 2. At the time of this Notice, the Commission
has brought two enforcement actions under the Rule; the first
against digital health company GoodRx Holdings, Inc., and the second
against an ovulation-tracking mobile app marketed under the name
``Premom'' and developed by Easy Healthcare, Inc. U.S. v. GoodRx
Holdings, Inc., Case No. 23-cv-460 (N.D. Cal. 2023), <a href="https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc">https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc</a>; U.S. v. Easy Healthcare Corporation, Case No. 1:23-cv-
3107 (N.D. Ill. 2023), <a href="https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v">https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v</a>.
---------------------------------------------------------------------------
1. The Commission's 2021 Policy Statement
On September 15, 2021, the Commission issued a Policy Statement
providing guidance on the scope of the Rule. The Policy Statement
clarified that the Rule covers most health apps and similar
technologies that are not covered by HIPAA.\24\ The Rule defines a
``personal health record'' as ``an electronic record of PHR
identifiable health information on an individual that can be drawn from
multiple sources and that is managed, shared, and controlled by or
primarily for the individual.'' \25\ As the Commission explained in the
Policy Statement, many makers and purveyors of health apps and other
connected devices are vendors of personal health records covered by the
Rule because their products are electronic records of PHR identifiable
health information.
---------------------------------------------------------------------------
\24\ Statement of the Commission on Breaches by Health Apps and
Other Connected Devices, Fed. Trade Comm'n (Sept. 15, 2021), <a href="https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf">https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf</a> (``Policy Statement'').
\25\ 16 CFR 318.2(d).
---------------------------------------------------------------------------
The Commission explained that PHR identifiable health information
includes individually identifiable health information created or
received by a health care provider,\26\ and that ``health care
providers'' include any entities that ``furnish[] health care services
or supplies.'' \27\ Because these health app purveyors furnish health
care services to their users through the mobile applications they
provide, the information held in the app is PHR identifiable health
information, and therefore many app makers likely qualify as vendors of
personal health records.\28\
---------------------------------------------------------------------------
\26\ Id. 318.2(e).
\27\ Id. 318.2(e); 42 U.S.C. 1320d(6), d(3).
\28\ See Policy Statement at 1.
---------------------------------------------------------------------------
The Policy Statement further explained that the statute directing
the FTC to promulgate the Rule requires that a ``personal health
record'' be an electronic record that can be drawn from multiple
sources.\29\ Accordingly, health apps and similar technologies likely
qualify as personal health records covered by the Rule if they are
capable of drawing information from multiple sources. The Commission
further clarified that health apps and other products experience a
``breach of security'' under the Rule when they disclose users'
sensitive health information without authorization; \30\ a breach is
``not limited to cybersecurity intrusions or nefarious behavior.'' \31\
---------------------------------------------------------------------------
\29\ The Policy Statement provided this example: ``[I]f a blood
sugar monitoring app draws health information only from one source
(e.g., a consumer's inputted blood sugar levels), but also takes
non-health information from another source (e.g., dates from your
phone's calendar), it is covered under the Rule.'' Id. at 2.
\30\ 16 CFR 318.2(a).
\31\ Policy Statement at 2; 74 FR 42967 (Commentary to 2009
Final Rule) (``On a related issue, the final rule provides that a
breach of security means acquisition of information without the
authorization `of the individual.' Some commenters raised questions
about how the extent of individual authorization should be
determined. For example, if a privacy policy contains buried
disclosures describing extensive dissemination of consumers' data,
could consumers be said to have authorized such dissemination?
The Commission believes that an entity's use of information to
enhance individuals' experience with their PHR would be within the
scope of the individuals' authorization, as long as such use is
consistent with the entity's disclosures and individuals' reasonable
expectations. Such authorized uses could include communication of
information to the consumer, data processing, or Web design, either
in-house or through the use of service providers. Beyond such uses,
the Commission expects that vendors of personal health records and
PHR related entities would limit the sharing of consumers'
information, unless the consumers exercise meaningful choice in
consenting to such sharing.'') (citations omitted).
---------------------------------------------------------------------------
2. Enforcement History
In 2023, the Commission has brought its first enforcement actions
under the Rule against vendors of personal health records. In February
2023, the Commission brought its first enforcement action alleging a
violation of the Rule against GoodRx Holdings, Inc. (``GoodRx''), a
digital health company that sells health-related products and services
directly to consumers, including prescription medication discount
products and telehealth services through its website and mobile
applications.\32\
---------------------------------------------------------------------------
\32\ U.S. v. GoodRx Holdings, Inc., Case No. 23-cv-460 (N.D.
Cal. 2023), <a href="https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc">https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc</a>.
---------------------------------------------------------------------------
In its complaint, the Commission alleged that between 2017 and
2020, GoodRx as a vendor of personal health records, disclosed more
than 500 consumers' unsecured PHR identifiable health information to
third party advertising platforms like Facebook and Google, without the
authorization of those consumers. As charged in the complaint, these
disclosures violated explicit privacy promises the company made to its
users about its data sharing practices (including about its sharing of
PHR identifiable health information). The Commission alleged that
GoodRx broke these promises and disclosed its users' prescription
medications and personal health conditions, personal contact
information, and unique advertising and persistent identifiers. The
Commission charged GoodRx with violating the Rule by failing to provide
the required notifications, as prescribed by the Rule, to (1)
individuals whose unsecured PHR identifiable health information was
acquired by an unauthorized person, (2) to the Federal Trade
Commission, or (3) to media outlets. 16 CFR 318.3-6. The Commission
entered into a settlement that, among other injunctive relief, required
GoodRx to pay a $1.5 million civil penalty for its violation of the
Rule.\33\
---------------------------------------------------------------------------
\33\ In addition, the Commission alleged that GoodRx's data
sharing practices were deceptive and unfair, in violation of Section
5 of the FTC Act.
---------------------------------------------------------------------------
Similarly, on May 17, 2023, the Commission brought its second
enforcement action under the Rule against Easy Healthcare Corporation
(``Easy Healthcare''), a company that publishes an ovulation and period
tracking mobile application called Premom, which allows its users to
input and track various types of health and other sensitive data.
Similar to the conduct alleged against GoodRx, Easy Healthcare
disclosed PHR identifiable health information to third party companies
such as Google and AppsFlyer, contrary to its privacy promises, and did
not comply with the Rule's notification requirements. The
[[Page 37822]]
Commission entered into a settlement that, among other injunctive
relief, required Easy Healthcare to pay a $100,000 civil penalty for
its violation of the Rule.\34\
---------------------------------------------------------------------------
\34\ U.S. v. Easy Healthcare Corporation, Case No. 1:23-cv-3107
(N.D. Ill. 2023), <a href="https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v">https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v</a>.
---------------------------------------------------------------------------
3. Summary of Proposed Rule Changes
Having considered the public comments, described in further detail
below, and its Policy Statement, the Commission now proposes to revise
the Rule, 16 CFR part 318, in seven ways.
<bullet> First, the Commission proposes to revise several
definitions in order to clarify the Rule and better explain its
application to health apps and similar technologies not covered by
HIPAA. Consistent with this objective, the proposed Rule would modify
the definition of ``PHR identifiable health information'' and add two
new definitions (``health care provider'' and ``health care services or
supplies''). These changes are consistent with a number of public
comments supporting the Rule's coverage of these technologies.
<bullet> Second, the Commission proposes to revise the definition
of breach of security to clarify that a breach of security includes an
unauthorized acquisition of PHR identifiable health information in a
personal health record that occurs as a result of a data security
breach or an unauthorized disclosure.
<bullet> Third, the Commission proposes to revise the definition of
PHR related entity in two ways. Consistent with its clarification that
the Rule applies to health apps, the Commission first proposes
clarifying the definition of ``PHR related entity'' to make clear that
the Rule covers entities that offer products and services through the
online services, including mobile applications, of vendors of personal
health records. In addition, the Commission proposes revising the
definition of ``PHR related entity'' to provide that entities that
access or send unsecured PHR identifiable health information to a
personal health record--rather than entities that access or send any
information to a personal health record--are PHR related entities.
<bullet> Fourth, the Commission proposes to clarify what it means
for a personal health record to draw PHR identifiable health
information from multiple sources.
<bullet> Fifth, in response to public comments expressing concern
that mailed notice is costly and not consistent with how consumers
interact with online technologies like health apps, the Commission
proposes to revise the Rule to authorize electronic notice in
additional circumstances. Specifically, the proposed Rule would adjust
the language in the ``method of notice section'' and add a new
definition of the term ``electronic mail.'' The proposed Rule also
requires that any notice delivered by electronic mail be ``clear and
conspicuous,'' a newly defined term, which aligns closely with the
definition of ``clear and conspicuous'' codified in the FTC's Financial
Privacy Rule.\35\
---------------------------------------------------------------------------
\35\ 16 CFR 313.3(b). The FTC's Financial Privacy Rule requires
financial institutions to provide particular notices and to comply
with certain limitations on disclosure of nonpublic personal
information. Using a comprehensive definition of ``clear and
conspicuous'' that is based on the Financial Privacy Rule definition
aims to ensure consistency across the Commission's privacy-related
rules.
---------------------------------------------------------------------------
<bullet> Sixth, the proposed Rule would expand the required content
of the notice to individuals, to require that consumers whose unsecured
PHR identifiable information has been breached receive additional
important information, including information regarding the potential
for harm from the breach and protections that the notifying entity is
making available to affected consumers. In addition, the proposed Rule
would include exemplar notices, which entities subject to the Rule
could use to notify consumers in terms that are easy to understand.
<bullet> Seventh, in response to public comments, the Commission
proposes to make a number of changes to improve the Rule's readability.
Specifically, the Commission proposes to include explanatory
parentheticals for internal cross-references, add statutory citations
in relevant places, consolidate notice and timing requirements in
single sections, respectively, of the Rule, and add a new section that
plainly states the penalties for non-compliance.
Finally, this Notice also includes a section discussing several
alternatives the Commission considered but is not proposing. Although
the Commission has not put forth any proposed modifications on those
issues, the Commission nonetheless seeks public comment on them.
The Commission believes that the proposed changes are consistent
with the language and intent of the Recovery Act, will address the
concerns raised by the public comments, and will ensure that the Rule
remains relevant in the face of changing business practices and
technological developments. The Commission invites comment on the
proposed rule revisions generally and on the specific issues outlined
through section III. Written comments must be received on or before
August 8, 2023.
II. Analysis of the Proposed Rule
The following discussion analyzes the proposed changes to the Rule.
1. Clarification of Entities Covered
The Commission proposes revisions to clarify the Rule's treatment
of health apps and similar technologies not covered by HIPAA. As the
Commission's Policy Statement makes clear, many health apps and similar
technologies not covered by HIPAA are covered by the FTC's existing
Rule. To ensure that entities covered by the Rule understand their
obligations under the Rule, the Commission is proposing changes to
clarify that mobile health applications are covered by the Rule, giving
important guidance to the marketplace on the Rule's scope. To
accomplish this objective, the Commission proposes several changes to
Sec. 318.2, which defines key terms in the Rule. Commenters broadly
support the Rule covering health apps and similar technologies.\36\
---------------------------------------------------------------------------
\36\ See supra note 18.
---------------------------------------------------------------------------
First, consistent with one commenter's recommendation,\37\ the
Commission proposes revising ``PHR identifiable information'' to import
language from section 1171(6) of the Social Security Act, 42 U.S.C.
1320d(6), which is included in the current Rule only by cross-reference
to that statute.\38\ This revision is not substantive and is being
proposed to improve readability.
---------------------------------------------------------------------------
\37\ See Lisa McKeen at 5.
\38\ The HBN Rule, as currently drafted, defines ``PHR
identifiable health information ''as`` individually identifiable
health information,'' as defined in section 1171(6) of the Social
Security Act (42 U.S.C. 1320d(6)), and, with respect to an
individual, information: (1) That is provided by or on behalf of the
individual; and (2) That identifies the individual or with respect
to which there is a reasonable basis to believe that the information
can be used to identify the individual. See 16 CFR 318.2(e). Section
1171(6) of the Social Security Act (42 U.S.C. 1320d(6)) states:
``The term `individually identifiable health information' means any
information, including demographic information collected from an
individual, that--
(A) is created or received by a health care provider, health
plan, employer, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental
health or condition of an individual, the provision of health care
to an individual, or the past, present, or future payment for the
provision of health care to an individual, and--
(i) identifies the individual; or
(ii) with respect to which there is a reasonable basis to
believe that the information can be used to identify the
individual.''
---------------------------------------------------------------------------
As revised, ``PHR identifiable information'' would be defined as
information (1) that is provided by or on behalf of the individual; (2)
that
[[Page 37823]]
identifies the individual or with respect to which there is a
reasonable basis to believe that the information can be used to
identify the individual; (3) relates to the past, present, or future
physical or mental health or condition of an individual, the provision
of health care to an individual, or the past, present, or future
payment for the provision of health care to an individual; and (4) is
created or received by a health care provider, health plan (as defined
in 42 U.S.C. 1320d(5)), employer, or health care clearinghouse (as
defined in 42 U.S.C. 1320d(2)).
The Commission believes that this definition covers traditional
health information (such as diagnoses or medications), health
information derived from consumers' interactions with apps and other
online services (such as health information generated from tracking
technologies employed on websites or mobile applications or from
customized records of website or mobile application interactions),\39\
as well as emergent health data (such as health information inferred
from non-health-related data points, such as location and recent
purchases).\40\ The Commission requests comment as to whether any
further amendment of the definition is needed to clarify the scope of
data covered.
---------------------------------------------------------------------------
\39\ In the Matter of Flo Health, Inc., FTC File No. 1923133
(June 22, 2021), <a href="https://www.ftc.gov/system/files/documents/cases/192_3133_flo_health_complaint.pdf">https://www.ftc.gov/system/files/documents/cases/192_3133_flo_health_complaint.pdf</a>; U.S. v. GoodRx Holdings, Inc.,
Case No. 23-cv-460 (N.D. Cal. 2023), <a href="https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc">https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc</a>.; In
the Matter of BetterHelp, Inc., FTC File No. 2023169 (March 2,
2023), <a href="https://www.ftc.gov/legal-library/browse/cases-proceedings/2023169-betterhelp-inc-matter">https://www.ftc.gov/legal-library/browse/cases-proceedings/2023169-betterhelp-inc-matter</a> (proposed complaint and order); U.S.
v. Easy Healthcare Corporation, Case No. 1:23-cv-3107 (N.D. Ill.
2023), <a href="https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v">https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v</a>.; See also U.S. Dep't of
Health & Human Servs., Use of Online Tracking Technologies by HIPAA
Covered Entities and Business Associates (Dec. 1, 2022), <a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html">https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html</a>.
\40\ See e.g., Mason Marks, Emergent Medical Data: Health
Information Inferred by Artificial Intelligence, 11 UC Irvine L.
Rev. 995 (2021), <a href="https://scholarship.law.uci.edu/cgi/viewcontent.cgi?article=1501&context=ucilr">https://scholarship.law.uci.edu/cgi/viewcontent.cgi?article=1501&context=ucilr</a>.
---------------------------------------------------------------------------
The proposed Rule also defines a new term, ``health care
provider,'' in a manner similar to the definition of ``health care
provider'' found in 42 U.S.C. 1320d(3) (and referenced in 1320d(6)).
Specifically, the proposed Rule defines ``health care provider'' to
mean a provider of services (as defined in 42 U.S.C. 1395x(u) \41\), a
provider of medical or other health services (as defined in 42 U.S.C.
1395x(s)), or any other entity furnishing health care services or
supplies.
---------------------------------------------------------------------------
\41\ Under 42 U.S.C. 1395x(u), the term ``provider of services''
means a hospital, critical access hospital, rural emergency
hospital, skilled nursing facility, comprehensive outpatient
rehabilitation facility, home health agency, hospice program, or,
for purposes of section 1395f(g) and section 1395n(e) of this title,
a fund.
---------------------------------------------------------------------------
The proposed Rule adds a new definition for the term ``health care
services or supplies'' to include any online service, such as a
website, mobile application, or internet-connected device that provides
mechanisms to track diseases, health conditions, diagnoses or
diagnostic testing, treatment, medications, vital signs, symptoms,
bodily functions, fitness, fertility, sexual health, sleep, mental
health, genetic information, diet, or that provides other health-
related services or tools.\42\ The Commission's proposed definition of
``health care services and supplies'' is based on a number of factors,
including the Commission's institutional knowledge, expertise, and law
enforcement experience in health data technology. This definition is
designed to reflect the current state of technology for health apps and
connected devices, as well as emerging technological capabilities that
the Commission has observed through its investigatory, enforcement, and
policy work.
---------------------------------------------------------------------------
\42\ See Joint Statement of Commissioner Rohit Chopra and
Commissioner Rebecca Kelly Slaughter, Concurring in Part, Dissenting
in Part, In the Matter of Flo Health, Inc., FTC File No. 1923133
(Jan. 13, 2021), <a href="https://www.ftc.gov/system/files/documents/public_statements/1586018/20210112_final_joint_rcrks_statement_on_flo.pdf">https://www.ftc.gov/system/files/documents/public_statements/1586018/20210112_final_joint_rcrks_statement_on_flo.pdf</a> (``The FTC's Health
Breach Notification Rule covers (a) health care providers that (b)
store unsecured, personally identifiable health information that (c)
can be drawn from multiple sources, and the rule is triggered when
such entities experience a `breach of security.' See 16 CFR 318.
Under the definitions cross-referenced by the Rule, Flo--which
markets itself as a `health assistant'--is a `health care provider,'
in that it `furnish[es] health care services and supplies.' See 16
CFR 318.2(e); 42 U.S.C. 1320d(6), d(3).'').
---------------------------------------------------------------------------
These changes clarify that developers of health apps and similar
technologies providing these types of ``health care services or
supplies'' qualify as ``health care providers'' under the Rule.
Accordingly, any individually identifiable health information these
products collect or use would constitute ``PHR identifiable health
information'' covered by the Rule. These changes also clarify that
mobile health applications, therefore, are a ``personal health record''
covered by the Rule (as long as other conditions set forth in the
definition of ``personal health record'' are met) and accordingly the
developers of such applications are ``vendors of personal health
records.'' \43\ The proposed definition of ``health care services or
supplies'' clarifies the Rule's scope in two ways. First, it makes
clear that the Rule applies generally to online services, including
websites, apps, and internet-connected devices that provide health care
services or supplies. Second, it illustrates that the Rule covers
online services related not only to medical issues (by including in the
definition terms such as ``diseases, diagnoses, treatment,
medications'') but also wellness issues (by including in the definition
terms such as fitness, sleep, and diet). The Commission intends to
ensure app developers understand their notice obligations, even if an
app is positioned as a ``wellness'' product rather than a ``health''
product.
---------------------------------------------------------------------------
\43\ The mobile health applications covered as ``vendors of
personal health records'' under the Rule are distinct from the
``online applications'' referenced in footnote 78 of the 2009
Statement of Basis and Purpose as ``PHR related entities.'' Footnote
78 from the 2009 Statement of Basis and Purpose states that PHR
related entities include ``online applications through which
individuals connect their blood pressure cuffs, blood glucose
monitors, or other devices'' so they can track the results through
their personal health records. See 74 FR 42962, 42969 n.78 (2009).
Footnote 78 refers narrowly to online applications that collect
health information from a single source and transfer it to a
personal health record maintained separate and apart from the PHR
related entity by the PHR vendor. In other words, a PHR related
entity sends health information to a personal health record which
the PHR related entity does not itself maintain.
---------------------------------------------------------------------------
The Commission's proposed changes are consistent with the public
comments, which recommended the Rule cover health apps and similar
technologies.\44\ In revising and adding these definitions, Commission
staff also sought informal input from staff at the Federal agencies
that interpret or enforce the referenced statutory provision, 42 U.S.C.
1320d, including staff at HHS. The Commission's definition of ``health
care provider'' differs from, but does not contradict, the definitions
or interpretations adopted by HHS.\45\ The Commission's proposed
definition is consistent with the statutory scheme established by
Congress to regulate non-HIPAA covered entities and within the agency's
discretion in administering the Rule.
---------------------------------------------------------------------------
\44\ See supra note 18.
\45\ Although in other contexts HHS has defined the term
``health care provider'' based upon a more limited understanding of
that term (e.g., referring primarily to persons and entities such as
doctors, clinics, psychologists, dentists, chiropractors, nursing
homes, and pharmacies), its definition does not contradict or
preclude an interpretation of the referenced statutory provision, 42
U.S.C. 1320d, that encompasses developers of health applications and
similar technologies.
---------------------------------------------------------------------------
Topics on Which the Commission Seeks Public Comment
The Commission seeks comment as to whether these changes
sufficiently clarify the Rule's application to
[[Page 37824]]
purveyors of health apps and similar technologies that are not covered
by HIPAA. The Commission also seeks comment as to whether the proposed
rule, as explained here, makes clear to the market which entities are
covered by the Rule and under what circumstances. As the Commission has
explained, the Rule is intended to cover developers and purveyors of
health apps and internet-connected health devices, such as fitness
trackers, that are not covered by HIPAA. The Commission seeks comment
as to whether the proposed changes and added definitions would apply to
entities that offer other technologies and, if so, whether these
definitions include appropriate distinctions. If the scope should be
limited, the Commission seeks comment as to how that limitation could
be effected through the Rule's language, consistent with the language
and purpose of the Recovery Act. The Commission seeks comment on
defining ``health care provider'' in a manner that is broader than a
more limited definition of that term used in other contexts (e.g.,
referring primarily to persons and entities such as doctors, clinics,
psychologists, dentists, chiropractors, nursing homes, and pharmacies
\46\). And, finally, the Commission seeks comment on the definition of
``healthcare services or supplies,'' including whether any
modifications should be made to this definition.
---------------------------------------------------------------------------
\46\ See, e.g., U.S. Dep't of Human Servs., Guidance on Covered
Entities and Business Associates (June 16, 2017), <a href="https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html">https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html</a>
(listing these persons/entities as examples of health care
providers).
---------------------------------------------------------------------------
2. Clarification Regarding Types of Breaches Subject to the Rule
The Commission proposes a definitional change to clarify that a
breach of security under the Rule encompasses unauthorized acquisitions
that occur as a result of a data breach or an unauthorized disclosure.
The current Rule defines ``breach of security'' as the acquisition of
unsecured PHR identifiable health information of an individual in a
personal health record without the authorization of the individual.\47\
This language mirrors the definition of ``breach of security'' in
section 13407(f)(1) of the Recovery Act. The current Rule also includes
a rebuttable presumption for unauthorized access to an individual's
data. It states that when there is unauthorized access to data,
unauthorized acquisition will be presumed unless the entity that
experienced the breach ``has reliable evidence showing that there has
not been, or could not reasonably have been, unauthorized acquisition
of such information.'' \48\
---------------------------------------------------------------------------
\47\ 16 CFR 318.2(a).
\48\ 16 CFR 318.2(a).
---------------------------------------------------------------------------
The Commission's proposed changes are consistent with the plain
language of the current Rule and the Recovery Act definition of
``breach of security.'' \49\ Additionally, the Commission's Policy
Statement makes clear that ``[i]ncidents of unauthorized access,
including sharing of covered information without an individual's
authorization, triggers notification obligations under the Rule,'' and
that a breach ``is not limited to cybersecurity intrusions or nefarious
behavior.'' \50\ Further, recent Commission enforcement actions against
GoodRx and Easy Healthcare also make clear that the Rule covers
unauthorized disclosures of consumers' PHR identifiable health
information to third party companies. The Commission's proposed changes
also are consistent with public comments, which urged the Commission to
clarify what constitutes an unauthorized acquisition under the
Rule.\51\
---------------------------------------------------------------------------
\49\ The commentary to the current Rule already provides
guidance on the types of disclosures that the Commission considers
to be ``unauthorized.'' For instance, it states: ``Given the highly
personal nature of health information, the Commission believes that
consumers would want to know if such information was read or shared
without authorization.'' It further states that data sharing to
enhance consumers' experience with a PHR is authorized only ``as
long as such use is consistent with the entity's disclosures and
individuals' reasonable expectations'' and that ``[b]eyond such
uses, the Commission expects that vendors of personal health records
and PHR related entities would limit the sharing of consumers'
information, unless the consumers exercise meaningful choice in
consenting to such sharing. Buried disclosures in lengthy privacy
policies do not satisfy the standard of `meaningful choice.' '' 74
FR 42967.
\50\ Policy Statement at 2.
\51\ See AMA at 5-6 (``The FTC should define `unauthorized
access' as presumed when entities fail to disclose to individuals
how they access, use, process, and disclose their data and for how
long data are retained. Specifically, an entity should disclose to
individuals exactly what data elements it is collecting and the
purpose for their collection''; ``[T]he FTC should define
`unauthorized access' as presumed when an entity fails to disclose
to an individual the specific secondary recipients of the
individual's data.''); Amer. Med. Informatics Ass'n (``AMIA'') at 2
(recommending that the FTC ``[e]xpand on the concept of
`unauthorized access' under the definition of `Breach of security,'
to be presumed when a PHR or PHR related entity fails to adequately
disclose to individuals how user data is accessed, processed, used,
reused, and disclosed.''); OAG-CA at 5-6 (urging the FTC to include
``impermissible acquisition, access, use, disclosure'' under the
definition of breach.).
---------------------------------------------------------------------------
Accordingly, consistent with the Recovery Act definition, the
Policy Statement, FTC enforcement actions under the Rule, and public
comments received, the Commission proposes amending the definition of
``breach of security'' in Sec. 318.2(a) by adding the following
sentence to the end of the existing definition: ``A breach of security
includes an unauthorized acquisition of unsecured PHR identifiable
health information in a personal health record that occurs as a result
of a data breach or an unauthorized disclosure.'' The proposed
definition is intended to make clear to the marketplace that a breach
includes an unauthorized acquisition of identifiable health information
that occurs as a result of a data breach or an unauthorized disclosure,
such as a voluntary disclosure made by the PHR vendor or PHR related
entity where such disclosure was not authorized by the consumer.
Topics on Which the Commission Seeks Public Comment
The Commission seeks comment on (1) whether this addition to the
definition of ``breach of security'' is necessary, given that the
definition in the current Rule already encompasses unauthorized
acquisitions beyond security breaches, and (2) whether the proposed
definitional change sufficiently clarifies for the marketplace the
Rule's coverage.
3. Revised Scope of PHR Related Entity
The Commission also proposes revising the definition of ``PHR
related entity'' in two ways that pertain to the Rule's scope.
Currently, the Rule defines ``PHR related entity'' to mean an entity,
other than a HIPAA-covered entity or a business associate of a HIPAA-
covered entity, that: (1) offers products or services through the
website of a vendor of personal health records; (2) offers products or
services through the websites of HIPAA-covered entities that offer
individuals personal health records; or (3) accesses information in a
personal health record or sends information to a personal health
record.\52\
---------------------------------------------------------------------------
\52\ 16 CFR 318.2(f).
---------------------------------------------------------------------------
First, the Commission proposes language to clarify that PHR related
entities include entities offering products and services not only
through the websites of vendors of personal health records, but also
through any online service, including mobile applications. Commenters
urged this change because websites are no longer the only means through
which consumers access health information online.\53\ To the contrary,
online
[[Page 37825]]
services such as apps are equally relevant to consumers' online
experiences with health information.
---------------------------------------------------------------------------
\53\ See, e.g., AHIMA at 2 (``[W]e also recommend that the
Commission consider updating the existing definition of a `PHR-
related entity' [sic] at 318.2(f) as 318.2(f)(1) and 318.2(f)(2)
appear to focus primarily on products and services offered through a
vendor's website and may not be entirely reflective of today's
environment as new platforms and related services are increasingly
deployed and adopted.''; Amer. Acad. of Ophthalmology at 3-4
(recommending that the definition cover apps); PEHRC at 4 (same).
---------------------------------------------------------------------------
Second, the Commission proposes to revise the third prong of the
definition so that only entities that access or send unsecured PHR
identifiable health information to a personal health record--rather
than entities that access or send any information to a personal health
record--qualify as PHR related entities. This change--from any
information to unsecured PHR identifiable health information--is
intended to eliminate potential confusion about the Rule's breadth and
promote compliance by narrowing the scope of entities that qualify as
PHR related entities.\54\
---------------------------------------------------------------------------
\54\ The revised definition would state that a PHR related
entity is an entity, other than a HIPAA-covered entity or an entity
to the extent that it engages in activities as a business associate
of a HIPAA-covered entity, that (1) offers products or services
through the website, including any online service, of a vendor of
personal health records; (2) offers products or services through the
websites, including any online services, of HIPAA-covered entities
that offer individuals personal health records; or (3) accesses
unsecured PHR identifiable health information in a personal health
record or sends unsecured PHR identifiable health information to a
personal health record. Although the Rule is only triggered when
there is a breach of security involving unsecured PHR identifiable
health information, the Commission nevertheless believes there is a
benefit to revising the third prong of PHR related entity to make
clear that only entities that access or send unsecured PHR
identifiable health information to a personal health record--rather
than entities that access or send any information to a personal
health record--are PHR related entities. Otherwise, under the Rule's
current formulation, many entities could be a PHR related entity
under the definition's third prong and such entities would then, in
the event of a breach, need to analyze whether they experienced a
reportable breach under the Rule. If an entity, per this proposed
revision, does not qualify as a PHR related entity in the first
place, there is no need to consider whether it experienced a
reportable breach.
---------------------------------------------------------------------------
As the Rule is currently drafted, for example, a grocery delivery
service that integrates with a diet and fitness app could arguably be
considered a PHR related entity when the grocery delivery service sends
information about food purchases to the diet and fitness app. This
expansive reading of the Rule is not consistent with the purposes of
the statute or the Commission's intent when it drafted the Rule. The
Commission believes that a more appropriate interpretation of the term
PHR related entity encompasses entities that access unsecured PHR
identifiable health information in a personal health record or send
unsecured PHR identifiable health information to a personal health
record. Remote blood pressure cuffs, connected blood glucose monitors,
and fitness trackers are all examples of devices that could qualify as
a PHR related entity when individuals sync them with a personal health
record (i.e., mobile health application).\55\
---------------------------------------------------------------------------
\55\ For example, the maker of a wearable fitness tracker may be
both a vendor of personal health records (to the extent that its
tracker interfaces with its own app, which also accepts consumer
inputs) and a PHR related entity (to the extent that it sends
information to another company's health app). Regardless of whether
the maker of the fitness tracker is a vendor of personal health
records or a PHR related entity, its notice obligations are the
same: it must notify individuals, the FTC, and in some case, the
media, of a breach. 16 CFR 318.3(a), 318.5(b).
---------------------------------------------------------------------------
As a result of this proposed change, a firm that performs
attribution and analytics services for a health app might be considered
both a PHR related entity (to the extent it accesses unsecured PHR
identifiable health information in a personal health record) and a
third party service provider. This overlap could create competing
notice obligations, where, in the event of a breach, the firm would be
required to notify individuals and the FTC (per Sec. 318.3's notice
requirements for PHR related entities) and notify the vendor of the
personal health record (per Sec. 318.3's notice requirements for third
party service providers).
The Commission does not intend this result. Instead, the Commission
considers firms that perform services such as attribution and analytics
for apps and technologies providing healthcare services and supplies to
be third party service providers. Such service providers must notify
the health app developers for whom they provide services, who in turn
would notify affected individuals.\56\ Otherwise, treating such service
providers as PHR related entities would create a problematic result for
the consumer, who would receive notice from an unfamiliar company. To
clarify this issue, the Commission proposes to revise Sec. 318.3(b) by
adding that a third party service provider is not rendered a PHR
related entity when it accesses unsecured PHR identifiable health
information in the course of providing services.
---------------------------------------------------------------------------
\56\ In attempting to help distinguish between PHR related
entities and third party service providers, the Commission offers
the following observation: in most cases, third party service
providers are likely to be non-consumer facing. Thus, examples of
PHR related entities include, as noted above, fitness trackers and
health monitors when consumers sync them with a mobile health app.
Examples of third party service providers include entities that
provide support or administrative functions to vendors of personal
health records and PHR related entities.
---------------------------------------------------------------------------
Moreover, this result will create incentives for responsible data
stewardship and for de-identification. Specifically, PHR vendors will
have incentives to select and retain service providers, such as those
that perform services such as attribution or analytics for apps,
capable of treating data responsibly (e.g., not engaging in any onward
disclosures of data that could result in a reportable breach) and
incentives to oversee their service providers to ensure ongoing
responsible data stewardship (which would avoid a breach). Further, it
will create incentives for PHR vendors to avoid breaches by service
providers by de-identifying health information before sharing it with
any service provider, as de-identification would render the data no
longer PHR identifiable health information subject to the Rule.
a. Topics on Which the Commission Seeks Public Comment
The Commission seeks comment on whether additional changes to the
Rule would be necessary or helpful to clarify this result. The
Commission also requests comment on the following scenario: a third
party service provider, such as an analytics firm, receives PHR
identifiable health info (e.g., device identifier and geolocation data
from which health information about an individual can be inferred) and
then sells it to another entity without the consumer's authorization.
The Commission considers this to be a reportable breach, even if the
consumer consented to the original collection. In such a scenario, the
third party service provider would be required to notify the vendor of
personal health records or PHR related entity, who in turn would notify
affected individuals. The Commission requests comment on this approach,
including whether as a policy matter it is advisable under the Rule to
require a vendor of personal health records or PHR related entity to
notify its customers about such onward disclosures.
The Commission also seeks comment on the definition of ``PHR
related entity,'' including the scope. Conversely, the Commission seeks
comment as to whether, by limiting the third prong of the definition to
entities that access or send unsecured PHR identifiable health
information, the proposed definition is too narrow and would exclude
entities that should be required to notify consumers of breaches,
consistent with the Recovery Act. To assess this question of breadth,
the Commission requests comment on
[[Page 37826]]
what entities are (1) offering products or services through personal
health records such as apps; or (2) sending or accessing information,
including but not limited to identifiable health information, in health
apps and other personal health records. Finally, the Commission
requests comment on the potential overlap between the definitions of
``PHR related entity'' and ``third party service provider,'' and how to
sufficiently distinguish between them.
4. Clarification of What it Means for a Personal Health Record To Draw
Information From Multiple Sources
The Commission proposes revising the definition of ``personal
health record'' to clarify what it means for a personal health record
to draw information from multiple sources. Under the current Rule, a
personal health record is defined as an electronic record of PHR
identifiable health information that can be drawn from multiple sources
and that is managed, shared, and controlled by or primarily for the
individual.
Under the revised definition, a ``personal health record'' would be
defined as an electronic record of PHR identifiable health information
on an individual that has the technical capacity to draw information
from multiple sources and that is managed, shared, and controlled by or
primarily for the individual.\57\
---------------------------------------------------------------------------
\57\ One commenter specifically recommended that the definition
of PHR be broadened to ``to explicitly include any website, mobile
application, or other electronic record system that collects and
stores individually identifiable information, including health
information, even if it draws that information from a single
source.'' Kaiser Permanente at 3.
---------------------------------------------------------------------------
This change clarifies the application of the statutory definition
of a personal health record that can draw information from multiple
sources. Adding the phrase ``technical capacity to draw information''
serves several purposes. First, it clarifies that a product is a
personal health record if it can draw information from multiple
sources, even if the consumer elects to limit information from a single
source only, in a particular instance. For example, a depression
management app that accepts consumer inputs of mental health states and
has the technical capacity to sync with a wearable sleep monitor is a
personal health record, even if some customers choose not to sync a
sleep monitor with the app. Thus, whether an app qualifies as a
personal health record would not depend on the prevalence of consumers'
use of a particular app feature, like sleep monitor-syncing. Instead,
the analysis of the Rule's application would be straightforward: either
the app has the technical means (e.g., the application programming
interface or API) to draw information from multiple sources, or it does
not. Next, adding the phrase ``technical capacity to draw information''
would clarify that a product is a personal health record if it can draw
any information from multiple sources, even if it only draws health
information from one source. This change further clarifies the
Commission's interpretation of the Recovery Act, as explained in the
Policy Statement.\58\
---------------------------------------------------------------------------
\58\ Policy Statement at 2.
---------------------------------------------------------------------------
To illustrate the intended meaning of the proposed revisions to the
term ``personal health record,'' the Commission offers the example of
two non-HIPAA covered diet and fitness apps available for consumer
download in an app store. The proposed Rule makes clear that each is a
personal health record.
<bullet> Diet and Fitness App Y allows users to sync their app with
third-party wearable fitness trackers with the app. Diet and Fitness
App Y has the technical capacity to draw identifiable health
information both from the user (name, weight, height, age) and the
fitness tracker (user's name, miles run, heart rate), even if some
users elect not to connect the fitness tracker.
<bullet> Diet and Fitness App Y has the ability to pull information
from the user's phone calendar via the calendar API to suggest
personalized healthy eating options. Diet and Fitness App Y has the
technical capacity to draw identifiable health information from the
user (name, weight, height, age) and non-health information (calendar
entry info, location, and time zone) from the user's calendar.
a. Topics on Which the Commission Seeks Public Comment
The Commission seeks comment as to whether the proposed changes
sufficiently clarify the Rule's application to developers and purveyors
of products that have the technical capacity to draw information from
more than one source. In particular, the Commission invites comment on
its interpretation that an app is a personal health record because it
has the technical capacity to draw information from multiple sources,
even if particular users of the app choose not to enable the syncing
features. The Commission also requests comment about whether an app (or
other product) should be considered a personal health record even if it
only draws health information from one place (in addition to non-health
information drawn elsewhere); or only draws identifiable health
information from one place (in addition to non-identifiable health
information drawn elsewhere). The Commission also requests comment
about whether the Commission's bright-line rule (apps with the
``technical capacity to draw information'' are covered) should be
adjusted to take into account consumer use, such as where no consumers
(or only a de minimis number) use a feature. For example, an app might
have the technical capacity to draw information from multiple sources,
but its API is entirely or mostly unused, either because it remains a
Beta feature, has not been publicized, or is not popular. The
Commission also requests comment on the likelihood of such scenarios.
5. Facilitating Greater Opportunity for Electronic Notice
Fourth, the Commission proposes to authorize expanded use of email
and other electronic means of providing clear and effective notice of a
breach to consumers. Increasingly, consumers interact with vendors of
personal health records (and vice versa) solely online and communicate
primarily or exclusively through electronic means.
Currently, the Rule permits notice by either postal mail or, in
limited circumstances, email. The Rule provides that vendors of
personal health records or PHR related entities that discover a breach
of security must provide ``[w]ritten notice, by first-class mail to the
individual at the last known address of the individual, or by email, if
the individual is given a clear, conspicuous, and reasonable
opportunity to receive notification by first-class mail, and the
individual does not exercise that choice.'' \59\
---------------------------------------------------------------------------
\59\ 16 CFR 318.5(a)(1).
---------------------------------------------------------------------------
Several commenters noted the cost and inconvenience associated with
postal mail notice to companies and consumers alike.\60\ Several
commenters encouraged the Commission to update the methods of notice to
permit notice by electronic means.\61\ Commenters suggested that the
Commission revise the Rule to encourage different kinds of electronic
notice, including email, in-app messaging, and QR codes.\62\ For
example, one commenter stated that the Rule's notice requirement should
be
[[Page 37827]]
updated to permit notification by email or within an application,
including through such means as banner, ``pop-up,'' and clickthrough
notifications.\63\ This commenter also noted that an electronic
communication is more likely to be read by an individual who is using
an application, and is more cost effective.\64\ Another commenter urged
the Commission to increase the options for breach notification to
include email rather than certified mail as the only option.\65\ And
another commenter noted that in-app messaging, text messages, and
platform messaging are widely used tools and should be allowed to be
utilized to more effectively communicate with consumers that consent to
them.\66\ This commenter added that it is common sense that consumers
should be able to consent to receiving communications under the Rule
via these modalities as well as via email.\67\
---------------------------------------------------------------------------
\60\ Allscripts at 2; Bruce Grimm at 1; All. for Nursing
Informatics at 2; Anonymous, No. FTC-2020-0045-0005 at 1; CHI at 3;
CARIN All. at 2.
\61\ The App Ass'n's Connected Health Initiative (``CHI'') at 3;
CARIN All. at 2; Allscripts at 2; Bruce Grimm at 1; All. for Nursing
Informatics at 2.
\62\ Id.
\63\ Allscripts at 2.
\64\ Id.
\65\ All. for Nursing Informatics at 2.
\66\ CHI at 3.
\67\ Id.
---------------------------------------------------------------------------
The Commission recognizes that, as commenters noted, the
relationship between vendors of personal health records and PHR related
entities, on the one hand, and individuals takes place online and
increasingly via applications present on devices such as mobile phones
and tablets. These applications communicate with individuals by various
electronic means, including text, within-application message, and
email.
a. Notice via Electronic Mail
Accordingly, the Commission proposes to update this provision to
specify that vendors of personal health records or PHR related entities
that discover a breach of security must provide written notice at the
last known contact information of the individual and such written
notice may be sent by electronic mail, if an individual has specified
electronic mail as the primary contact method, or by first-class mail.
Authorizing entities to provide notice about a breach of security
by electronic mail is consistent with how consumers often receive other
communications from these entities and will align with consumers'
expectations. As a result, they are less likely to be ignored or viewed
as suspicious by individuals.
Consistent with this objective, the Commission proposes defining
``electronic mail'' to mean email in combination with one or more of
the following: text message, within-application messaging, or
electronic banner. The proposed Rule would facilitate more notice by
electronic mail. This new definition of electronic mail would ensure
that the notice is both (1) convenient and low-cost (because it is
electronic) and (2) unavoidable and consistent with the consumer's
relationship with the product. For example, if an app developer is
providing notice, it could send written notice by email and in-app
message, ensuring that the consumer receives notice in a manner
consistent with her experience with the app. Similarly, a website
operator could send written notice by email and an electronic banner on
the home page of its website. The two prongs of the definition would
ensure that a notifying entity cannot select a single form of
electronic notice that is unlikely to reach consumers--for example,
sending an in-app message alone to app users who do not frequently
check in-app notifications.
The goal of structuring the notice in two parts is to increase the
likelihood that consumers encounter the notice. Many individuals
routinely check email messages, making email a useful vehicle to
communicate a breach notification. However, some individuals do not
read email often, and these consumers under the proposed definition
would also receive notice via text, in-app, or banner notice, thereby
increasing the likelihood that they will encounter the breach
notification.
The Commission believes any notification delivered via electronic
mail should be clear and conspicuous. The proposed Rule defines ``clear
and conspicuous.'' Among other things, for a notice to be clear and
conspicuous, the notice must be reasonably understandable and designed
to call attention to the nature and significance of the information in
the notice. The proposed definition of ``clear and conspicuous''
closely tracks the definition of clear and conspicuous in the FTC's
Financial Privacy Rule.\68\
---------------------------------------------------------------------------
\68\ 16 CFR 313.3(b)(1).
---------------------------------------------------------------------------
Vendors of personal health records and PHR related entities must
obtain consumer consent prior to adopting ``electronic mail'' as their
notification method for affected individuals. The proposed Rule would
require that entities covered by the Rule may provide ``electronic
mail'' notifications if the individual user has specified electronic
mail as their primary method of communication with the entity. This is
consistent with section 13402 of the Recovery Act, which requires that
entities can only send notice by electronic mail ``if specified as a
preference by the individual.'' The Commission interprets this phrase
as allowing entities to send an email or in-app alert notifying their
users that they will receive breach notices by electronic mail and
offering them the opportunity to opt out of electronic mail
notification and instead receive notice by first class mail. The
proposed Rule also allows for notification by first-class mail where
electronic mail is not available.
b. Model Notice
To assist entities that are required to provide notice to
individuals under the Rule, the Commission has developed a model notice
that entities may use, in their discretion, to notify individuals. This
model notice is attached as Exhibit A to this Notice of Proposed
Rulemaking. The Commission invites comment on this model notice,
including: (1) whether the model notice should be mandatory and any
advantages or disadvantages of mandating use of the model notice; (2)
whether and how the model notice could be compatible with the methods
of notice contemplated by the proposed definition of electronic mail,
such as text, banner and within-application messaging, including
whether and how entities could suitably link to model notice language
from a text message,\69\ electronic banner, or in-application message;
(3) and recommended changes to the substance and format of the model
notice.
---------------------------------------------------------------------------
\69\ The proposed text message and in-app language in the
exemplar notice invites consumers to ``Visit [add non-clickable URL]
to learn what happened, how it affects you, and what you can do to
protect your information.'' The exemplar proposes a non-clickable
URL due to the risk that a clickable URL could expose consumers to,
for example, malware or scams.
---------------------------------------------------------------------------
c. Topics on Which the Commission Seeks Public Comment
The Commission also requests comment on the proposed changes,
including whether the definition of ``electronic mail'' would achieve
the Commission's goal to make notice unavoidable and consistent with
the consumer's relationship with the product. The Commission also
requests comment as to whether this definition would result in over-
notification from ``duplicate'' notices, including the extent to which
the proposed two-pronged approach could confuse consumers or reduce the
impact that a single notice might have. And the Commission requests
comment as to whether this definition is consistent with principles of
data minimization, i.e., whether an entity might collect more data
(e.g., email or text) than it otherwise would have simply to obtain
[[Page 37828]]
sufficient information to send notice via ``electronic mail'' in the
event of a breach.
6. Expanded Content of Notice
The Commission proposes several modifications to the content of the
required notice to individuals. Currently, the Rule requires that the
notice include a description of what happened; a description of the
types of unsecured PHR identifiable health information that were
involved in the breach; the steps individuals should take to protect
themselves from potential harm; a description of what the vendor of
personal health records or PHR related entity involved is doing to
investigate the breach, to mitigate any losses, and to protect against
any further breaches; and contact procedures for individuals to ask
questions or learn additional information.\70\ The Commission proposes
five changes to the content of the notice.
---------------------------------------------------------------------------
\70\ 16 CFR 318.6.
---------------------------------------------------------------------------
a. Summary of Changes to Content of the Notice
First, in Sec. 318.6(a), as part of relaying what happened
regarding the breach, the Commission proposes that the notice to
individuals also include a brief description of the potential harm that
may result from the breach, such as medical or other identity theft.
The Commission proposes adding this provision so that individuals
better understand the nexus between the information breached and the
potential harms that could result from the breach of such information.
In some cases, it is unclear to individuals what harms may flow from
the breach of their information. The Commission believes it is
important to equip individuals with information about the harms they
may experience so that they can better understand the potential risks
from a breach and determine what steps or measures to take following a
breach. The Commission invites comment on this proposed provision,
including (1) whether the requirement that the notice describe
potential harms would serve the public interest and benefit consumers,
(2) whether notifying entities typically possess information following
a breach to assess the potential harms to individuals, (3) whether, in
the absence of such information, notifying entities may minimize the
potential risks by informing individuals that they are unaware of any
harms that may result from the breach, (4) how notifying entities, in
the absence of known, actionable harm resulting from a breach, should
best describe to individuals the potential harms they may experience,
and (5) whether additional and more specific data elements may
overwhelm or confuse recipients of the notice.
Second, the Commission also proposes to amend the requirements for
the notice under Sec. 318.6(a) to include the full name, website, and
contact information (such as a public email address or phone number) of
any third parties that acquired unsecured PHR identifiable health
information as a result of a breach of security, if this information is
known to the vendor of personal health records or PHR related entity
(such as where the breach resulted from disclosures of users' sensitive
health information without authorization). No such requirement exists
in the current Rule.
Third, the Commission proposes modifications to Sec. 318.6(b),
which requires that the notice include a description of the types of
unsecured PHR identifiable health information that were involved in the
breach. The Rule currently sets forth examples of different types of
PHR identifiable health information, such as full name, date of birth,
Social Security number, account number, or disability code, that could
have been involved in the breach.
The Commission proposes that this exemplar list be expanded to
include additional types of PHR identifiable health information, such
as health diagnosis or condition, lab results, medications, other
treatment information, the individual's use of a health-related mobile
application, and device identifier. The Commission believes it is
important for individuals to receive notice of the specific types of
PHR identifiable health information involved in a breach, given that
the exposure of health information can lead to a wide spectrum of
harms.\71\ For example, even the disclosure of an individual's use of a
health-related mobile application (e.g., a HIV management app, mental
health app, or addiction recovery app) could, depending on the type of
health app at issue, lead to a number of potential injuries, including
embarrassment, social stigma, more expensive health insurance premiums,
or even loss of employment.
---------------------------------------------------------------------------
\71\ See, e.g., Fed. Trade Comm'n, FTC Informational Injury
Workshop: BE and BCP Staff Perspective (Oct. 2018), <a href="https://www.ftc.gov/system/files/documents/reports/ftc-informational-injury-workshop-be-bcp-staff-perspective/informational_injury_workshop_staff_report_-_oct_2018_0.pdf">https://www.ftc.gov/system/files/documents/reports/ftc-informational-injury-workshop-be-bcp-staff-perspective/informational_injury_workshop_staff_report_-_oct_2018_0.pdf</a>; Fed.
Trade Comm'n, Former Acting Chairwoman Maureen K. Ohlhausen,
Painting the Privacy Landscape: Informational Injury in FTC Privacy
and Data Security Cases (Sept. 19, 2017), <a href="https://www.ftc.gov/system/files/documents/public_statements/1255113/privacy_speech_mkohlhausen.pdf">https://www.ftc.gov/system/files/documents/public_statements/1255113/privacy_speech_mkohlhausen.pdf</a>.
---------------------------------------------------------------------------
Fourth, Sec. 318.6(d) of the Rule currently requires that a vendor
of personal health records or PHR related entity describe what the
entity is doing to investigate the breach, to mitigate any losses, and
to protect against any further breaches. The Commission proposes to
revise this provision to require that the notice to individuals include
additional information providing a brief description of what the entity
that experienced the breach is doing to protect affected individuals,
such as offering credit monitoring or other services. The Commission
believes it is important that notifying entities explain to individuals
not only the steps individuals should take to protect themselves from
potential harm resulting from the breach, but also what steps the
notifying entity is taking to protect affected individuals following
the breach. Any protections offered by notifying entities likely will
be tailored to the facts and circumstances of each breach and could, in
certain circumstances, include credit monitoring or other support such
as identity theft protection or identity restoration services.
Fifth, the Commission proposes to modify Sec. 318.6(e). Currently,
this section requires that the notice to individuals include contact
procedures for individuals to ask questions or learn additional
information about the breach, and the contact procedure must include
one of the following: a toll-free telephone number; an email address;
website; or postal address. The Commission proposes to modify Sec.
318.6(e) to specify that the contact procedures specified by the
notifying entity must include two or more of the following: toll-free
telephone number; email address; website; within-application; or postal
address. The Commission proposes this change to encourage and
facilitate communication between the notifying entities and affected
individuals. This modification is intended to avoid a scenario where,
for example, a notifying entity regularly communicates with most of its
customers via email and the notifying entity establishes a postal
address as the only contact procedure for individuals to employ
following a breach.
7. Proposed Changes To Improve Rule's Readability
The Commission proposes several changes to improve the Rule's
readability. Specifically, the Commission proposes to include
explanatory parentheticals for internal cross-references, add statutory
citations
[[Page 37829]]
in relevant places, consolidate notice and timing requirements in
single sections, and revise the Enforcement section to state more
plainly the penalties for non-compliance.
a. Explanatory Parentheticals and Statutory References
Throughout the Rule, the Commission proposes to include explanatory
parentheticals for each internal cross-reference and add statutory
citations to help orient the reader.\72\ The Commission invites comment
on whether the inclusion of explanatory parentheticals and statutory
citations improves the Rule's readability and promotes comprehension.
---------------------------------------------------------------------------
\72\ For example, the Commission proposes to add a statutory
citation for the Recovery Act section referenced in the definition
of ``unsecured,'' to improve the clarity and readability of this
defined term. The revised definition would provide that
``unsecured'' means PHR identifiable health information that is not
protected through the use of a technology or methodology specified
by the Secretary of Health and Human Services in the guidance issued
under section 13402(h)(2) of the American Reinvestment and Recovery
Act of 2009, 42 U.S.C. 17932(h)(2).
---------------------------------------------------------------------------
(1) Consolidated Notice and Timing Requirements
To facilitate reader understanding, the Commission proposes
consolidating into single sections, respectively, the Rule's breach
notification and timing requirements. Currently, the breach
notification requirements are located in sections 318.3 and 318.5 and
the timing requirements are located in sections 318.4 and 318.5.
To consolidate the Rule's notice requirements, the Commission
proposes to move the provision in Sec. 318.5 (Methods of notice)
requiring notice to the media (Sec. 318.5(b)) to Sec. 318.3. The
Commission does not intend to make any substantive change to the breach
notification requirements; this change is merely intended to
consolidate breach notification requirements in a single section to
improve readability and promote compliance.
New Sec. 318.3(a)(3) would set forth the requirement to notify
prominent media \73\ outlets serving a State or jurisdiction, following
the discovery of a breach of security, if the unsecured PHR
identifiable health information of 500 or more residents of such State
or jurisdiction is, or is reasonably believed to have been, acquired
during such breach. The Commission requests comment as to whether the
consolidation of breach notification requirements improves the Rule's
readability and will promote compliance.\74\
---------------------------------------------------------------------------
\73\ See supra note 6.
\74\ As noted above, the Commission does not intend this
consolidation of timing requirements to have any effect on the
substantive requirements of the Rule. In making this proposed
change, minor revisions are required to Sec. 318.5(b). Section
318.5(b) of the proposed Rule would provide: ``Notice to media. As
described in Sec. 318.3(a)(3), a vendor of personal health records
or PHR related entity shall provide notice to prominent media
outlets serving a State or jurisdiction, following the discovery of
a breach of security, if the unsecured PHR identifiable health
information of 500 or more residents of such State or jurisdiction
is, or is reasonably believed to have been, acquired during such
breach.''
---------------------------------------------------------------------------
Second, to consolidate requirements regarding the timing of
notification, the Commission proposes moving timing requirements for
notice to the FTC that appear in Sec. 318.5(c) of the current Rule to
a new paragraph (b) in Sec. 318.4 of the proposed Rule. Accordingly,
proposed Sec. 318.4(b) would now require vendors of personal health
records and PHR related entities to notify the Commission as soon as
possible and in no case later than ten business days following the date
of discovery of the breach if the breach involves the unsecured PHR
identifiable health information of 500 or more individuals. If the
breach involves the unsecured PHR identifiable health information of
fewer than 500 individuals, this section permits vendors of personal
health records and PHR related entities, in lieu of immediate notice,
to maintain a breach log and submit this log annually to the Federal
Trade Commission no later than 60 calendar days following the end of
the calendar year.\75\
---------------------------------------------------------------------------
\75\ As noted above, the Commission does not intend this
consolidation of timing requirements to have any effect on the
substantive requirements of these sections. Section 318.5(c) of the
proposed Rule would provide: ``(c) Notice to FTC. Vendors of
personal health records and PHR related entities shall provide
notice to the Federal Trade Commission following the discovery of a
breach of security, as described in 318.4(b) (Timing of notice to
FTC). If the breach involves the unsecured PHR identifiable health
information of fewer than 500 individuals, the vendor of personal
health records or PHR related entity may maintain a log of any such
breach and submit such a log to the Federal Trade Commission as
described in 318.4(b) (Timing of notice to FTC), documenting
breaches from the preceding calendar year. All notices pursuant to
this paragraph shall be provided according to instructions at the
Federal Trade Commission's website.''
---------------------------------------------------------------------------
Importantly, the Commission does not intend to make any substantive
change to the timing requirements; this change is merely intended to
consolidate timing requirements in a single section to improve
readability and promote compliance. The Commission requests comment as
to whether the inclusion of explanatory parentheticals and the proposed
consolidation of timing requirements improves the Rule's readability
and will promote compliance.
(2) Revised Enforcement Provision
Commenters suggested that the Rule be revised to specify the
penalties for non-compliance.\76\ Currently, the Rule provides that a
violation of Sec. 318.3 shall be treated as an unfair or deceptive act
or practice in violation of a regulation under section 18 of the FTC
Act. The Commission proposes modifying Sec. 318.7 to make plain that a
violation of the Rule constitutes a violation of a rule promulgated
under section 18 of the FTC Act and is subject to civil penalties.
---------------------------------------------------------------------------
\76\ See Bruce Grimm at 1 (``Areas of 16 CFR [p]art 318.5 method
of notice could be enhanced by adding an option for consumers to
text or use a quick response (QR) code generator to obtain data
breach information that is on file. This coupled with a modification
of 16 CFR [p]art 318.7 enforcement where the actual potential
penalty for practice in violation of regulation is noted would act
as a deterrent to non-compliance.''); All. for Nursing Informatics
at 2 (``We offer the following additional considerations to update
and improve the HBN Rule, including. . . . Identify sufficiently
stringent penalties and monitoring for responsible management of
identifiable PHI.'').
---------------------------------------------------------------------------
Under section 18 of the FTC Act, 15 U.S.C. 57a, the Commission is
authorized to prescribe ``rules which define with specificity acts or
practices which are unfair or deceptive acts or practices in or
affecting commerce'' within the meaning of section 5(a)(1) of the FTC
Act, 15 U.S.C. 45(a)(1). Once the Commission has promulgated a trade
regulation rule, anyone who violates the rule with actual knowledge, or
knowledge fairly implied on the basis of objective circumstances, that
such act is unfair or deceptive and is prohibited by such rule is
liable for civil penalties for each violation. 15 U.S.C. 45(m)(1)(A).
Entities that fail to comply with the Rule are subject to penalties of
up to $50,120 per violation per day, and this amount is increased
annually per the Federal Civil Penalties Inflation Adjustment Act
Improvements Act of 2015.\77\ The Commission seeks comment on these
proposed modifications to Sec. 318.7.
---------------------------------------------------------------------------
\77\ 16 CFR 1.98; see also Federal Trade Commission, FTC
Publishes Inflation-Adjusted Civil Penalty Amounts for 2022 (Jan. 6,
2023), <a href="https://www.ftc.gov/news-events/news/press-releases/2023/01/ftc-publishes-inflation-adjusted-civil-penalty-amounts-2023">https://www.ftc.gov/news-events/news/press-releases/2023/01/ftc-publishes-inflation-adjusted-civil-penalty-amounts-2023</a>.
---------------------------------------------------------------------------
III. Changes Considered but Not Proposed and on Which the Commission
Seeks Public Comment
1. Defining Authorization and Affirmative Express Consent
As previously noted above, when a health app or other device
discloses sensitive health information without users' authorization,
this is a ``breach of
[[Page 37830]]
security'' under the Rule. The Commission considered defining the term
``authorization,'' which appears in Sec. 318.2(a)'s definition of
``breach of security.'' Specifically, Sec. 318.2(a) defines ``breach
of security,'' in relevant part, to mean the acquisition of unsecured
PHR identifiable information of an individual in a personal health
record without the ``authorization'' of the individual. The Commission
considered defining ``authorization'' to mean the affirmative express
consent of the individual, and then defining ``affirmative express
consent,'' consistent with state laws that define consent, such as the
California Consumer Privacy Rights Act, Cal. Civ. Code 1798.140(h).\78\
Such changes would ensure that notification is required anytime there
is acquisition of unsecured PHR identifiable information without the
individual's affirmative express consent for that acquisition--such as
when an app discloses unsecured PHR identifiable information to another
company, having obtained nominal ``consent'' from the individual by
using a small, greyed-out, pre-selected checkbox following a page of
dense legalese.
---------------------------------------------------------------------------
\78\ The Commission considered defining ``affirmative express
consent'' as follows:
Affirmative express consent means any freely given, specific,
informed, and unambiguous indication of an individual's wishes
demonstrating agreement by the individual, such as by a clear
affirmative action, following a clear and conspicuous disclosure to
the individual, apart from any ``privacy policy,'' ``terms of
service,'' ``terms of use,'' or other similar document, of all
information material to the provision of consent. Acceptance of a
general or broad terms of use or similar document that contains
descriptions of agreement by the individual along with other,
unrelated information, does not constitute affirmative express
consent. Hovering over, muting, pausing, or closing a given piece of
content does not constitute affirmative consent. Likewise, agreement
obtained through use of user interface designed or manipulated with
the substantial effect of subverting or impairing user autonomy,
decision-making, or choice, does not constitute affirmative express
consent.
---------------------------------------------------------------------------
In considering whether to define ``authorization'' and
``affirmative express consent,'' the Commission considered public
comments that argued the Rule should do more to prevent data collection
and use without the individual's consent.\79\ Defining these terms to
emphasize the importance of meaningful consent would partially address
the concerns of some commenters that privacy compliance obligations for
entities not covered by HIPAA should be similar to obligations for
HIPAA covered entities, both to ensure consistent protections for
consumers' health information and to level the competitive playing
field among companies holding that information.\80\
---------------------------------------------------------------------------
\79\ Lisa McKeen at 1 (recommending that the Rule require
``express written acknowledgement and consent of the consumer/
person(s) to which this information is personally owned''); Kaiser
Permanente at 3 (``[T]he HBN Rule should require all [covered]
entities to establish and follow notices of privacy and security
practices [and] inform consumers about those notices in a prominent
manner[.]''; AMA at 4-5 (identifying problems with consent structure
and urging the Commission to presume ``unauthorized access'' ``when
an entity fails to disclose to an individual the specific secondary
recipients of the individual's data.''); AMIA at 2 (urging the
Commission to presume that unauthorized access has occurred where an
entity ``fails to adequately disclose to individuals how user data
is accessed, processed, used, reused, and disclosed.'').
\80\ E.g., OAG-CA at 5.
---------------------------------------------------------------------------
The Commission is not, however, proposing to make those changes at
this time, because the commentary to the current Rule already provides
guidance on the types of disclosures that the Commission considers to
be ``unauthorized.'' \81\ Further, recent Commission orders, such as
GoodRx, also make clear that the use of ``dark patterns,'' which have
the effect of manipulating or deceiving consumers, including through
use of user interfaces designed with the substantial effect of
subverting or impairing user autonomy and decision-making, do not
satisfy the standard of ``meaningful choice.'' Finally, Commission
settlements establish important guidelines involving authorization. For
example, the Commission's recent settlement with GoodRx, alleging
violations of the Rule, highlights that disclosures of PHR identifiable
information inconsistent with a company's privacy promises constitute
an unauthorized disclosure.
---------------------------------------------------------------------------
\81\ See supra note 49.
---------------------------------------------------------------------------
The Commission seeks public comment about whether the commentary
above and FTC enforcement actions provide sufficient guidance to put
companies on notice about their obligations for obtaining consumer
authorization for disclosures, or whether defining the term
``authorization'' would better inform companies of their compliance
obligations.
To the extent that including such definitions would be appropriate,
the Commission seeks comment on the definitions of ``authorization''
and ``affirmative express consent,'' as described above, and the extent
to which such definitions are consistent with the language and purpose
of the Recovery Act. The Commission also seeks comment on what
constitutes acceptable methods of authorization, particularly when
unauthorized sharing is occurring. For example, the Commission seeks
comment on the following: when a vendor of personal health records or a
PHR-related entity is sharing information covered by the Rule, is it
acceptable for that entity to obtain the individual's authorization to
share that information when an individual clicks ``agree'' or
``accept'' in connection with a pre-checked box disclosing such
sharing? Is it sufficient if an individual agrees to terms and
conditions disclosing such sharing but that individual is not required
to review the terms and conditions? Or is it sufficient if an
individual uses a health app that discloses in its privacy policy that
such sharing occurs, but the app knows via technical means that the
individual never interacts with the privacy policy?
Relatedly, the Commission seeks comment on whether there are
certain types of sharing for which authorization by consumers is
implied, because such sharing is expected and/or necessary to provide a
service to consumers. Finally, the Commission emphasizes that its
decision to not define ``authorization'' or ``affirmative express
consent'' does not mean that a ``breach of security'' is limited only
to cybersecurity events.
2. Modifying Definition of Third Party Service Provider
The Commission also considered modifying the definition of ``third
party service provider.'' Under the Rule, a ``third party service
provider'' means an entity that ``(1) [p]rovides services to a vendor
of personal health records in connection with the offering or
maintenance of a personal health record or to a PHR related entity in
connection with a product or service offered by that entity; and (2)
[a]ccesses, maintains, retains, modifies, records, stores, destroys, or
otherwise holds, uses, or discloses unsecured PHR identifiable health
information as a result of such services.'' \82\ The 2009 Notice of
Proposed Rulemaking notes that third party service providers include,
for example, entities that provide billing or data storage services to
vendors of personal health records or PHR related entities.\83\
Although the Commission is not proposing to modify the definition of
``third party service provider'' at this time, the Commission requests
comment on certain issues related to the definition. Given
technological changes and the proliferation of new business models that
have occurred since the Rule's issuance, the Commission invites
comments on the scope of entities that should be considered third party
service providers under the Rule. While the
[[Page 37831]]
2009 Notice of Proposed Rulemaking provides examples of third party
service providers, the examples are illustrative. For example, under
the Rule, should all advertising and analytics providers and platforms
be considered third party service providers anytime they access,
maintain, retain, modify, record, store, destroy, or otherwise hold,
use, or disclose unsecured PHR identifiable health information when
providing services to vendors of personal health records and PHR
related entities? Relatedly, the Commission requests comment on what it
means to ``provide services'' under the Rule's definition.
---------------------------------------------------------------------------
\82\ 16 CFR 318.2(h).
\83\ 74 FR 17917 (Apr. 17, 2009) (``2009 Notice of Proposed
Rulemaking'').
---------------------------------------------------------------------------
3. Changing Timing Requirements
The Commission also weighed whether to propose changing the Rule's
timing requirements. Specifically, the Commission considered public
comments about whether the timing requirements were appropriate,\84\
introduced unnecessary delay,\85\ or did not give notifying entities
sufficient time to investigate the facts of a breach.\86\ One commenter
expressed concern that the timing requirements do not provide consumers
with important information as soon as would be valuable to them and
there is no compelling reason for delaying notice.\87\ Other
commenters, however, expressed concern that entities experiencing a
breach may not have sufficient information to be able to give the
Commission a meaningful notification within 10 days.\88\ These
commenters recommended that the Commission extend the 10-day
requirement for the notice to the FTC, consistent with the HIPAA Health
Breach Notification Rule, which requires notification to the Secretary
of HHS without unreasonable delay and in no case later than 60 calendar
days following a breach.\89\ Commission staff also consulted staff at
HHS about its experience enforcing the HIPAA Health Breach Notification
Rule regarding the timing requirements in that rule.
---------------------------------------------------------------------------
\84\ Lisa McKeen at 5; CHIME at 3; WEDI at 2.
\85\ Hilal Johnson at 1.
\86\ CARIN All. at 2; Allscripts at 2; Kaiser at 10.
\87\ Hilal Johnson at 1.
\88\ CARIN All. at 2; Allscripts at 2; Kaiser at 10.
\89\ 45 CFR 164.408 (referencing timing requirement in 404).
---------------------------------------------------------------------------
Although the Commission has not proposed any timing changes, the
Commission requests comments on several issues related to timing.
First, the Commission requests comment about the timing of
notifications to consumers. In particular, the Commission requests
comment regarding whether earlier notification of consumers would
better protect them or whether it would lead to partial notifications,
because the entity experiencing the breach may not have had time to
identify all the relevant facts. Second, the Commission also requests
additional comment on the timing of the notification to the FTC:
whether it should extend the timeline to give entities more time to
investigate breaches and better ascertain the number of affected
individuals or whether an extension would simply facilitate dilatory
action and minimize the opportunity for an important dialogue with
Commission staff during the fact-gathering stage immediately following
a breach.
IV. Paperwork Reduction Act
The Commission is submitting this Notice of Proposed Rulemaking and
a Supporting Statement to the Office of Management and Budget (``OMB'')
for review under the Paperwork Reduction Act (``PRA'') (44 U.S.C. 3501-
3521). The breach notification requirements discussed above constitute
``collections of information'' for purposes of the PRA. See 5 CFR
1320.3(c). OMB has approved the Rule's existing information collection
requirements through July 31, 2025 (OMB Control No. 3084-0150).
The proposed amendments to 16 CFR part 318 would likely result in
more reportable breaches by covered entities to the FTC. In the event
of a breach of security, the proposed Rule would require covered firms
to investigate and, if certain conditions are met, notify consumers and
the Commission.\90\
---------------------------------------------------------------------------
\90\ Third party service providers who experience a breach are
required to notify the vendor of personal health records or PHR
related entity, and then this firm would be required to notify
consumers. The Commission expects that the cost of notification to
third party service providers would be small, relative to the
entities who have to notify consumers. The Commission invites
comment on this issue and data that may be used to quantify the
costs to third party service providers.
---------------------------------------------------------------------------
Accordingly, staff has estimated the burdens associated with these
proposed information collection requirements as set forth below.
Based on industry reports, staff estimates that the Commission's
proposed information collection requirements will cover approximately
170,000 entities, which, in the event that they experience a breach,
may be required to notify consumers and the Commission. While there are
approximately 1.8 million apps in the Apple App Store \91\ and 2.7
million apps in the Google Play Store,\92\ as of November 2022 it
appears that roughly 170,000 of the apps offered in either store are
categorized as ``Health and Fitness.'' \93\ This figure for apps is a
rough proxy for all covered PHRs, because most websites and connected
health devices that would be subject to the Rule act in conjunction
with an app.
---------------------------------------------------------------------------
\91\ See App Store--Apple, <a href="https://www.apple.com/app-store/">https://www.apple.com/app-store/</a> and
App Store Data (2023)--Business of Apps, <a href="https://www.businessofapps.com/data/app-stores/">https://www.businessofapps.com/data/app-stores/</a>.
\92\ App Store Data (2023)--Business of Apps, <a href="https://www.businessofapps.com/data/app-stores/">https://www.businessofapps.com/data/app-stores/</a>.
\93\ See App Store Data (2023), supra note 91, which reports
78,764 apps in the Apple App Store and 91,743 apps in the Google
Play Store were categorized as ``Health and Fitness'' apps as of
November 2022. This figure is likely both under- and over-inclusive.
For example, this figure does not include apps categorized elsewhere
(i.e., outside ``Health and Fitness'') that may be PHRs. However, at
the same time, this figure also overestimates the number of covered
entities, since many developers make more than one app.
---------------------------------------------------------------------------
Staff estimates that these entities will, cumulatively, experience
71 breaches per year for which notification may be required. With the
proviso that there is insufficient data at this time about the number
and incidence rate of breaches at entities covered by the Commission's
Rule (due to underreporting prior to issuance of the Policy Statement),
staff determined the number of estimated breaches by calculating the
breach incidence rate for HIPAA-covered entities, and then applied this
rate to the estimated total number of entities that will be subject to
the proposed Rule.\94\ Additionally, as the number of breaches per year
grew significantly in the recent years,\95\ and staff expects this
trend to continue, staff relied on the average number of breaches in
2021 and 2022 to estimate the annual breach incidence rate for HIPAA-
covered entities.
---------------------------------------------------------------------------
\94\ Staff used information publicly available from HHS on HIPAA
related breaches because the HIPAA Breach Notification Rule is
similarly constructed. However, while there are similarities between
HIPAA-covered entities and HBNR-covered entities, it is not
necessarily the case that rates of breaches would follow the same
pattern. For instance, HIPAA-covered entities are generally subject
to stronger data security requirements under HIPAA, but also may be
more likely targets for security incidents (e.g., ransomware attacks
on hospitals and other medical treatment centers covered by HIPAA
have increased dramatically in recent years); thus, this number
could be an under- or overestimate of the number of potential
breaches per year.
\95\ According to the HHS Office for Civil Rights (``OCR''), the
number of breaches per year grew from 358 in 2017 to 715 breaches in
2021 and 717 breaches in 2022. See Breach Portal, U.S. Dep't of
Health & Human Servs., Office for Civil Rights, <a href="https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf">https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf</a> (visited on March 2,
2023). The data was downloaded on March 2, 2023, resulting in
limited data for 2023. Thus, breaches from 2023 were not considered.
However, breach investigations that remain open (under
investigation) are included in the count of yearly breaches.
---------------------------------------------------------------------------
Specifically, the HHS Office for Civil Rights (``OCR'') reported
715 breaches in
[[Page 37832]]
2021 and 717 breaches in 2022,\96\ which results in an average of 716
of breaches for 2021 and 2022. Based on the 1.7 million entities that
are covered by the HIPAA Breach Notification Rule \97\ and the average
number of breaches for 2021 and 2022, staff determined an annual breach
incidence rate of 0.00042 (716/1.7 million). Accordingly, multiplying
the breach incidence rate (0.00042) by the estimated number of entities
covered by the proposed information collection requirements (170,000)
results in an estimated 71 breaches per year.
---------------------------------------------------------------------------
\96\ See Breach Portal, U.S. Dep't of Health & Human Servs.,
Office for Civil Rights, <a href="https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf">https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf</a> (visited on March 2, 2023).
\97\ In a recent Federal Register Notice (``FRN'') on Proposed
Modifications to the HIPAA Privacy Rule to Support, and Remove
Barriers to, Coordinated Care and Individual Engagement, OCR
proposes increasing the number of covered entities from 700,000 to
774,331. 86 FR 6446, 6497 (Jan. 21, 2021). The FRN also lists the
number of covered Business Associates as 1,000,000 (Table 2).
---------------------------------------------------------------------------
Costs
To determine the costs for purposes of this analysis, staff has
developed estimates for two categories of potential costs: (1) the
estimated annual burden hours and labor cost of determining what
information has been breached, identifying the affected customers,
preparing the breach notice, and making the required report to the
Commission; and (2) the estimated capital and other non-labor costs
associated with notifying consumers.
Estimated Annual Burden Hours: 10,650.
Estimated Annual Labor Cost: $720,579.
First, to determine what information has been breached, identify
the affected customers, prepare the breach notice, and make the
required report to the Commission, staff estimates that covered firms
will require per breach, on average, 150 hours of employee labor at a
cost of $10,149.\98\ This estimate does not include the cost of
equipment or other tangible assets of the breached firms because they
likely will use the equipment and other assets they have for ordinary
business purposes. Based on the estimate that there will be 71 breaches
per year the annual hours of burden for affected entities will be
10,650 hours (150 hours x 71 breaches) with an associated labor cost of
$720,579 (71 breaches x $10,149).
---------------------------------------------------------------------------
\98\ This estimate is the sum of 40 hours of marketing
managerial time (at an average wage of $73.77), 40 hours of computer
programmer time ($46.46), 20 hours of legal staff ($71.17), 50 hours
of computer and information systems managerial time ($78.33). See
Occupational Employment and Wage Statistics, U.S. Bureau of Labor
Statistics (May 2021), <a href="https://www.bls.gov/oes/current/oes_nat.htm#00-0000">https://www.bls.gov/oes/current/oes_nat.htm#00-0000</a>.
---------------------------------------------------------------------------
Estimated Capital and Other Non-Labor Costs: $49,463,046.
The capital and non-labor costs associated with breach
notifications depends upon the number of consumers contacted and
whether covered firms are likely to retain the services of a forensic
expert. For breaches affecting large numbers of consumers, covered
firms are likely to retain the services of a forensic expert. FTC staff
estimates that, for each breach requiring the services of forensic
experts, forensic experts may spend approximately 40 hours to assist in
the response to the cybersecurity intrusion, at an estimated cost of
$20,000.\99\ FTC staff estimates that the services of forensic experts
will be required in 60% of the 71 breaches. Based on the estimate that
there will be 43 breaches per year requiring forensic experts (60% x 71
breaches), the annual hours burden for affected entities will be 1,720
hours (43 breaches requiring forensic experts x 40 hours) with an
associated cost of $860,000 (43 breaches requiring forensic experts x
$20,000).
---------------------------------------------------------------------------
\99\ This estimate is the sum of 40 hours of forensic expert
time at a cost of $500 per hour, which yields a total cost of
$20,000 (40 hours x $500/hour).
---------------------------------------------------------------------------
Using the data on HIPAA-covered breach notices available from HHS
for the years 2021-2022, FTC staff estimates that the average number of
individuals affected per breach is 62,402.\100\ Given an estimated 71
breaches per year, FTC staff estimates an average of 4,430,542
consumers per year will receive a breach notification (71 breaches x
62,402 individuals per breach).
---------------------------------------------------------------------------
\100\ HHS Breach Data, supra note 96 (mean of Individuals
Affected during breaches 2017-2022). This analysis uses the last six
years of HHS breach data to generate the average, in order to
account for the variation in number of individuals affected by
breaches observed in the HHS data over time.
---------------------------------------------------------------------------
Based on a recent study of data breach costs, staff estimates the
cost of providing notice to consumers to be $10.97 per breached
record.\101\ This estimate includes the costs of electronic notice,
letters, outbound calls or general notice to data subjects; and
engagement of outside experts.\102\ Applied to the above-stated
estimate of 4,430,542 consumers per year receiving breach notification
yields an estimated total annual cost for all forms of notice to
consumers of $48,603,046 (4,430,542 consumers x $10.97 per record). The
estimated capital and non-labor costs total $49,463,046 ($860,000 +
$48,603,046).
---------------------------------------------------------------------------
\101\ See IBM Security, Costs of a Data Breach Report 2022
(2022), <a href="https://www.ibm.com/reports/data-breach">https://www.ibm.com/reports/data-breach</a> (``2022 IBM Security
Report''). The research for the 2022 IBM Security Report is
conducted independently by the Ponemon Institute, and the results
are reported and published by IBM Security. Figure 2 of the 2022 IBM
Security Report shows that cost per record of a breach was $164 per
record in 2022 and $161 in 2021, resulting in an average cost of
$162.50. Figure 5 of the 2022 IBM Security Report shows that 7.1%
($0.31m/$4.35m) of the average cost of a data breach are due to
``Notification'' costs. The fraction of average breach costs due to
``Notification'' were 6.4% the previous year (IBM Security, Costs of
a Data Breach Report 2021). Using the average of these numbers,
staff estimates that notification costs per record across the two
years are 6.75% x $162.50 = $10.97 per record.
\102\ See 2022 IBM Security Report at 54.
---------------------------------------------------------------------------
Staff notes that these estimates likely overstate the costs imposed
by the proposed Rule because: (1) it assumes that all entities covered
by the Rule will be required to take all the steps required above; and
(2) staff made conservative assumptions in developing many of the
underlying estimates. Moreover, many entities covered by the Rule
already have similar notification obligations under state data breach
laws.\103\ In addition, the Commission has taken several steps designed
to limit the potential burden on covered entities that are required to
provide notice, including by providing exemplar notices that entities
may choose to use if they are required to provide notifications and
proposing expanded use of electronic notifications.
---------------------------------------------------------------------------
\103\ Many state data breach notification statutes require
notification when a breach occurs involving certain health or
medical information of individuals in that state. See, e.g., Ala.
Code 8-38-1 et seq.; Alaska Stat. 45.48.010 et seq.; Ariz. Rev.
Stat. 18-551 et seq.; Ark. Code 4-110-101 et seq.; Cal. Civ. Code
1798.80 et seq.; Cal. Health & Safety Code 1280.15; Colo. Rev. Stat.
6-1-716; Del. Code Ann. tit. 6 12B-101 et seq.; DC Code 28-3851 et
seq.; Fla. Stat. 501.171; 815 Ill. Comp. Stat. 530/5 et seq.; Md.
Code Com. Law 14-3501 et seq; Mo. Rev. Stat. 407.1500; Nev. Rev.
Stat. 603A.010 et seq.; N.H. Rev. Stat. 359-C:19-C:21; N.H. Rev.
Stat. 332-I:5; N.D. Cent. Code 51-30-01-07; Or. Rev. Stat. 646A.600-
646A.628; R.I. Gen. Laws 11-49.3-1-11-49.3-6; SDCL 22-40-19-22-40-
26; Tex. Bus. & Com. Code 521.002, 521.053, 521.151-152; 9 V.S.A.
2430, 2435; Va. Code 18.2-186.6; Va. Code 32.1-127.1:05; Va. Code
58.1-341.2; Wash. Rev. Code 19.255.010 et seq.
---------------------------------------------------------------------------
The Commission invites comments on: (1) whether the proposed
collection of information is necessary for the proper performance of
the functions of the FTC, including whether the information will have
practical utility; (2) the accuracy of the FTC's estimate of the burden
of the proposed collection of information; (3) ways to enhance the
quality, utility, and clarity of the information to be collected; and
(4) ways to minimize the burden of collecting information on those who
respond.
Written comments and recommendations for the proposed information
collection should also be sent within 30 days of publication of this
document to <a href="https://www.reginfo.gov/public/do/PRAMain">https://www.reginfo.gov/public/do/PRAMain</a>.
[[Page 37833]]
Find this particular information collection by selecting ``Currently
under Review--Open for Public Comments'' or by using the search
function. The <a href="http://reginfo.gov">reginfo.gov</a> web link is a United States Government
website produced by OMB and the General Services Administration
(``GSA''). Under PRA requirements, OMB's Office of Information and
Regulatory Affairs (``OIRA'') reviews Federal information collections.
V. Regulatory Flexibility Act
The Regulatory Flexibility Act (``RFA''), 5 U.S.C. 601 et seq.,
requires that the Commission conduct an analysis of the anticipated
economic impact of the proposed amendment on small entities. The
purpose of a regulatory flexibility analysis is to ensure that an
agency considers potential impacts on small entities and examines
regulatory alternatives that could achieve the regulatory purpose while
minimizing burdens on small entities. The RFA requires that the
Commission provide an Initial Regulatory Flexibility Analysis
(``IRFA'') with a proposed rule and a Final Regulatory Flexibility
Analysis (``FRFA'') with a final rule, if any, unless the Commission
certifies that the proposed rule will not have a significant economic
impact on a substantial number of small entities. 5 U.S.C. 605.
The Commission believes that the proposed amendment would not have
a significant economic impact upon small entities, although it may
affect a substantial number of small businesses. Among other things,
the proposed amendments clarify certain definitions, revise the
disclosures that must accompany notice of a breach under the Rule, and
modernize the methods of notice to allow additional use of electronic
notice such as email by entities affected by a breach. In addition, the
proposed amendments improve the Rule's readability by clarifying cross-
references and adding statutory citations. The Commission does not
anticipate these changes will add significant additional costs to
entities covered by the Rule and the revisions to allow additional use
of electronic notice may reduce costs for many entities covered by the
Rule. Therefore, based on available information, the Commission
certifies that amending the Rule as proposed will not have a
significant economic impact on a substantial number of small entities.
Although the Commission certifies under the RFA that the proposed
amendment would not, if promulgated, have a significant impact on a
substantial number of small entities, the Commission has determined,
nonetheless, that it is appropriate to publish an IRFA to inquire into
the impact of the proposed amendment on small entities. Therefore, the
Commission has prepared the following analysis:
1. Description of the Reasons That Action by the Agency Is Being
Considered
The Commission conducts a review of each of its rules ten years
after issuance. In May 2020, the Commission requested public comment on
whether technological and business changes warranted any changes to the
Rule. After careful review of the comments received, the Commission
concludes that there is a need to update certain Rule provisions.
Therefore, it proposes modifications to the Rule as described in
sections I and II.
2. Statement of the Objectives of, and Legal Basis for, the Proposed
Rule
The objective of the proposed changes is to clarify existing notice
obligations for entities covered by the Rule. The legal basis for the
proposed Rule is section 13407 of the Recovery Act.
3. Description and Estimate of the Number of Small Entities to Which
the Proposed Rule Will Apply
The proposed amendments, like the current Rule, will apply to
vendors of personal health records, PHR related entities, and third
party service providers, including developers and purveyors of health
apps, connected health devices, and similar technologies. As discussed
in the Commission's PRA estimates above, FTC staff estimates that the
proposed Rule will apply to approximately 170,000 entities. The
Commission estimates that a substantial number of these entities likely
qualify as small businesses. According to the Statistics on Small
Businesses Census data, approximately 94% of ``Software Publishers''
(the category to which health and fitness apps belong) are small
businesses.\104\ The Commission invites comment and information on this
issue.
---------------------------------------------------------------------------
\104\ 2017 SUSB Annual Data Tables by Establishment Industry,
U.S. Census Bureau (May 2021), <a href="https://www.census.gov/data/tables/2017/econ/susb/2017-susb-annual.html">https://www.census.gov/data/tables/2017/econ/susb/2017-susb-annual.html</a>. The U.S. Small Business
Administration (``SBA'') categorizes Software Publishers as a small
business if the annual receipts are less than $41.5 million.
---------------------------------------------------------------------------
4. Projected Reporting, Recordkeeping and Other Compliance Requirements
The Recovery Act and the proposed Rule impose certain reporting
requirements within the meaning of the PRA. The proposed Rule will
clarify which entities are subject to those reporting requirements. The
Commission is seeking clearance from OMB for these requirements.
Specifically, the Act and proposed Rule require vendors of personal
health records and PHR related entities to provide notice to consumers,
the Commission, and in some cases the media in the event of a breach of
unsecured PHR identifiable health information. The Act and proposed
Rule also require third party service providers to provide notice to
vendors of personal health records and PHR related entities in the
event of such a breach. If a breach occurs, each entity covered by Act
and proposed Rule will expend costs to determine the extent of the
breach and the individuals affected. If the entity is a vendor of
personal health records or PHR related entity, additional costs will
include the costs of preparing a breach notice, notifying the
Commission, compiling a list of consumers to whom a breach notice must
be sent, and sending a breach notice. Such entities may incur
additional costs in locating consumers who cannot be reached, and in
certain cases, posting a breach notice on a website, notifying
consumers through media advertisements, or sending breach notices
through press releases to media outlets.
In-house costs may include technical costs to determine the extent
of breaches; investigative costs of conducting interviews and gathering
information; administrative costs of compiling address lists;
professional/legal costs of drafting the notice; and potentially, costs
for postage, web posting, and/or advertising. Costs may also include
the purchase of services of a forensic expert. The Commission seeks
further comment on the costs and burdens of small entities in complying
with the requirements of the proposed Rule.
5. Other Duplicative, Overlapping, or Conflicting Federal Rules
The FTC has not identified any other Federal statutes, rules, or
policies currently in effect that would conflict with the proposed
Rule. The HIPAA Breach Notification Rule applies to HIPAA-covered
entities; the proposed Rule does not. The Commission invites comment
and information about any potentially duplicative, overlapping, or
conflicting Federal statutes, rules, or policies.
[[Page 37834]]
6. Description of Any Significant Alternatives to the Proposed Rule
In drafting the proposed Rule, the Commission has made every effort
to avoid unduly burdensome requirements for entities. In particular,
the Commission believes that the proposed changes to facilitate
electronic notice will assist small entities by significantly reducing
the costs of sending breach notices. In addition, the Commission is
also proposing exemplar notices that entities covered by the Rule may
use, in their discretion, to notify individuals. The Commission
anticipates that these exemplar notices will further reduce the
potential burden on entities that are required to provide notice under
the Rule. The Commission is not aware of alternative methods of
compliance that will reduce the impact of the proposed Rule on small
entities, while also comporting with the Recovery Act. The statutory
requirements are specific as to the timing, method, and content of
notice. Accordingly, the Commission seeks comment and information on
ways in which the Rule could be modified to reduce any costs or burdens
for small entities consistent with the Recovery Act's mandated
requirements.
VI. Instructions for Submitting Comments
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before August 8, 2023.
Write ``Health Breach Notification Rule, Project No. P205405'' on the
comment. Your comment-including your name and your state-will be placed
on the public record of this proceeding, including the <a href="https://www.regulations.gov">https://www.regulations.gov</a> website.
Because of the agency's heightened security screening, postal mail
addressed to the Commission is subject to delay. We strongly encourage
you to submit your comments online through the <a href="https://www.regulations.gov">https://www.regulations.gov</a> website. To make sure the Commission considers your
online comment, please follow the instructions on the web-based form.
If you file your comment on paper, write ``Health Breach
Notification Rule, Project No. P205405'' on your comment and on the
envelope, and mail your comment to the following address: Federal Trade
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite
CC-5610 (Annex H), Washington, DC 20580.
Because your comment will be placed on the publicly accessible
website at <a href="https://www.regulations.gov">https://www.regulations.gov</a>, you are solely responsible for
making sure that your comment does not include any sensitive or
confidential information. In particular, your comment should not
include any sensitive personal information, such as your or anyone
else's Social Security number; date of birth; driver's license number
or other state identification number, or foreign country equivalent;
passport number; financial account number; or credit or debit card
number. You are also solely responsible for making sure that your
comment does not include any sensitive health information, such as
medical records or other individually identifiable health information.
In addition, your comment should not include any ``trade secret or any
commercial or financial information which . . . is privileged or
confidential''--as provided by section 6(f) of the FTC Act, 15 U.S.C.
46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)--including in
particular competitively sensitive information such as costs, sales
statistics, inventories, formulas, patterns, devices, manufacturing
processes, or customer names.
Comments containing material for which confidential treatment is
requested must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular,
the written request for confidential treatment that accompanies the
comment must include the factual and legal basis for the request and
must identify the specific portions of the comment to be withheld from
the public record. Your comment will be kept confidential only if the
FTC's General Counsel grants your request in accordance with the law
and the public interest. Once your comment has been posted publicly at
<a href="http://www.regulations.gov">www.regulations.gov</a>, we cannot redact or remove your comment unless you
submit a confidentiality request that meets the requirements for such
treatment under FTC Rule 4.9(c), and the FTC's General Counsel grants
that request.
Visit the FTC website to read this document and the news release
describing it. The FTC Act and other laws that the Commission
administers permit the collection of public comments to consider and
use in this proceeding as appropriate. The Commission will consider all
timely and responsive public comments that it receives on or before
August 8, 2023. For information on the Commission's privacy policy,
including routine uses permitted by the Privacy Act, see <a href="https://www.ftc.gov/site-information/privacy-policy">https://www.ftc.gov/site-information/privacy-policy</a>.
List of Subjects in 16 CFR Part 318
Breach, Consumer protection, Health, Privacy, Reporting and
recordkeeping requirements, Trade practices.
For the reasons set out in this document, the Commission proposes
to amend part 318 of title 16 of the Code of Federal Regulations as
follows:
0
1. Revise part 318 to read as follows:
PART 318--HEALTH BREACH NOTIFICATION RULE
Sec.
318.1 Purpose and scope.
318.2 Definitions.
318.3 Breach notification requirement.
318.4 Timeliness of notification.
318.5 Methods of notice.
318.6 Content of notice.
318.7 Enforcement.
318.8 Effective date.
318.9 Sunset.
Authority: 42 U.S.C. 17937 and 17953.
318.1 Purpose and scope.
(a) This part, which shall be called the ``Health Breach
Notification Rule,'' implements section 13407 of the American Recovery
and Reinvestment Act of 2009, 42 U.S.C. 17937. It applies to foreign
and domestic vendors of personal health records, PHR related entities,
and third party service providers, irrespective of any jurisdictional
tests in the Federal Trade Commission (FTC) Act, that maintain
information of U.S. citizens or residents. It does not apply to HIPAA-
covered entities, or to any other entity to the extent that it engages
in activities as a business associate of a HIPAA-covered entity.
(b) This part preempts state law as set forth in section 13421 of
the American Recovery and Reinvestment Act of 2009, 42 U.S.C. 17951.
318.2 Definitions.
(a) Breach of security means, with respect to unsecured PHR
identifiable health information of an individual in a personal health
record, acquisition of such information without the authorization of
the individual. Unauthorized acquisition will be presumed to include
unauthorized access to unsecured PHR identifiable health information
unless the vendor of personal health records, PHR related entity, or
third party service provider that experienced the breach has reliable
evidence showing that there has not been, or could not reasonably have
been, unauthorized acquisition of such information. A breach of
security includes an unauthorized acquisition of unsecured PHR
identifiable health information in a personal health record
[[Page 37835]]
that occurs as a result of a data breach or an unauthorized disclosure.
(b) Business associate means a business associate under the Health
Insurance Portability and Accountability Act, Public Law 104-191, 110
Stat. 1936, as defined in 45 CFR 160.103.
(c) Clear and conspicuous means that a notice is reasonably
understandable and designed to call attention to the nature and
significance of the information in the notice.
(1) Reasonably Understandable: You make your notice reasonably
understandable if you:
(i) Present the information in the notice in clear, concise
sentences, paragraphs, and sections;
(ii) Use short explanatory sentences or bullet lists whenever
possible;
(iii) Use definite, concrete, everyday words and active voice
whenever possible;
(iv) Avoid multiple negatives;
(v) Avoid legal and highly technical business terminology whenever
possible; and
(vi) Avoid explanations that are imprecise and readily subject to
different interpretations.
(2) Designed to call attention. You design your notice to call
attention to the nature and significance of the information in it if
you:
(i) Use a plain-language heading to call attention to the notice;
(ii) Use a typeface and type size that are easy to read;
(iii) Provide wide margins and ample line spacing;
(iv) Use boldface or italics for key words; and
(v) In a form that combines your notice with other information, use
distinctive type size, style, and graphic devices, such as shading or
sidebars, when you combine your notice with other information. The
notice should stand out from any accompanying text or other visual
elements so that it is easily noticed, read, and understood.
(3) Notices on websites or within-application messaging. If you
provide a notice on a web page or using within-application messaging,
you design your notice to call attention to the nature and significance
of the information in it if you use text or visual cues to encourage
scrolling down the page if necessary to view the entire notice and
ensure that other elements on the website or software application (such
as text, graphics, hyperlinks, or sound) do not distract attention from
the notice, and you either:
(i) Place the notice on a screen that consumers frequently access,
such as a page on which transactions are conducted; or
(ii) Place a link on a screen that consumers frequently access,
such as a page on which transactions are conducted, that connects
directly to the notice and is labeled appropriately to convey the
importance, nature and relevance of the notice.
(d) Electronic mail means (1) email in combination with one or more
of the following: (2) text message, within-application messaging, or
electronic banner.
(e) Health care services or supplies includes any online service
such as a website, mobile application, or internet-connected device
that provides mechanisms to track diseases, health conditions,
diagnoses or diagnostic testing, treatment, medications, vital signs,
symptoms, bodily functions, fitness, fertility, sexual health, sleep,
mental health, genetic information, diet, or that provides other
health-related services or tools.
(f) Health care provider means a provider of services (as defined
in 42 U.S.C. 1395x(u)), a provider of medical or other health services
(as defined in 42 U.S.C. 1395x(s)), or any other entity furnishing
health care services or supplies.
(g) HIPAA-covered entity means a covered entity under the Health
Insurance Portability and Accountability Act, Public Law 104-191, 110
Stat. 1936, as defined in 45 CFR 160.103.
(h) Personal health record means an electronic record of PHR
identifiable health information on an individual that has the technical
capacity to draw information from multiple sources and that is managed,
shared, and controlled by or primarily for the individual.
(i) PHR identifiable health information means information:
(1) That is provided by or on behalf of the individual;
(2) That identifies the individual or with respect to which there
is a reasonable basis to believe that the information can be used to
identify the individual;
(3) Relates to the past, present, or future physical or mental
health or condition of an individual, the provision of health care to
an individual, or the past, present, or future payment for the
provision of health care to an individual; and
(4) Is created or received by a:
(i) health care provider;
(ii) health plan (as defined in 42 U.S.C. 1320d(5));
(iii) employer; or
(iv) health care clearinghouse (as defined in 42 U.S.C. 1320d(2)).
(j) PHR related entity means an entity, other than a HIPAA-covered
entity or an entity to the extent that it engages in activities as a
business associate of a HIPAA-covered entity, that:
(1) Offers products or services through the website, including any
online service, of a vendor of personal health records;
(2) Offers products or services through the websites, including any
online service, of HIPAA-covered entities that offer individuals
personal health records; or
(3) Accesses unsecured PHR identifiable health information in a
personal health record or sends unsecured PHR identifiable health
information to a personal health record.
(k) State means any of the several States, the District of
Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and
the Northern Mariana Islands.
(l) Third party service provider means an entity that:
(1) Provides services to a vendor of personal health records in
connection with the offering or maintenance of a personal health record
or to a PHR related entity in connection with a product or service
offered by that entity; and
(2) Accesses, maintains, retains, modifies, records, stores,
destroys, or otherwise holds, uses, or discloses unsecured PHR
identifiable health information as a result of such services.
(m) Unsecured means PHR identifiable information that is not
protected through the use of a technology or methodology specified by
the Secretary of Health and Human Services in the guidance issued under
section 13402(h)(2) of the American Reinvestment and Recovery Act of
2009, 42 U.S.C. 17932(h)(2).
(n) Vendor of personal health records means an entity, other than a
HIPAA-covered entity or an entity to the extent that it engages in
activities as a business associate of a HIPAA-covered entity, that
offers or maintains a personal health record.
318.3 Breach notification requirement.
(a) In general. In accordance with Sec. 318.4 (Timeliness of
notification), Sec. 318.5 (Notice to FTC), and Sec. 318.6 (Content of
notice), each vendor of personal health records, following the
discovery of a breach of security of unsecured PHR identifiable health
information that is in a personal health record maintained or offered
by such vendor, and each PHR related entity, following the discovery of
a breach of security of such information that is obtained through a
product or service provided by such entity, shall:
[[Page 37836]]
(1) Notify each individual who is a citizen or resident of the
United States whose unsecured PHR identifiable health information was
acquired by an unauthorized person as a result of such breach of
security;
(2) Notify the Federal Trade Commission; and
(3) Notify prominent media outlets serving a State or jurisdiction,
following the discovery of a breach of security, if the unsecured PHR
identifiable health information of 500 or more residents of such State
or jurisdiction is, or is reasonably believed to have been, acquired
during such breach.
(b) Third party service providers. A third party service provider
shall, following the discovery of a breach of security, provide notice
of the breach to an official designated in a written contract by the
vendor of personal health records or the PHR related entity to receive
such notices or, if such a designation is not made, to a senior
official at the vendor of personal health records or PHR related entity
to which it provides services, and obtain acknowledgment from such
official that such notice was received. Such notification shall include
the identification of each customer of the vendor of personal health
records or PHR related entity whose unsecured PHR identifiable health
information has been, or is reasonably believed to have been, acquired
during such breach. For purposes of ensuring implementation of this
requirement, vendors of personal health records and PHR related
entities shall notify third party service providers of their status as
vendors of personal health records or PHR related entities subject to
this part. While some third party service providers may access
unsecured PHR identifiable health information in the course of
providing services, this does not render the third party service
provider a PHR related entity.
(c) Breaches treated as discovered. A breach of security shall be
treated as discovered as of the first day on which such breach is known
or reasonably should have been known to the vendor of personal health
records, PHR related entity, or third party service provider,
respectively. Such vendor, entity, or third party service provider
shall be deemed to have knowledge of a breach if such breach is known,
or reasonably should have been known, to any person, other than the
person committing the breach, who is an employee, officer, or other
agent of such vendor of personal health records, PHR related entity, or
third party service provider.
318.4 Timeliness of notification.
(a) In general. Except as provided in paragraphs (b) (Timing of
notice to FTC) and (d) of this section (Law enforcement exception), all
notifications required under Sec. 318.3(a)(1) (required notice to
individuals), Sec. 318.3(b) (required notice by third party service
providers), and Sec. 318.3(a)(3) (required notice to media) shall be
sent without unreasonable delay and in no case later than 60 calendar
days after the discovery of a breach of security.
(b) Timing of notice to FTC. All notifications required under Sec.
318.5(c) (Notice to FTC) involving the unsecured PHR identifiable
health information of 500 or more individuals shall be provided as soon
as possible and in no case later than ten business days following the
date of discovery of the breach. All logged notifications required
under Sec. 318.5(c) (Notice to FTC) involving the unsecured PHR
identifiable health information of fewer than 500 individuals may be
sent annually to the Federal Trade Commission no later than 60 calendar
days following the end of the calendar year.
(c) Burden of proof. The vendor of personal health records, PHR
related entity, and third party service provider involved shall have
the burden of demonstrating that all notifications were made as
required under this part, including evidence demonstrating the
necessity of any delay.
(d) Law enforcement exception. If a law enforcement official
determines that a notification, notice, or posting required under this
part would impede a criminal investigation or cause damage to national
security, such notification, notice, or posting shall be delayed. This
paragraph shall be implemented in the same manner as provided under 45
CFR 164.528(a)(2), in the case of a disclosure covered under such
section.
318.5 Methods of notice.
(a) Individual notice. A vendor of personal health records or PHR
related entity that discovers a breach of security shall provide notice
of such breach to an individual promptly, as described in Sec. 318.4
(Timeliness of notification), and in the following form:
(1) Written notice at the last known address of the individual.
Written notice may be sent by electronic mail if the individual has
specified electronic mail as the primary method of communication. Any
written notice sent by electronic mail must be Clear and Conspicuous.
Where notice via electronic mail is not available or the individual has
not specified electronic mail as the primary method of communication, a
vendor of personal health records or PHR related entity may provide
notice by first-class mail at the last known address of the individual.
If the individual is deceased, the vendor of personal health records or
PHR related entity that discovered the breach must provide such notice
to the next of kin of the individual if the individual had provided
contact information for his or her next of kin, along with
authorization to contact them. The notice may be provided in one or
more mailings as information is available. Exemplar notices that
vendors of personal health records or PHR related entities may use to
notify individuals pursuant to this paragraph are attached as Appendix
A.
(2) If, after making reasonable efforts to contact all individuals
to whom notice is required under Sec. 318.3(a), through the means
provided in paragraph (a)(1) of this section, the vendor of personal
health records or PHR related entity finds that contact information for
ten or more individuals is insufficient or out-of-date, the vendor of
personal health records or PHR related entity shall provide substitute
notice, which shall be reasonably calculated to reach the individuals
affected by the breach, in the following form:
(i) Through a conspicuous posting for a period of 90 days on the
home page of its website; or
(ii) In major print or broadcast media, including major media in
geographic areas where the individuals affected by the breach likely
reside. Such a notice in media or web posting shall include a toll-free
phone number, which shall remain active for at least 90 days, where an
individual can learn whether the individual's unsecured PHR
identifiable health information may be included in the breach.
(3) In any case deemed by the vendor of personal health records or
PHR related entity to require urgency because of possible imminent
misuse of unsecured PHR identifiable health information, that entity
may provide information to individuals by telephone or other means, as
appropriate, in addition to notice provided under paragraph (a)(1) of
this section.
(b) Notice to media. As described in Sec. 318.3(a)(3), a vendor of
personal health records or PHR related entity shall provide notice to
prominent media outlets serving a State or jurisdiction, following the
discovery of a breach of security, if the unsecured PHR identifiable
health information of 500 or more residents of such State or
jurisdiction is, or is reasonably believed
[[Page 37837]]
to have been, acquired during such breach.
(c) Notice to FTC. Vendors of personal health records and PHR
related entities shall provide notice to the Federal Trade Commission
following the discovery of a breach of security, as described in Sec.
318.4(b) (Timing of notice to FTC). If the breach involves the
unsecured PHR identifiable health information of fewer than 500
individuals, the vendor of personal health records or PHR related
entity may maintain a log of any such breach and submit such a log
annually to the Federal Trade Commission as described in Sec. 318.4(b)
(Timing of notice to FTC), documenting breaches from the preceding
calendar year. All notices pursuant to this paragraph shall be provided
according to instructions at the Federal Trade Commission's website.
318.6 Content of notice.
Regardless of the method by which notice is provided to individuals
under Sec. 318.5 (Methods of notice) of this part, notice of a breach
of security shall be in plain language and include, to the extent
possible, the following:
(a) A brief description of what happened, including: the date of
the breach and the date of the discovery of the breach, if known; the
potential harm that may result from the breach, such as medical or
other identity theft; and the full name, website, and contact
information (such as a public email address or phone number) of any
third parties that acquired unsecured PHR identifiable health
information as a result of a breach of security, if this information is
known to the vendor of personal health records or PHR related entity;
(b) A description of the types of unsecured PHR identifiable health
information that were involved in the breach (such as but not limited
to full name, Social Security number, date of birth, home address,
account number, health diagnosis or condition, lab results,
medications, other treatment information, the individual's use of a
health-related mobile application, or device identifier (in combination
with another data element));
(c) Steps individuals should take to protect themselves from
potential harm resulting from the breach;
(d) A brief description of what the entity that experienced the
breach is doing to investigate the breach, to mitigate harm, to protect
against any further breaches, and to protect affected individuals, such
as offering credit monitoring or other services; and
(e) Contact procedures for individuals to ask questions or learn
additional information, which must include two or more of the
following: toll-free telephone number; email address; website; within-
application; or postal address.
318.7 Enforcement.
Any violation of this part shall be treated as a violation of a
rule promulgated under section 18 of the Federal Trade Commission Act,
15 U.S.C. 57a, regarding unfair or deceptive acts or practices, and
thus subject to civil penalties (as adjusted for inflation pursuant to
Sec. 1.98 of this chapter), and the Commission will enforce this Rule
in the same manner, by the same means, and with the same jurisdiction,
powers, and duties as are available to it pursuant to the Federal Trade
Commission Act, 15 U.S.C. 41 et seq.
318.8 Effective date.
This part shall apply to breaches of security that are discovered
on or after September 24, 2009.
318.9 Sunset.
If new legislation is enacted establishing requirements for
notification in the case of a breach of security that apply to entities
covered by this part, the provisions of this part shall not apply to
breaches of security discovered on or after the effective date of
regulations implementing such legislation.
By direction of the Commission.
April J. Tabor,
Secretary.
Appendix A: Health Breach Notification Rule Exemplar Notices
The notices below are intended to be examples of notifications
that entities may use, in their discretion, to notify individuals of
a breach of security pursuant to the Health Breach Notification
Rule. The examples below are for illustrative purposes only. You
should tailor any notices to the particular facts and circumstances
of your breach. While your notice must comply with the Health Breach
Notification Rule, you are not required to use the notices below.
Mobile Text Message and In-App Message Exemplars
Text Message Notification Exemplar 1
Due to a security breach on our system, the health information
you shared with us through [name of product] is now in the hands of
unknown attackers. Visit [add non-clickable URL] to learn what
happened, how it affects you, and what you can do to protect your
information. We also sent you an email with additional information.
Text Message Notification Exemplar 2
You shared health information with us when you used [product
name]. We discovered that we shared your health information with
third parties for [describe why the company shared the info] without
your permission. Visit [add non-clickable URL] to learn what
happened, how it affects you, and what you can do to protect your
information. We also sent you an email with more information.
In-App Message Notification Exemplar 1
Due to a security breach on our system, the health information
you shared with us through [name of product] is now in the hands of
unknown attackers. This could include your [Add specifics--for
example, your name, email, address, blood pressure data]. Visit
[URL] to learn what happened, how it affects you, and what you can
do to protect your information. We also sent you an email with
additional information.
In-App Message Notification Exemplar 2
You shared health information with us when you used [product
name]. We discovered that we shared your health information with
third parties for [if known, describe why the company shared the
info] without your permission. This could include your [Add
specifics--for example, your name, email, address, blood pressure
data]. Visit [URL] to learn what happened, how it affects you, and
what you can do to protect your information. We also sent you an
email with additional information.
Web Banner Exemplars
Web Banner Notification Exemplar 1
Due to a security breach on our system, the health information
you shared with us through [name of product] is now in the hands of
unknown attackers. This could include your [Add specifics--for
example, your name, email, address, blood pressure data]. Visit
[URL] to learn what happened, how it affects you, and what you can
do to protect your information.
<bullet> Recommend: Include clear ``Take action'' call to action
button, such as the example below:
[GRAPHIC] [TIFF OMITTED] TP09JN23.006
[[Page 37838]]
Web Banner Notification Exemplar 2
You shared health information with us when you used [product
name]. We discovered that we shared your health information with
third parties for [if known, describe why the company shared the
info] without your permission. This could include your [Add
specifics--for example, your name, email, address, blood pressure
data]. Visit [URL] to learn what happened, how it affects you, and
what you can do to protect your information.
<bullet> Recommend: Include clear ``Take action'' call to action
button, such as the example below:
[GRAPHIC] [TIFF OMITTED] TP09JN23.007
Email Exemplars
Exemplar Email Notice 1
Email Sender: [Company] <company email>
Email Subject Line: [Company] Breach of Your Health Information
Dear [Name],
We are contacting you because an attacker recently gained
unauthorized access to our system and stole health information about
our customers, including you.
What happened and what it means for you
On [March 1, 2022], we learned that an attacker had accessed a
file containing our customers' health information on [February 28,
2022]. The file included your name, the name of your health
insurance company, your date of birth, and your group or policy
number.
A hacker could use your information now or at a later time to
commit identity theft or could sell your information to other
criminals. For example, a criminal could get medical care in your
name or change your medical records or run up bills in your name.
What you can do to protect yourself
You can take steps now to reduce the risk of identity theft.
1. Review your medical records, statements, and bills for signs
that someone is using your information. Under the health privacy law
known as HIPAA, you have the right to access your medical records.
Get your records and review them for any treatments or doctor visits
you don't recognize. If you find any, report them to your healthcare
provider in writing. Then go to <a href="http://www.IdentityTheft.gov/steps">www.IdentityTheft.gov/steps</a> to see
what other steps you can take to limit the damage.
Also review the Explanation of Benefits statement your insurer
sends you when it pays for medical care.
Some criminals wait before using stolen information so keep
monitoring your benefits and bills.
2. Review your credit reports for errors. You can get your free
credit reports from the three credit bureaus at
<a href="http://www.annualcreditreport.com">www.annualcreditreport.com</a> or call 1-877-322-8228. Look for medical
billing errors, like medical debt collection notices that you don't
recognize. Report any medical billing errors to all three credit
bureaus by following the ``What To Do Next'' steps on
<a href="http://www.IdentityTheft.gov">www.IdentityTheft.gov</a>.
3. Sign up for free credit monitoring to detect suspicious
activity. Credit monitoring detects and alerts you about activity on
your credit reports. Activity you don't recognize could be a sign
that someone stole your identity. We're offering free credit
monitoring for two years through [name of service]. Learn more and
sign up at [URL].
4. Consider freezing your credit report or placing a fraud alert
on your credit report. A credit report freeze means potential
creditors can't get your credit report without your permission. That
makes it less likely that an identity thief can open new accounts in
your name. A freeze remains in place until you ask the credit bureau
to temporarily lift it or remove it.
A fraud alert will make it harder for someone to open a new
credit account in your name. It tells creditors to contact you
before they open any new accounts in your name or change your
accounts. A fraud alert lasts for one year. After a year, you can
renew it.
To freeze your credit report, contact each of the three credit
bureaus, Equifax, Experian, and TransUnion.
To place a fraud alert, contact any one of the three credit
bureaus, Equifax, Experian, and TransUnion. As soon as one credit
bureau confirms your fraud alert, the others are notified to place
fraud alerts on your credit report.
Credit bureau contact information
Equifax, <a href="http://www.equifax.com/personal/credit-report-services">www.equifax.com/personal/credit-report-services</a>, 1-800-
685-1111
Experian, <a href="http://www.experian.com/help">www.experian.com/help</a>, 1-888-397-3742
TransUnion, <a href="http://www.transunion.com/credit-help">www.transunion.com/credit-help</a>, 1-888-909-8872
Learn more about how credit report freezes and fraud alerts can
protect you from identity theft or prevent further misuse of your
personal information at <a href="http://www.consumer.ftc.gov/articles/what-know-about-credit-freezes-and-fraud-alerts">www.consumer.ftc.gov/articles/what-know-about-credit-freezes-and-fraud-alerts</a>.
What we are doing in response.
We hired security experts to secure our system. We are working
with law enforcement to find the attacker. And we are investigating
whether we made mistakes that made it possible for the attackers to
get in.
Learn more about the breach.
Go to [URL] to learn more about what happened and what you can
do to protect yourself. If we have any updates, we will post them
there.
If you have questions or concerns, call us at [telephone
number], email us at [address], or go to [URL].
Sincerely,
First name Last Name
[Role], [Company]
Exemplar Email Notice 2
Email Sender: [Company] <company email>
Email Subject Line: Unauthorized disclosure of your health
information by [Company]
Dear [Name],
We are contacting you because you use our company's app [name of
app]. When you downloaded our app, we promised to keep your personal
health information private. Instead, we disclosed health information
about you to another company without your approval.
What happened?
We told Company XYZ (insert website address of Company XYZ) that
you use our app, and between [January 10, 2021] and [March 1, 2022],
we gave them your name and your email address.
We gave Company XYZ this information so they could use it for
advertising and marketing purposes. For example, to target you for
ads for cancer drugs.
You may contact Company XYZ at [insert contact info, such as
email or phone] for more information.
What we are doing in response
We will stop selling or sharing your health information with
other companies.We will stop using your health information for
advertising or marketing purposes. We have asked Company XYZ to
delete your health information, but it's possible they could
continue to use it for advertising and marketing.
What you can do
We made important changes to our app to fix this problem.
Download the latest updates to our app then review your privacy
settings. You can also contact Company XYZ to request that it delete
your data.
Learn more
Learn more about our privacy and security practices at [URL]. If
we have any updates, we will post them there.
If you have any questions or concerns, call us at [telephone
number] or email us at [address].
Sincerely,
First name Last Name
[Role], [Company]
Exemplar Email Notice 3
Email Sender: [Company] <company email>
Email Subject Line:[Company] Breach of Your Health Information
[[Page 37839]]
Dear [Name],
We are contacting you about a breach of your health information
collected through the [product], a device sold by our company,
[Company].
What happened? On [March 1, 2022], we discovered that our
employee had accidentally posted a database online on [February 28,
2022]. That database included your name, your credit or debit card
information, and your blood pressure readings. We don't know if
anyone else found the database and saw your information. If someone
found the database, they could use personal information to steal
your identity or make unauthorized charges in your name.
What you can do to protect yourself
You can take steps now to reduce the risk of identity theft.
1. Get your free credit report and review it for signs of
identity theft. Order your free credit report at
<a href="http://www.annualcreditreport.com">www.annualcreditreport.com</a>. Review it for accounts and activity you
don't recognize. Recheck your credit reports periodically.
2. Consider freezing your credit report or placing a fraud alert
on your credit report. A credit report freeze means potential
creditors can't get your credit report without your permission. That
makes it less likely that an identity thief can open new accounts in
your name. A freeze remains in place until you ask the credit bureau
to temporarily lift it or remove it.
A fraud alert will make it harder for someone to open a new
credit account in your name. It tells creditors to contact you
before they open any new accounts in your name or change your
accounts. A fraud alert lasts for one year. After a year, you can
renew it.
To freeze your credit report, contact each of the three credit
bureaus, Equifax, Experian, and TransUnion.
To place a fraud alert, contact any one of the three credit
bureaus, Equifax, Experian, and TransUnion. As soon as one credit
bureau confirms your fraud alert, the others are notified to place
fraud alerts on your credit report.
Credit bureau contact information
Equifax, <a href="http://www.equifax.com/personal/credit-report-services">www.equifax.com/personal/credit-report-services</a>, 1-800-
685-1111
Experian, <a href="http://www.experian.com/help">www.experian.com/help</a>, 1-888-397-3742
TransUnion, <a href="http://www.transunion.com/credit-help">www.transunion.com/credit-help</a>, 1-888-909-8872
Learn more about how credit report freezes and fraud alerts can
protect you from identity theft or prevent further misuse of your
personal information at <a href="http://www.consumer.ftc.gov/articles/what-know-about-credit-freezes-and-fraud-alerts">www.consumer.ftc.gov/articles/what-know-about-credit-freezes-and-fraud-alerts</a>.
3. Sign up for free credit monitoring to detect suspicious
activity. Credit monitoring detects and alerts you about activity on
your credit reports. Activity you don't recognize could be a sign
that someone stole your identity. We're offering free credit
monitoring for two years through [name of service]. Learn more and
sign up at [URL].
What we are doing in response
We are investigating our mistakes. We know the database
shouldn't have been online and it should have been encrypted. We are
making changes to prevent this from happening again.
We are working with experts to secure our system. We are
reviewing our databases to make sure we store health information
securely.
Learn more about the breach
Go to [URL] to learn more about what happened and what you can
do to protect yourself. If we have any updates, we will post them
there.
If you have questions or concerns, call us at [telephone
number], email us at [address], or go to [URL].
Sincerely,
First name Last Name
[Role], [Company]
[FR Doc. 2023-12148 Filed 6-8-23; 8:45 am]
BILLING CODE 6750-01-P
</pre></body>
</html>Indexed from Federal Register on June 9, 2023.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.