Health Breach Notification Rule
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Full Text
<html>
<head>
<title>Federal Register, Volume 89 Issue 105 (Thursday, May 30, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 105 (Thursday, May 30, 2024)]
[Rules and Regulations]
[Pages 47028-47064]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-10855]
[[Page 47027]]
Vol. 89, No. 105
Thursday, May 30, 2024
Part III
Federal Trade Commission
-----------------------------------------------------------------------
16 CFR Part 318
Health Breach Notification Rule; Final Rule
Federal Register / Vol. 89, No. 105 / Thursday, May 30, 2024 / Rules
and Regulations
[[Page 47028]]
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
16 CFR Part 318
RIN 3084-AB56
Health Breach Notification Rule
AGENCY: Federal Trade Commission.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') is
amending the Commission's Health Breach Notification Rule (the ``HBN
Rule'' or the ``Rule''). The HBN Rule requires vendors of personal
health records (``PHRs'') and related entities that are not covered by
the Health Insurance Portability and Accountability Act (``HIPAA'') to
notify individuals, the FTC, and, in some cases, the media of a breach
of unsecured personally identifiable health data.
DATES: The amendments are effective July 29, 2024.
ADDRESSES: Relevant portions of the record of this proceeding,
including this document, are available at <a href="https://www.ftc.gov">https://www.ftc.gov</a> and
<a href="https://www.regulations.gov">https://www.regulations.gov</a>.
FOR FURTHER INFORMATION CONTACT: Ryan Mehm, (202) 326-2918,
rmehm@ftc.gov, and Ronnie Solomon, (202) 326-2098, rsolomon@ftc.gov,
Bureau of Consumer Protection, Federal Trade Commission.
SUPPLEMENTARY INFORMATION: The amendments: (1) clarify the Rule's
scope, including its coverage of developers of many health applications
(``apps''); (2) clarify what it means for a vendor of personal health
records to draw PHR identifiable health information from multiple
sources; (3) revise the definition of breach of security to clarify
that a breach of security includes data security breaches and
unauthorized disclosures; (4) revise the definition of PHR related
entity; (5) modernize the method of notice; (6) expand the content of
the notice; (7) alter the Rule's timing requirement for notifying the
FTC of a breach of security; and (8) improve the Rule's readability by
clarifying cross-references and adding statutory citations,
consolidating notice and timing requirements, articulating the
penalties for non-compliance, and incorporating a small number of non-
substantive changes.
I. Background
Congress enacted the American Recovery and Reinvestment Act of 2009
(``Recovery Act'' or ``the Act''),\1\ in part to advance the use of
health information technology and, at the same time, strengthen privacy
and security protections for health information. Recognizing that
certain entities that hold or interact with consumers' personal health
records were not subject to the privacy and security requirements of
HIPAA,\2\ Congress created requirements for such entities to notify
individuals, the Commission, and, in some cases, the media of the
breach of unsecured identifiable health information from those records.
---------------------------------------------------------------------------
\1\ Am. Recovery and Reinvestment Act of 2009, Public Law 111-5,
123 Stat. 115 (2009).
\2\ Health Ins. Portability and Accountability Act, Public Law
104-191, 110 Stat. 1936 (1996).
---------------------------------------------------------------------------
Specifically, section 13407 of the Recovery Act created certain
protections for ``personal health records'' or ``PHRs,'' \3\ electronic
records of PHR identifiable health information on an individual that
can be drawn from multiple sources and that are managed, shared, and
controlled by or primarily for the individual.\4\ Congress recognized
that vendors of personal health records and PHR related entities (i.e.,
companies that offer products and services through PHR websites or
access information in or send information to personal health records)
were collecting consumers' health information but were not subject to
the privacy and security requirements of HIPAA. Accordingly, the
Recovery Act directed the FTC to issue a rule requiring these non-HIPAA
covered entities, and their third party service providers, to provide
notification of any breach of unsecured PHR identifiable health
information. The Commission issued its Rule implementing these
provisions in 2009.\5\ FTC enforcement of the Rule began on February
22, 2010.
---------------------------------------------------------------------------
\3\ 42 U.S.C. 17937.
\4\ 42 U.S.C. 17921(11).
\5\ 74 FR 42962 (Aug. 25, 2009) (``2009 Final Rule'').
---------------------------------------------------------------------------
The Rule the Commission issued in 2009 (``2009 Rule'') requires
vendors of personal health records and PHR related entities to provide:
(1) notice to consumers whose unsecured PHR identifiable health
information has been breached; (2) notice to the Commission; and (3)
notice to prominent media outlets \6\ serving a State or jurisdiction,
in cases where 500 or more residents are confirmed or reasonably
believed to have been affected by a breach.\7\ The Rule also requires
third party service providers (i.e., those companies that provide
services such as billing, data storage, attribution, or analytics) to
vendors of personal health records and PHR related entities to provide
notification to such vendors and entities following the discovery of a
breach.\8\
---------------------------------------------------------------------------
\6\ The Recovery Act does not limit this notice to particular
types of media. Thus, an entity can satisfy the requirement to
notify ``prominent media outlets'' by, for example, disseminating
press releases to a number of media outlets, including internet
media in appropriate circumstances, where most of the residents of
the relevant State or jurisdiction get their news. This will be a
fact-specific inquiry that will depend on what media outlets are
``prominent'' in the relevant jurisdiction. 74 FR 42974.
\7\ 16 CFR 318.3, 318.5.
\8\ Id. Sec. 318.3(b).
---------------------------------------------------------------------------
The 2009 Rule requires notice to individuals ``without unreasonable
delay and in no case later than 60 calendar days'' after discovery of a
data breach.\9\ If the breach affects 500 or more individuals, notice
to the FTC must be provided ``as soon as possible and in no case later
than ten business days'' after discovery of the breach.\10\ The FTC
makes available a standard form for companies to use to notify the
Commission of a breach,\11\ and posts a list of breaches involving 500
or more individuals on its website.\12\
---------------------------------------------------------------------------
\9\ Id. Sec. 318.4(a).
\10\ Id. Sec. 318.5(c).
\11\ Fed. Trade Comm'n, Notice of Breach of Health Information,
<a href="https://www.ftc.gov/system/files/documents/rules/health-breach-notification-rule/health_breach_form.pdf">https://www.ftc.gov/system/files/documents/rules/health-breach-notification-rule/health_breach_form.pdf</a>.
\12\ Fed. Trade Comm'n, Notices Received by the FTC Pursuant to
the Health Breach Notification Rule, <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/Health%20Breach%20Notices%20Received%20by%20the%20FTC.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/Health%20Breach%20Notices%20Received%20by%20the%20FTC.pdf</a> (last
visited Dec. 2, 2022).
---------------------------------------------------------------------------
The 2009 Rule applies only to breaches of ``unsecured'' health
information, which the Rule defines as health information that is not
secured through technologies or methodologies specified by the
Department of Health and Human Services (``HHS''). The Rule does not
apply to businesses or organizations covered by HIPAA.\13\ HIPAA-
covered entities and their ``business associates'' must instead comply
with HHS's breach notification rule.\14\
---------------------------------------------------------------------------
\13\ Per HHS guidance, electronic health information is
``secured'' if it has been encrypted according to certain
specifications set forth by HHS, or if the media on which electronic
health information has been stored or recorded is destroyed
according to HHS specifications. See 74 FR 19006; see also U.S.
Dep't of Health & Human Servs., Guidance to Render Unsecured
Protected Health Information Unusable, Unreadable, or Indecipherable
to Unauthorized Individuals (July 26, 2013), <a href="https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html">https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html</a>. PHR
identifiable health information would be considered ``secured'' if
such information is disclosed by, for example, a vendor of personal
health records, to a PHR related entity or a third party service
provider, in an encrypted format meeting HHS specifications, and the
PHR related entity or third party service provider stores the data
in an encrypted format that meets HHS specifications and also stores
the encryption and/or decryption tools on a device or at a location
separate from the data.
\14\ 45 CFR 164.400 through 164.414.
---------------------------------------------------------------------------
[[Page 47029]]
Since the Rule's issuance, apps and other direct-to-consumer health
technologies, such as fitness trackers and wearable blood pressure
monitors, have become commonplace.\15\ Further, as an outgrowth of the
COVID-19 pandemic, consumer use of such health-related technologies has
increased significantly.\16\
---------------------------------------------------------------------------
\15\ See, e.g., Kokou Adzo, App Development in Healthcare: 12
Exciting Facts, TechnoChops (Jan. 3, 2023), <a href="https://www.technochops.com/programming/4329/app-development-in-healthcare/">https://www.technochops.com/programming/4329/app-development-in-healthcare/</a>;
Emily Olsen, Digital health apps balloon to more than 350,000
available on the market, according to IQVIA report, MobiHealthNews
(Aug. 4, 2021), <a href="https://www.mobihealthnews.com/news/digital-health-apps-balloon-more-350000-available-market-according-iqvia-report">https://www.mobihealthnews.com/news/digital-health-apps-balloon-more-350000-available-market-according-iqvia-report</a>;
Elad Natanson, Healthcare Apps: A Boon, Today and Tomorrow, Forbes
(July 21, 2020), <a href="https://www.forbes.com/sites/eladnatanson/2020/07/21/healthcare-apps-a-boon-today-and-tomorrow/?sh=21df01ac1bb9">https://www.forbes.com/sites/eladnatanson/2020/07/21/healthcare-apps-a-boon-today-and-tomorrow/?sh=21df01ac1bb9</a>.
\16\ See id. See also Lis Evenstad, Covid-19 has led to a 25%
increase in health app downloads, research shows, <a href="http://ComputerWeekly.com">ComputerWeekly.com</a>
(Jan. 12, 2021), <a href="https://www.computerweekly.com/news/252494669/Covid-19-has-led-to-a-25-increase-in-health-app-downloads-research-shows">https://www.computerweekly.com/news/252494669/Covid-19-has-led-to-a-25-increase-in-health-app-downloads-research-shows</a> (finding that COVID-19 has led to a 25% increase in health app
downloads); Jasmine Pennic, U.S. Telemedicine App Downloads Spikes
During COVID-19 Pandemic, HIT Consultant (Sept. 8, 2020), <a href="https://hitconsultant.net/2020/09/08/u-s-telemedicine-app-downloads-spikes-during-covid-19-pandemic/">https://hitconsultant.net/2020/09/08/u-s-telemedicine-app-downloads-spikes-during-covid-19-pandemic/</a> (``US telemedicine app downloads see
dramatic increases during the COVID-19 pandemic, with some seeing an
8,270% rise YoY.'').
---------------------------------------------------------------------------
In May 2020, the Commission announced its regular, ten-year review
of the Rule and requested public comment about potential Rule
changes.\17\ The Commission requested comment on, among other things,
whether changes should be made to the Rule in light of technological
changes, such as the proliferation of apps and similar technologies.
The Commission received 26 public comments.\18\
---------------------------------------------------------------------------
\17\ 85 FR 31085 (May 22, 2020).
\18\ Comments are available at <a href="https://www.regulations.gov/docket/FTC-2020-0045/comments">https://www.regulations.gov/docket/FTC-2020-0045/comments</a>.
---------------------------------------------------------------------------
Many of the commenters in 2020 encouraged the Commission to clarify
that the Rule applies to apps and similar technologies.\19\ In fact, no
commenter opposed this type of clarification regarding the Rule's
coverage of health apps. Several commenters pointed out examples of
health apps that have abused users' privacy, such as by disclosing
sensitive health information without consent.\20\ Several commenters
noted the urgency of this issue, as consumers have further embraced
digital health technologies during the COVID-19 pandemic.\21\
Commenters argued the Commission should take additional steps to
protect unsecured PHR identifiable health information that is not
covered by HIPAA, both to prevent harm to consumers \22\ and to level
the competitive playing field among companies dealing with the same
health information.\23\ To that end, commenters not only urged the
Commission to revise the Rule, but also to increase its enforcement
efforts.\24\
---------------------------------------------------------------------------
\19\ E.g., Am. Health Info. Mgmt. Ass'n (``AHIMA'') at 2; Kaiser
Permanente at 3; Allscripts at 3; Am. Acad. of Ophthalmology at 2;
All. for Nursing Informatics (``ANI'') at 2; Am. Med. Ass'n
(``AMA'') at 4; Am. Coll. of Surgeons at 6; Physicians' Elec. Health
Rec. Coal. (``PEHRC'') at 4 (``Apps that collect health information,
regardless of whether or not they connect to an EHR, must be
regulated by the FTC Health Breach Notification Rule to ensure the
safety and security of personal health information.''); Am.'s Health
Ins. Plans (``AHIP'') and Blue Cross Blue Shield Ass'n (``BCBS'') at
2; The App Ass'n's Connected Health Initiative (``CHI'') at 3.
\20\ Kaiser Permanente at 7; The Light Collective at 2; Am.
Acad. of Ophthalmology at 2; PEHRC at 2-3.
\21\ Lisa McKeen at 2-3; Kaiser Permanente at 7-8; AMA at 3;
Off. of the Att'y Gen. for the State of Cal. (``OAG-CA'') at 3-4;
Healthcare Info. and Mgmt. Sys. Soc'y (``HIMSS'') and Personal
Connected Health All. (``PCH Alliance'') at 4-5.
\22\ Georgia Morgan; Am. Acad. of Ophthalmology at 2-3 (arguing
that consumers do not know all the ways their data is being used by
third parties, and the downstream consequences of data being used in
this way may ultimately erode a patient's privacy and willingness to
disclose information to his or her physician); Coll. of Healthcare
Info. Mgmt. Exec.'s (``CHIME'') at 3 (arguing that apps' privacy
practices impact the patient-provider relationship because providers
do not know what technologies are sufficiently trustworthy for their
patients); AMA at 2-3 (expressing concern that patients share less
health data with health care providers, perhaps because of
``spillover from privacy and security breaches'').
\23\ Kaiser Permanente at 2, 4; Workgroup for Elec. Data
Interchange (``WEDI'') at 2; AHIP and BCBS at 3 (``[HIPAA] covered
entities, such as health plans, that use or disclose protected
health information should not be subject to stricter notification
requirements than those imposed on vendors of personal health
records or other such entities. Otherwise, the Federal government
will be providing market advantages to particular industry segments
with the effect of dampening competition and harming consumers.'').
\24\ Kaiser Permanente at 4; Fred Trotter at 1; Casey Quinlan at
1; CARIN Alliance at 2. At the time of this document's publication,
the Commission has brought two enforcement actions under the Rule;
the first against digital health company GoodRx Holdings, Inc., and
the second against an ovulation-tracking mobile app marketed under
the name ``Premom'' and developed by Easy Healthcare, Inc. United
States v. GoodRx Holdings, Inc., No. 23-cv-460 (N.D. Cal. Feb. 17,
2023), <a href="https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc">https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc</a>; United States v. Easy Healthcare Corp.,
No. 1:23-cv-3107 (N.D. Ill. June 22, 2023), <a href="https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v">https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v</a>.
---------------------------------------------------------------------------
A. The Commission's 2021 Policy Statement
On September 15, 2021, the Commission issued a Policy Statement
providing guidance on the scope of the Rule. The Policy Statement
clarified that the Rule covers most health apps and similar
technologies that are not covered by HIPAA.\25\ The Rule defines a
``personal health record'' as ``an electronic record of PHR
identifiable health information on an individual that can be drawn from
multiple sources and that is managed, shared, and controlled by or
primarily for the individual.'' \26\ As the Commission explained in the
Policy Statement, many makers and purveyors of health apps and other
connected devices are vendors of personal health records covered by the
Rule because their products are electronic records of PHR identifiable
health information.
---------------------------------------------------------------------------
\25\ Statement of the Commission on Breaches by Health Apps and
Other Connected Devices, Fed. Trade Comm'n (Sept. 15, 2021), <a href="https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf">https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf</a> (``Policy Statement'').
\26\ 16 CFR 318.2.
---------------------------------------------------------------------------
The Commission explained that PHR identifiable health information
includes individually identifiable health information created or
received by a health care provider,\27\ and that ``health care
providers'' include any entities that ``furnish[ ] health care services
or supplies.'' \28\ Because these health app purveyors furnish health
care services to their users through the mobile applications they
provide, the information held in the app is PHR identifiable health
information, and therefore many health app purveyors likely qualify as
vendors of personal health records.\29\
---------------------------------------------------------------------------
\27\ Id. Sec. 318.2, incorporating in part the definition from
section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)).
\28\ Id. Sec. 318.2; 42 U.S.C. 1320d(6), d(3).
\29\ See Policy Statement at 1.
---------------------------------------------------------------------------
The Policy Statement further explained that the statute directing
the FTC to promulgate the Rule requires that a ``personal health
record'' be an electronic record that can be drawn from multiple
sources.\30\ Accordingly, health apps and similar technologies likely
qualify as personal health records covered by the Rule if they are
capable of drawing information from multiple sources. The Commission
further clarified that health apps and other products experience a
``breach of security'' under the Rule when they disclose users'
sensitive health information without authorization; \31\ a breach is
``not limited to cybersecurity intrusions or nefarious behavior.'' \32\
---------------------------------------------------------------------------
\30\ The Policy Statement provided this example: ``[I]f a blood
sugar monitoring app draws health information only from one source
(e.g., a consumer's inputted blood sugar levels), but also takes
non-health information from another source (e.g., dates from your
phone's calendar), it is covered under the Rule.'' Id. at 2.
\31\ 16 CFR 318.2.
\32\ Policy Statement at 2. In the Statement of Basis and
Purpose to the 2009 Final Rule published in the Federal Register
(``2009 Rule Commentary''), the Commission, in addressing questions
about how the extent of individual authorization should be
determined, stated data sharing to enhance consumers' experience
with a PHR is authorized only if such use is consistent with the
entity's disclosures and individuals' reasonable expectations. For
anything beyond such uses, the Commission expects vendors of
personal health records and PHR related entities to limit the
sharing of consumers' information, unless the consumers exercise
``meaningful choice'' in allowing sharing. The Commission believes
burying disclosures in lengthy privacy policies does not satisfy the
standard of ``meaningful choice.'' 74 FR 42967.
---------------------------------------------------------------------------
[[Page 47030]]
B. Enforcement History
In 2023, the Commission brought its first enforcement actions under
the Rule against vendors of personal health records. In February 2023,
the Commission brought an enforcement action alleging a violation of
the Rule against GoodRx Holdings, Inc. (``GoodRx''), a digital health
company that sells health-related products and services directly to
consumers, including prescription medication discount products and
telehealth services through its website and mobile applications.\33\
---------------------------------------------------------------------------
\33\ United States v. GoodRx Holdings, Inc., No. 23-cv-460 (N.D.
Cal. Feb. 17, 2023), <a href="https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc">https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc</a>.
---------------------------------------------------------------------------
In its complaint, the Commission alleged that between 2017 and
2020, GoodRx, as a vendor of personal health records, disclosed more
than 500 consumers' unsecured PHR identifiable health information to
third party advertising platforms like Facebook and Google, without the
authorization of those consumers. As charged in the complaint, these
disclosures violated explicit privacy promises the company made to its
users about its data sharing practices (including about its sharing of
PHR identifiable health information). The Commission alleged GoodRx
broke these promises and disclosed its users' prescription medications
and personal health conditions, personal contact information, and
unique advertising and persistent identifiers. The Commission charged
GoodRx with violating the Rule by failing to provide the required
notifications, as prescribed by the Rule, to (1) individuals whose
unsecured PHR identifiable health information was acquired by an
unauthorized person, (2) the Federal Trade Commission, and (3) media
outlets. 16 CFR 318.3 through 318.6. The Commission entered into a
settlement that imposed injunctive relief and required GoodRx to pay a
$1.5 million civil penalty for its alleged violation of the Rule.\34\
---------------------------------------------------------------------------
\34\ In addition, the Commission alleged GoodRx's data sharing
practices were deceptive and unfair, in violation of section 5 of
the FTC Act.
---------------------------------------------------------------------------
Similarly, on May 17, 2023, the Commission brought its second
enforcement action under the Rule against Easy Healthcare Corporation
(``Easy Healthcare''), a company that publishes an ovulation and period
tracking mobile application called Premom, which allows its users to
input and track various types of health and other sensitive data.
Similar to the conduct alleged against GoodRx, Easy Healthcare
disclosed PHR identifiable health information to third party companies
such as Google and AppsFlyer, contrary to its privacy promises, and did
not comply with the Rule's notification requirements. The Commission
entered into a settlement that imposed injunctive relief and required
Easy Healthcare to pay a $100,000 civil penalty for its alleged
violation of the Rule.\35\
---------------------------------------------------------------------------
\35\ United States v. Easy Healthcare Corporation, No.
1:23-cv-3107 (N.D. Ill. June 22, 2023), <a href="https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v">https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v</a>.
---------------------------------------------------------------------------
C. Notice of Proposed Rulemaking
Having considered the public comments on the regulatory review
notification and its Policy Statement, on June 9, 2023, the Commission
issued a notice of proposed rulemaking (``NPRM'') \36\ proposing to
revise the Rule, 16 CFR part 318, in seven ways:
---------------------------------------------------------------------------
\36\ 88 FR 37819 (``2023 NPRM'').
---------------------------------------------------------------------------
<bullet> First, the Commission proposed to revise several
definitions in order to clarify the Rule and better explain its
application to health apps and similar technologies not covered by
HIPAA. Consistent with this objective, the NPRM modified the definition
of ``PHR identifiable health information'' and added two new
definitions (``health care provider'' and ``health care services or
supplies''). These proposed changes were consistent with a number of
public comments supporting the Rule's coverage of these technologies.
<bullet> Second, the Commission proposed to revise the definition
of ``breach of security'' to clarify that a breach of security includes
an unauthorized acquisition of PHR identifiable health information in a
personal health record that occurs as a result of a data security
breach or an unauthorized disclosure.
<bullet> Third, the Commission proposed to revise the definition of
``PHR related entity'' in two ways. Consistent with its proposal to
clarify that the Rule applies to health apps, the Commission first
proposed clarifying the definition of ``PHR related entity'' to make
clear that the Rule covers entities that offer products and services
through the online services, including mobile applications, of vendors
of personal health records. In addition, the Commission proposed
revising the definition of ``PHR related entity'' to provide that
entities that access or send unsecured PHR identifiable health
information to a personal health record--rather than entities that
access or send any information to a personal health record--are PHR
related entities.
<bullet> Fourth, the Commission proposed to clarify what it means
for a personal health record to draw PHR identifiable health
information from multiple sources.
<bullet> Fifth, in response to public comments expressing concern
that mailed notice is costly and not consistent with how consumers
interact with online technologies like health apps, the Commission
proposed to revise the Rule to authorize electronic notice in
additional circumstances. Specifically, the proposed Rule adjusted the
language in the ``method of notice section'' and added a new definition
of the term ``electronic mail.'' The proposed Rule also required that
any notice delivered by electronic mail be ``clear and conspicuous,'' a
newly defined term, which aligns closely with the definition of ``clear
and conspicuous'' codified in the FTC's Financial Privacy Rule.\37\
---------------------------------------------------------------------------
\37\ 16 CFR 313.3(b). The FTC's Financial Privacy Rule requires
financial institutions to provide particular notices and to comply
with certain limitations on disclosure of nonpublic personal
information. Using a comprehensive definition of ``clear and
conspicuous'' based on the Financial Privacy Rule definition aims to
ensure consistency across the Commission's privacy-related rules.
---------------------------------------------------------------------------
<bullet> Sixth, the Commission proposed to expand the required
content of the notice to individuals, to require that consumers whose
unsecured PHR identifiable health information has been breached receive
additional important information, including information regarding the
potential for harm from the breach and protections that the notifying
entity is making available to affected consumers. In addition, the
proposed Rule included exemplar notices, which entities subject to the
Rule could use to notify consumers in terms that are easy to
understand.
<bullet> Seventh, in response to public comments, the Commission
proposed to make a number of changes to improve the Rule's readability.
Specifically, the Commission proposed to include explanatory
parentheticals for internal cross-references, add statutory citations
in relevant places, consolidate notice and timing requirements in
single sections, respectively, of the Rule, and add a new section that
plainly states the penalties for non-compliance.
The NPRM also included a section discussing several alternatives the
[[Page 47031]]
Commission considered but did not propose. Although the Commission did
not put forth any proposed modifications on those issues, the
Commission nonetheless sought public comment on them.
The Commission received approximately 120 comments in response to
the NPRM from a wide spectrum of stakeholders, including consumers,
consumer groups, trade associations, think tanks, policy organizations,
private sector entities, and members of Congress.\38\ As discussed in
detail below, commenters addressed the seven topics on which the
Commission proposed changes, responded to particular points on which
the Commission requested comment, offered additional comment on
alternatives that the Commission considered but did not propose, and
provided comment on other topics. The majority of commenters expressed
support for the Commission's proposed changes.
---------------------------------------------------------------------------
\38\ Comments are available at <a href="https://www.regulations.gov/document/FTC-2023-0037-0001/comment">https://www.regulations.gov/document/FTC-2023-0037-0001/comment</a>.
---------------------------------------------------------------------------
The Commission believes the amendments are consistent with the
language and intent of the Recovery Act, address the concerns raised by
the public comments in response to the NPRM, and will ensure the Rule
remains current in the face of changing business practices and
technological developments.
II. Analysis of the Final Rule
The following discussion analyzes the amendments to the Rule.
A. Clarification of Entities Covered
1. The Commission's Proposal To Clarify the Entities Covered
The Commission proposed changes to several definitions in Sec.
318.2 to clarify the Rule's application to health apps and similar
technologies not covered by HIPAA. First, the proposed Rule revised the
definition of ``PHR identifiable health information'' to remove a
cross-reference and instead import language from section 1171(6) of the
Social Security Act, 42 U.S.C. 1320d(6), which is also referenced
directly in section 13407 of the Recovery Act. The proposed Rule
defined ``PHR identifiable health information'' as information (1) that
is provided by or on behalf of the individual; (2) that identifies the
individual or with respect to which there is a reasonable basis to
believe that the information can be used to identify the individual;
(3) relates to the past, present, or future physical or mental health
or condition of an individual, the provision of health care to an
individual, or the past, present, or future payment for the provision
of health care to an individual; and (4) is created or received by a
health care provider, health plan (as defined in 42 U.S.C. 1320d(5)),
employer, or health care clearinghouse (as defined in 42 U.S.C.
1320d(2)).
The Commission explained that this proposed definition covers
traditional health information (such as diagnoses or medications),
health information derived from consumers' interactions with apps and
other online services (such as health information generated from
tracking technologies employed on websites or mobile applications or
from customized records of website or mobile application interactions),
as well as emergent health data (such as health information inferred
from non-health-related data points, such as location and recent
purchases). The Commission sought comment as to whether any further
amendment of the definition was needed to clarify the scope of data
covered.
Second, the NPRM proposed to define the term ``health care
provider'' that appears in the proposed definition of ``PHR
identifiable health information'' (``is created or received by a health
care provider''). The Commission proposed to define this term in a
manner similar to the definition of ``health care provider'' found in
42 U.S.C. 1320d(3) (and referenced in 42 U.S.C. 1320d(6), which is
directly referenced in section 13407 of the Recovery Act), to mean a
provider of services (as defined in 42 U.S.C. 1395x(u)), a provider of
medical or other health services (as defined in 42 U.S.C. 1395x(s)), or
any other entity furnishing health care services or supplies. The
Commission observed that this proposed definition, which is consistent
with the statutory scheme, differs from, but does not contradict, the
definitions or interpretations adopted by HHS. The Commission sought
comment on defining this term more broadly than the term is used in
other contexts.
Third, the NPRM proposed to define ``health care services or
supplies'' (the final term in the definition of ``health care
provider'') to include any online service, such as a website, mobile
application, or internet-connected device that provides mechanisms to
track diseases, health conditions, diagnoses or diagnostic testing,
treatment, medications, vital signs, symptoms, bodily functions,
fitness, fertility, sexual health, sleep, mental health, genetic
information, diet, or that provides other health-related services or
tools. The Commission explained that this change clarified that the
Rule applies generally to online services, including websites, apps,
and internet-connected devices that provide health care services or
supplies, and clarified that the Rule covers online services related
not only to medical issues (by including in the definition terms such
as ``diseases, diagnoses, treatment, medications'') but also wellness
issues (by including in the definition terms such as ``fitness, sleep,
and diet'').
The Commission explained that these proposed changes to the
definitions clarified that developers of health apps and similar
technologies providing ``health care services or supplies'' qualify as
``health care providers,'' such that any individually identifiable
health information these products collect or use would constitute ``PHR
identifiable health information'' covered by the Rule. The Commission
explained that these proposed changes further clarified that a mobile
health application can be a ``personal health record'' covered by the
Rule and the developers of such applications can be ``vendors of
personal health records.''
2. Public Comments Regarding the Commission's Proposal To Clarify the
Entities Covered
The Commission received numerous comments on the application of the
Rule to health apps and similar technologies. A substantial number of
commenters supported the Rule's application to health apps and similar
technologies not covered by HIPAA as necessary in light of the
explosion of health apps and the associated dangers to the privacy and
security of consumers' health information.\39\ Notably, support for the
[[Page 47032]]
Commission's proposals came from a variety of commenters--industry
associations,\40\ businesses,\41\ members of Congress,\42\ consumer or
patient advocacy groups,\43\ individual consumers,\44\ and anonymous
sources.\45\ Many commenters argued that safeguards for non-HIPAA
covered health data are essential,\46\ particularly because consumers
generally are not aware of varying legal protections for health
data.\47\ Indeed, according to some commenters, requiring notification
to consumers of the breach of health information not protected by HIPAA
is precisely what Congress intended by authorizing the FTC to issue
this Rule; the Commission's proposed changes are, therefore, consistent
with the goals of the Recovery Act.\48\ Some commenters argued that
Federal privacy legislation is needed to protect non-HIPAA covered
health data, but, in the interim, the Commission should strengthen its
Rule to protect consumer health data to the extent possible.\49\ Other
commenters urged the Commission to take even broader measures in this
Rule, such as imposing breach prevention measures,\50\ banning health-
based surveillance technologies or targeted advertising,\51\ banning
selling or sharing of health data not necessary to provide patient care
or mandating data retention limits and deletion,\52\ or requiring
adherence to standardized terms of service with strong privacy
protections.\53\
---------------------------------------------------------------------------
\39\ See generally, Am. Acad. of Fam. Physicians (``AAFP'');
AHIP; AHIMA; Ass'n of Health Info. Outsourcing Serv.'s (``AHIOS'');
AMA; Am. Med. Informatics Ass'n (``AMIA''); ANI; Anonymous 1;
Anonymous 2; Anonymous 3; Anonymous 4; Anonymous 9; Anonymous 10;
Anonymous 11; Anonymous 14; Am. Osteopathic Ass'n (``AOA''); Ella
Balasa; Beth Barnett; Lauren Batchelor; Bipartisan Pol'y Ctr.
(``BPC''); Alan Brewington; Ctr. for Democracy & Tech. (``CDT'');
Ctr. for Digit. Democracy (``CDD''); Confidentiality Coal.; Consumer
Rep.'s; Elec. Frontier Found. (``EFF''); Elec. Priv. Info. Ctr.
(``EPIC''); Dave K.; Members of the House of Representatives; MRO
Corp. (``MRO''); Omada Health; Pharmed Out; Planned Parenthood
Federation of Amer. (``Planned Parenthood''); CB Sanders; Robb
Streicher; SYNGAP1 Foundation and SYNGAP1 Foundation 2; Devin
Thompson; Janice Tufte; Michael Turner; U.S. Public Interest
Research Group (``U.S. PIRG''); UL Sol.'s; Grace Vinton; WEDI; Anli
Zhou. Some commenters elaborated on the nature of the risks to
consumers' health data and on the importance to consumers. Two
commenters, for example, described research they had performed
regarding mental health and/or reproductive health apps' disclosure
of consumers' health data to third parties. Mozilla at 3-4; Consumer
Reports at 2. Another commenter, a public interest group and
advocacy organization, attached a petition containing 9,659
signatures asking for strong rules to protect digital health
privacy. US PIRG at 5-230.
\40\ E.g., AAFP, AHIMA, AHIOS, AMA, AMIA, AOA; Network Advert.
Initiative (``NAI'').
\41\ E.g., Mozilla; MRO; Omada Health; UL Sol.'s.
\42\ See Members of the House of Representatives (six members of
Congress expressing support for the proposed changes).
\43\ E.g., CDD; CDT; EFF; U.S. PIRG.
\44\ Ella Balasa; Beth Barnett; Lauren Batchelor; Alan
Brewington; Sean Castillo; Dave K.; CB Sanders; Robb Streicher;
Devin Thompson; Janice Tufte; Michael Turner; Grace Vinton; Anli
Zhou.
\45\ Anonymous 1; Anonymous 2; Anonymous 3; Anonymous 4;
Anonymous 5; Anonymous 6; Anonymous 9; Anonymous 10; Anonymous 11;
Anonymous 14.
\46\ See, e.g., AAFP at 1-2; AHIMA at 2; AHIOS at 2; Anonymous 5
at 1; AOA at 1; Am. Speech-Language-Hearing Ass'n (``ASHA'') at 1;
Am. Psychiatric Ass'n (``APA'') at 1; CDT at 3-4; CHIME at 2; EFF at
1; Generation Patient at 1; HIMSS at 2; HIMSS Elec. Health Rec.
Ass'n (``HIMSS EHR Ass'n'') at 1; MRO at 1-2; Omada Health at 2;
PharmedOut at 1; Planned Parenthood at 2-3; Michael Turner at 1;
WEDI at 1-4.
\47\ AHIMA at 2; Anonymous 5 at 1; ASHA at 1; EFF at 1; WEDI at
2. One commenter, a software company that assists digital health
companies with legal compliance, argued that three factors, in
particular, support greater protection for digital health data: (1)
consumers mistakenly believe HIPAA covers all health data; (2) there
is a culture within some digital health companies that favors rapid
adoption of products to secure venture capital even when compliance
infrastructure is lacking; and (3) digital health products deal with
sensitive data and inherently present a greater privacy risk given
their heavy reliance on data and data exchange compared to
traditional medicine. Tranquil Data at 1.
\48\ Confidentiality Coal. at 2; Consumer Rep.'s at 4.
\49\ See, e.g., AAFP at 2. One commenter, an industry coalition
focused on health IT and health care information exchange,
emphasized a significant privacy problem adjacent to the Rule:
whether HIPAA covered entities should warn patients about the
privacy risks associated with health apps and what the Federal
government can do to apply equal privacy protections to health data,
notwithstanding HIPAA's limitations. See WEDI at 3. One commenter
supported the proposed changes but argued the Commission should work
with Congress to update antiquated terms like ``personal health
record.'' HIMSS at 3.
\50\ Ella Balasa at 2; PharmedOut at 1.
\51\ Light Collective at 5.
\52\ EFF at 2.
\53\ Texas Med. Ass'n (``TMA'') at 1-2.
---------------------------------------------------------------------------
Although many commenters expressed support for the proposed
changes, several business coalitions, industry associations and
individual firms opposed the changes, which, they argued, are
inconsistent with Congress's intent in the Recovery Act to address a
narrow subset of ``personal health records'' and therefore exceed the
FTC's statutory authority.\54\ According to some comments, Congress
should address any privacy issues that exceed the narrow scope of the
Recovery Act. These commenters also contend that if the Commission
believes there has been a violation of section 5, then the Commission
needs to engage in an FTC Act section 18 rulemaking.\55\ One commenter
argued further that consumers have different privacy expectations for
an electronic health record offered by their physician versus a fitness
app (for example) that they download themselves, and the Commission's
Rule should respect those differing expectations.\56\
---------------------------------------------------------------------------
\54\ See, e.g., Ass'n of Nat'l Advertisers, Inc. (``ANA'') at 4-
5; Comput. & Commc'n's Indus. Ass'n (``CCIA'') at 2-3; Chamber of
Com. (``Chamber'') at 1-3; CHI at 2; Consumer Tech. Ass'n (``CTA'')
at 2; Lab'y Access and Benefits Coal. (``LAB'') at 1; Priv. for Am.
at 1-2; TechNet at 2.
\55\ Priv. for Am. at 2-3; Chamber at 6-7; Health Innovation
All. (``HIA'') at 1. See also Advanced Med. Tech. Ass'n
(``AdvaMed'') at 1 (recommending the Commission adopt a privacy
framework pursuant to the advanced notice of proposed rulemaking
(R111004) regarding commercial surveillance and data security (87 FR
51273, Aug. 22, 2022)).
\56\ CCIA at 4.
---------------------------------------------------------------------------
Some commenters opposed to the changes also argued that the revised
definitions would reduce choice and access in the marketplace,\57\
stifle innovation,\58\ or create disincentives for advertising \59\
because (1) firms would risk initiating breaches by sharing user data
with their partners and (2) in accepting data from health apps,
partners such as advertising and analytics firms would risk being
covered by the Rule.\60\ According to some commenters, placing such
strictures on the advertising and service provider ecosystem would
raise prices (by, for example, undermining ad-supported services) and
thereby harm competition.\61\ One commenter argued that while robust
protections for consumer health data are needed, the Rule should not be
a vehicle for such protections, because it will result in over-
notification of consumers (who have largely learned to disregard breach
notices) and be a barrier to legislative change on privacy and data
security issues more generally.\62\ Another commenter argued against a
breach notification rule altogether, asserting that the Commission
should instead focus on requiring robust data security practices to
prevent breaches in the first instance.\63\
---------------------------------------------------------------------------
\57\ Am. Telemedicine Ass'n (``ATA Action'') at 1.
\58\ TechNet at 1-2; CTA at 5.
\59\ ANA at 3.
\60\ Priv. for Am. at 3.
\61\ E.g., ANA at 3; Priv. for Am. at 1, 3-4.
\62\ World Priv F. (``WPF'') at 4.
\63\ HIA at 2.
---------------------------------------------------------------------------
Some commenters specifically addressed the proposed changes to the
definitions of ``PHR identifiable health information'' and the new
definitions of ``health care provider'' and ``health care services or
supplies.'' First, a number of comments addressed the scope of ``PHR
identifiable health information.'' Some commenters urged greater
breadth, arguing, for example, that the definition of ``PHR
identifiable health information'' should be expanded to include other
types of data, such as data about an individual--not just data provided
by or on behalf of an individual.\64\ Other commenters urged the
Commission to state expressly that its definition encompasses
particular types of information, such as unique persistent identifiers
\65\ or information about sexual health \66\ or substance use or
treatment.\67\ By contrast, some commenters urged the Commission to
narrow the definition or otherwise clarify its limits, by, for example,
exempting data relating to clinical research or trials \68\ or data
that has been de-identified.\69\
---------------------------------------------------------------------------
\64\ Consumer Rep.'s at 3.
\65\ Id.
\66\ BPC at 1-2; Planned Parenthood at 5.
\67\ Legal Action Ctr. & Opioid Pol'y Inst. at 1-2.
\68\ Soc'y for Clinical Rsch. Sites (``SCRS'') at 1.
\69\ Future of Priv. F. (``FPF'') at 3.
---------------------------------------------------------------------------
Relatedly, some commenters urged the Commission to create a
definition of or standard for ``identifiable data,'' ``de-
identification'' or ``de-identified
[[Page 47033]]
data,'' \70\ such as by adopting HHS's de-identification standard,\71\
or by stating that information is identifiable if it is ``reasonably
linkable to an identified or identifiable individual.'' \72\ Commenters
argued that clarifying what constitutes ``identifiable'' data is
necessary both because of the increasing ability for de-identified data
to be re-identified \73\ and because the market needs clarity to enable
uninhibited flow of de-identified health data for research, public
health, and commercial activities.\74\ Indeed, according to one
commenter, failure to clarify the standard could complicate or chill
public health research and other innovation.\75\ One commenter argued
that an objective standard of ``reasonable linkability'' is better than
what the commenter described as the Rule's knowledge-based standard
(i.e., whether the company has a reasonable basis to believe it can be
used to identify an individual).\76\ One commenter urged the Commission
to issue a new notice of proposed rulemaking on the issue of de-
identification alone.\77\
---------------------------------------------------------------------------
\70\ SCRS at 2; Chamber at 7; EPIC at 7-9; FPF at 3-4; LAB at 2;
MRO at 4; Network for Pub. Health L. and Texas A&M Univ.
(``Network'') at 3.
\71\ LAB at 2; Network at 3; SCRS at 2.
\72\ FPF at 3.
\73\ SCRS at 2.
\74\ FPF at 3; Network at 3-4.
\75\ Network at 3.
\76\ FPF at 3.
\77\ Chamber at 7.
---------------------------------------------------------------------------
Second, many commenters specifically addressed the Commission's
proposed new definition of ``health care provider.'' One commenter
applauded the Commission's revised definition of ``health care
provider,'' arguing that taking a crabbed view of that or related terms
would lead to further fragmentation of health data, which is already
fragmented by HIPAA's limited purview.\78\ Another commenter noted the
Commission's definition of ``health care provider'' is simply a logical
outgrowth of how consumers interact with health apps: consumers look to
health apps to provide health-related services--the quintessential
function of a health care provider.\79\
---------------------------------------------------------------------------
\78\ CDT at 11.
\79\ Confidentiality Coal. at 3-4.
---------------------------------------------------------------------------
Other commenters, however, raised concerns that the proposed
definition of ``health care provider'' is confusing in its departure
from HIPAA's terminology or is otherwise overbroad.\80\ Some commenters
argued this departure from the traditional meaning of the term is not
what Congress intended.\81\ A few commenters suggested reducing the
confusion with the traditional term by re-naming the definition. These
commenters suggested the Commission instead use one of the following
terms: ``non-HIPAA-regulated health care provider,'' \82\ ``PHR
provider,'' \83\ ``Health-related vendor,'' \84\ ``HIPAA covered
entity,'' \85\ or ``health-related service provider.'' \86\ Another
commenter recommended eliminating the confusion by stating within the
definition that it excludes HIPAA-covered entities and their business
associates.\87\ Another commenter urged the Commission to affirm that
its definition would have no impact on the term ``health care
provider'' as used in other regulations.\88\
---------------------------------------------------------------------------
\80\ AAFP at 2-3; AdvaMed at 3-4; AHIP at 2; AMA at 2-3; ATA
Action at 1; CARIN Alliance at 2-3; CCIA at 3; CTA at 4, 6-9;
Datavant at 2; Invitae Corp. (``Invitae'') at 4; NAI at 3-4;
Software & Info. Indus. Ass'n (``SIIA'') at 1-2; TechNet at 2; TMA
at 2-3; WPF at 7.
\81\ ANA at 5; ATA Action at 1; Invitae at 4-5; Priv. for Am. at
4.
\82\ Planned Parenthood at 6.
\83\ WPF at 7.
\84\ AHIP at 2.
\85\ AMA at 3.
\86\ AHIP at 2.
\87\ Datavant at 2.
\88\ AAFP at 2-3.
---------------------------------------------------------------------------
Several comments also expressed concern with the final phrase of
the definition of ``health care provider'' (``any other entity
furnishing health care services or supplies''), as overly broad and
confusing. Commenters argued its breadth (and the breadth of the
accompanying definition of ``health care services or supplies'') would
have perverse results, turning retailers of tennis shoes, shampoo, or
vitamins into entities covered by the Rule, which is not what Congress
intended.\89\ Moreover, it would result not only in compliance burdens
for companies (with the downstream effect of raising prices for
consumers) but also in massive over-notification of consumers, who will
become desensitized to the onslaught of notices.\90\
---------------------------------------------------------------------------
\89\ ANA at 7-8; CCIA at 4; CHI at 3-4; CTA at 7-8; SIIA at 2.
\90\ ANA at 3; SIIA at 1.
---------------------------------------------------------------------------
Several commenters urged the Commission to address this problem by
dropping the phrase ``any other entity furnishing health care services
or supplies'' entirely--or at least excising the word ``supplies''--
from the definition of ``health care provider.'' \91\ One commenter
recommended replacing the phrase with a different phrase: ``any other
person or organization who furnishes, bills, or is paid for health care
in the normal course of business.'' \92\ Another commenter recommended
expressly excluding retailers.\93\ Commenters requested further
clarification of certain terms within the definition of ``health care
provider,'' including the terms ``furnishing'' \94\ and ``health
care.'' \95\ And another commenter argued a better approach would be to
jettison the definitions of ``health care provider'' and ``health care
services and supplies'' entirely and instead apply the Rule to any
entity that ``promotes its offering as addressing, improving, tracking
or informing matters about a consumer's health.'' \96\
---------------------------------------------------------------------------
\91\ AdvaMed at 4; CHI at 4; CTA at 9; TechNet at 2.
\92\ AdvaMed at 4.
\93\ CTA at 8-9.
\94\ EPIC at 2.
\95\ AdvaMed at 3 (urging the Commission to define ``health
care'' and ``health care provider'' as in 45 CFR 160.103).
\96\ WPF at 10.
---------------------------------------------------------------------------
Third, some commenters addressed the proposed definition of
``health care services or supplies.'' \97\ Several commenters requested
more clarity as to what constitutes an ``online service,'' \98\ as
nearly all commercial activities have some online presence.\99\ Several
commenters recommended deleting the final phrase of the definition
(``or that provides other health-related services or tools'') to limit
the definition's breadth.\100\ Conversely, some commenters urged the
Commission to reinforce its breadth, by expressly stating that ``health
care services or supplies'' include services related to ``wellness''
\101\ or to specific health conditions, such as substance abuse
disorder diagnosis, treatment, medication, recurrence of use
(``relapse'') and recovery.\102\
---------------------------------------------------------------------------
\97\ AdvaMed at 3; AAFP at 3; AHIP at 3; Priv. for Am. at 6-7.
\98\ MRO at 2; WPF at 7-8.
\99\ WPF at 8.
\100\ NAI at 4.
\101\ EPIC at 4.
\102\ Legal Action Ctr. & Opioid Pol'y Inst. at 3.
---------------------------------------------------------------------------
3. The Commission Adopts the Proposed Changes To Clarify the Entities
Covered
After considering the comments received, the Commission adopts the
proposed changes to the Rule (with only non-substantive, organizational
improvements noted below) to clarify that the Rule applies to mobile
health applications and similar technologies. The Commission agrees
with the substantial number of comments, from many different types of
entities and individuals, who argued that such clarification is
necessary in light of changing technology (i.e., the mass adoption of
health apps) and the privacy and data security risks to consumer health
data collected by that technology. The Commission also agrees with
[[Page 47034]]
commenters who argued that the proposed changes to the Rule are
consistent with the Recovery Act, which was intended to bolster breach
notifications for consumer health data that falls outside HIPAA.
Although the Commission agrees with commenters who argue that consumer
health data should enjoy substantial and unfragmented privacy
protections, this Rule addresses breach notification, not omnibus
privacy protections. While this rulemaking does not address omnibus
privacy protections, the Commission observes that companies collecting
or holding consumers' sensitive health data should engage in many of
the practices commenters described, such as imposing data retention
limits, enabling deletion options, and preventing breaches through
robust privacy and data security practices.\103\
---------------------------------------------------------------------------
\103\ In the 2009 Final Rule, the Commission similarly
underscored the importance of maintaining protections for health
information, stating: ``In addition, as noted in the NPRM, the
Commission expects entities that collect and store unsecured PHR
identifiable health information to maintain reasonable security
measures, including breach detection measures, which should assist
them in discovering breaches in a timely manner.'' 74 FR 42971 n.93
(2009).
---------------------------------------------------------------------------
The Commission is not persuaded that applying the Rule to health
apps and similar technologies will have deleterious consequences for
individual firms or competition or result in over-notification of
consumers. Importantly, the only obligation the Rule imposes is to
notify the Commission, consumers, and, in some cases, the media of a
breach of unsecured PHR identifiable health information. As noted in
the NPRM, many State laws already impose similar, or significantly
broader, data breach obligations.\104\ Moreover, firms can avoid
notification costs entirely by avoiding breaches--by reducing the
amount of unsecured PHR identifiable health information they access and
maintain (which can be achieved by securing PHR identifiable health
information), by de-identifying health information, and by implementing
other privacy and data security measures appropriate to the sensitivity
of the data. Congress intended for consumers to learn of breaches of
their unsecured PHR identifiable health information that fall outside
HIPAA; the changes to the Rule help ensure consumers will receive the
notification Congress intended.
---------------------------------------------------------------------------
\104\ 88 FR 37832 n.103.
---------------------------------------------------------------------------
The Commission carefully considered the arguments commenters raised
that the definitional changes depart from the language or spirit of the
Recovery Act. The Commission does not agree. The definitions hew
closely to the language of the Recovery Act and to the definitions
directly referenced by the Recovery Act in section 1171(6) of the
Social Security Act, 42 U.S.C. 1320d(6). As many commenters noted,
while health apps did not exist when Congress passed the Recovery Act,
they function in a similar manner to the personal health records that
existed at the time.
For these reasons, the Commission is adopting the proposed
definitions, with minor clarifications. First, the Commission has
retained the definition of ``PHR identifiable health information'' as
set out in the NPRM, with non-substantive organizational changes noted
below. In response to comments that the definition of ``PHR
identifiable health information'' should be broader, the Commission
notes the definition, which closely follows the statutory language,
already encompasses most of the categories of data that commenters
identified. For example, unique, persistent identifiers (such as unique
device and mobile advertising identifiers), when combined with health
information, constitute ``PHR identifiable health information,'' if
these identifiers can be used to identify or re-identify an individual.
Moreover, ``PHR identifiable health information'' encompasses
information about sexual health and substance abuse disorders, because
the information ``relates to the past, present, or future physical or
mental health or condition of an individual, the provision of health
care to an individual, or the past, present, or future payment for the
provision of health care to an individual.'' The Recovery Act states
PHR identifiable health information is information provided ``by or on
behalf of the individual,'' so the Commission declines to change this
phrase to ``about,'' as one commenter suggested.\105\ The Commission
notes, however, that information provided ``by or on behalf of the
individual'' will encompass much information ``about'' an individual,
as the consumer is the original source of most data; many inferences
``about'' the individual originate from information provided ``by or on
behalf of the individual.''
---------------------------------------------------------------------------
\105\ Consumer Rep.'s at 4.
---------------------------------------------------------------------------
The Commission does not agree with commenters who sought to narrow
the definition of PHR identifiable health information out of concern
for the Rule's overall breadth. The Commission notes that liability
under the Rule does not arise from a single definition. While data used
for public health research, for example, may, in some instances, meet
the definition of ``PHR identifiable health information,'' the firm
using that data is subject to the Rule only if other conditions are met
(i.e., the firm is an entity covered by the Rule).
The Commission declines to create a new definition of ``de-
identified data'' or another similar term, because the definition of
de-identification is already embedded in the second part of the
definition of PHR identifiable health information (``that identifies
the individual or with respect to which there is a reasonable basis to
believe that the information can be used to identify the individual'').
Where there is no ``reasonable basis to believe that the information
can be used to identify the individual,'' the information is not
identifiable; rather, it is de-identified. If data has been de-
identified according to standards set forth by HHS, then there is not a
``reasonable basis to believe that the information can be used to
identify the individual,'' as the definition of PHR identifiable health
information requires. Because the Commission's standard is consistent
with HHS's, the Commission's Rule poses no impediment to health-related
research or other flows of de-identified data. The Commission does not
view the existing language as a subjective standard that turns on a
company's knowledge, as one commenter suggested; by requiring a
``reasonable basis to believe'' that the information is not
identifiable, the Rule creates an objective standard. Whether such
reasonable basis exists will depend on whether the data can reasonably
be linked to an individual consumer. There is no need for a
supplemental notice of proposed rulemaking on this issue, as the
Commission is not changing this aspect of the Rule, which closely
follows the statute.\106\
---------------------------------------------------------------------------
\106\ 42 U.S.C. 17937(f)(2).
---------------------------------------------------------------------------
Second, the Commission is modifying the proposed definition of
``health care provider'' to ``covered health care provider'' to
distinguish that term from interpretations of the term ``health care
provider'' in other contexts, which may be more limited in scope. As
commenters requested, the Commission affirms its definition of
``covered health care provider'' is unique to the Rule; it does not
bear on the meaning of ``health care provider'' as used in other
regulations enforced by other government agencies. The Commission
adopts this change merely to dispel confusion in terminology; the
Commission is not making any substantive change from the definition as
proposed. The Commission does not need to state expressly, either in
this definition or elsewhere, that the Rule's notification requirements
do not apply to HIPAA-covered entities and their business associates,
as Sec. 318.1 of the
[[Page 47035]]
Rule already includes this proviso. The Commission declines to remove
the phrase ``any other entity furnishing health care services or
supplies'' from the definition of ``health care provider,'' because
this phrase is nearly identical to the language that appears in 42
U.S.C. 1320d(3), which is referenced in the definition of individually
identifiable health information in 42 U.S.C. 1320d(6), which is in turn
referenced in the definition of PHR identifiable health information in
section 13407(f)(2) of the Recovery Act, 42 U.S.C. 17937.\107\ The
Commission declines to define the terms ``furnish'' and ``health care''
as the Commission believes the plain meaning of the term ``furnish''
(to supply someone with something) is already clear and adding a
definition of ``health care'' is unnecessary in light of the definition
of ``covered health care provider'' and ``health care services and
supplies.'' Differences from HHS's regulations pursuant to HIPAA are
appropriate, as the Recovery Act differs from HIPAA, and the Recovery
Act's mandate is specifically to cover entities not covered by HIPAA.
---------------------------------------------------------------------------
\107\ The definition of ``covered health care provider'' in
Sec. 318.2 substitutes ``entity'' for ``person''--i.e., ``any other
entity furnishing health care services or supplies''--because the
rest of the Rule speaks in terms of ``entities,'' but the definition
in Sec. 318.2 is otherwise identical to the statutory definition in
42 U.S.C. 1320d(3).
---------------------------------------------------------------------------
Third, the Commission is adopting the proposed definition of
``health care services or supplies,'' with one minor modification: the
Commission has substituted the word ``means'' for ``includes'' to avoid
implying greater breadth than the Commission intends. The Commission
adopts this change merely to dispel confusion about undue breadth; the
Commission does not intend any substantive change from the definition
proposed. The Commission otherwise affirms the proposed definition
without change. The Commission believes the term ``online service'' in
the definition of ``health care services or supplies'' is sufficiently
clear because of the examples of ``online services'' given within the
definition itself: website, mobile application, or internet-connected
device. Providing an exhaustive list of what constitutes an online
service would prevent the definition from being sufficiently flexible
to account for future innovation in types of online services. The
Commission also retains the catch-all ``or that provides other health-
related services or tools'' for the same reason: to ensure the Rule's
language can accommodate future changes in technology. There is no
undue breadth, because that phrase's meaning is in the context of the
preceding phrase (``provides mechanisms to track diseases, health
conditions, diagnoses or diagnostic testing, treatment, medications,
vital signs, symptoms, bodily functions, fitness, fertility, sexual
health, sleep, mental health, genetic information, diet'').
In response to some commenters' concerns that the proposed Rule's
definition of ``health care provider'' and ``health care services or
supplies'' would impermissibly cause the Rule to cover retailers of
general-purpose items like tennis shoes, shampoo, or vitamins, the
Commission disagrees this would necessarily be the case. A threshold
inquiry under the Rule is whether an entity is a ``vendor of personal
health records,'' which the Recovery Act defines as ``an entity . . .
that offers or maintains a personal health record.'' \108\ The Recovery
Act usage of the term ``vendor of'' in connection with ``personal
health records'' underscores that entities that are not in the business
of offering or maintaining (e.g., selling, marketing, providing, or
promoting) a health-related product or service are not covered--in
other words, they are not ``vendors'' of personal health records. Thus,
to be a vendor of personal health records under the Rule, an app,
website, or online service must provide an offering that relates more
than tangentially to health.\109\
---------------------------------------------------------------------------
\108\ 42 U.S.C. 17921(18); see also 42 U.S.C. 17937.
\109\ At least one commenter urged a somewhat similar
interpretation, contending that a relevant inquiry in determining
whether a service offers a personal health record is ``the terms
under which a product or service is offered to consumers. If an
entity promotes its offering as addressing, improving, tracking, or
informing matters about a consumer's health, then that entity's
offering would be subject to the rule. Thus, any product or services
that tracks or addresses physical activity, blood pressure, heart
rate, digestion, strength, genetics, sleep, weight, allergies, pain,
and similar characteristics would be subject to a PHR rule.'' See
WPF at 10.
---------------------------------------------------------------------------
The Commission notes a general retailer (one that sells food
products, children's toys, garden supplies, healthcare products (such
as pregnancy tests), or apparel (such as maternity clothes)) offering
consumers an app to purchase and access purchases of these products--by
itself--would not make the retailer a vendor of personal health
records. In this scenario, purchase information relating to certain
items--such as a pregnancy test or maternity clothes from a retailer--
may reveal information about the consumer's health. While this purchase
information may be PHR identifiable health information, the retailer in
this scenario is not a vendor of personal health records because the
app is only tangentially related to health. The Commission notes,
however, there may be scenarios where a general-purpose retailer
described above may become a vendor of personal health records under
the Rule, such as where the retailer offers an app with features or
functionalities that are sold, marketed, or promoted as more than
tangentially relating to health.
In addition, the Commission reiterates a personal health record
must be an electronic record of PHR identifiable health information on
an individual, must have the technical capacity to draw information
from multiple sources, and must be managed, shared, and controlled by
or primarily for the individual. The Commission also notes that
purchases of items at a brick-and-mortar retailer where there is no
app, website, or online service to access or track that purchase
information electronically do not constitute a personal health record,
because there is no electronic record at issue. Contrary to the assertions of
some commenters, these definitions do not result in undue breadth,
because they do not function in isolation. The Commission provides the
following examples to illustrate the interplay of these definitions
with the definition of ``personal health record'':
<bullet> Example 1: Health advice app or website A, which is not
covered by HIPAA, provides information to consumers about various
medical conditions. Its function is purely informational; it does not
provide any mechanism through which the consumer may track or record
information. Health advice app or website A is not a personal health
record, because it is not an electronic record of PHR identifiable
health information on an individual.
<bullet> Example 2: Health advice app or website B, which is not
covered by HIPAA, provides information to consumers about various
medical conditions and provides a symptom tracker, available to
consumers who log into the site with a username and password, in which
consumers may input symptoms and receive potential diagnoses. Health
advice app or website B is an electronic record of PHR identifiable
health information on an individual, because its information is
provided by the individual, it identifies the individual (via username
and password), it relates to the individual's health conditions (the
symptoms), and it is received by a health care provider (i.e., the entity
providing the site itself, as that entity is furnishing the health care
service of an online service that provides mechanisms to track
symptoms). However, health advice app or website B is not a personal
health
[[Page 47036]]
record to the extent the site does not have the technical capacity to
draw information from multiple sources (i.e., if the consumer is its
only source of information).
<bullet> Example 3: Health advice app or website C, which is not
covered by HIPAA, functions in the same way as health advice app or
website B, except that it collects geolocation data via an application
programming interface (``API''). For the reasons stated in Example 2,
it is an electronic record of PHR identifiable health information on an
individual. It also has the technical capacity to draw information from
multiple sources (consumer inputs and collection of geolocation data
through the API). It is managed primarily for the individual (i.e., to
provide the individual health advice). Therefore, health advice app or
website C is a personal health record.
<bullet> Example 4: Health advice app or website D, which is not
covered by HIPAA, functions in the same way as health advice app or
website B, except that it also draws information from a data broker and
connects that information to some of its individual users to provide
them with more accurate diagnostic suggestions. For the reasons stated
in Example 2, it is an electronic record of PHR identifiable health
information on an individual. It also has the technical capacity to
draw information from multiple sources (the consumer and the data
broker) and is managed by or primarily for the individual. Therefore,
health advice app or website D is a personal health record.
Whether a health app or other electronic record constitutes a
personal health record (and is therefore subject to the Rule) is a
fact-intensive inquiry whose outcome depends not only on the nature of
the information contained in that record, but also on numerous other
factors, such as its ``technical capacity,'' its source(s) of
information, and its relationship to the individual.
Finally, the Commission notes a non-substantive, organizational
change relating to the definition of ``PHR identifiable health
information.'' In the 2023 NPRM, the Commission proposed revising ``PHR
identifiable health information'' by importing language from section
1171(6) of the Social Security Act, 42 U.S.C. 1320d(6), which is
referenced directly in section 13407 of the Recovery Act. To hew more
closely to the organization of the Recovery Act, and to preserve the
word ``includes'' in the phrase ``includes information that is provided
by or on behalf of the individual,'' the Commission revised slightly
the order of the elements in the definition of ``PHR identifiable
health information.''
B. Clarification of What It Means for a Personal Health Record To Draw
Information From Multiple Sources
1. The Commission's Proposal Regarding What It Means for a Personal
Health Record To Draw Information From Multiple Sources
The Commission proposed amending the definition of the term
``personal health record'' to clarify what it means for a personal
health record to draw information from multiple sources. Under the 2009
Rule, a personal health record is defined as an electronic record of
PHR identifiable health information that can be drawn from multiple
sources and that is managed, shared, and controlled by or primarily for
the individual. Under the Commission's proposed definition, a
``personal health record'' would be defined as an electronic record of
PHR identifiable health information on an individual that has the
technical capacity to draw information from multiple sources and that
is managed, shared, and controlled by or primarily for the individual.
Changing the phrase ``that can be drawn from multiple sources'' to
``has the technical capacity to draw information from multiple
sources'' serves several purposes. First, it clarifies a product is a
personal health record if it can draw information from multiple
sources, even if the consumer elects to limit information to a single
source only, in a particular instance. For example, a depression
management app that accepts consumer inputs of mental health states and
has the technical capacity to sync with a wearable sleep monitor is a
personal health record, even if some customers choose not to sync a
sleep monitor with the app. Thus, whether an app qualifies as a
personal health record would not depend on the prevalence of consumers'
use of a particular app feature, like sleep monitor-syncing. Instead,
the analysis of the Rule's application would be straightforward: either
the app has the technical means (e.g., the application programming
interface or API) to draw information from multiple sources, or it does
not. Next, adding the phrase ``technical capacity to draw information''
clarifies a product is a personal health record if it can draw any
information from multiple sources, even if it only draws health
information from one source. This change further clarifies the
Commission's interpretation of the Recovery Act, as explained in the
Policy Statement.\110\
---------------------------------------------------------------------------
\110\ Policy Statement at 2.
---------------------------------------------------------------------------
The Commission sought public comment as to whether this revised
language sufficiently clarifies the Rule's application to developers
and purveyors of products that have the technical capacity to draw
information from more than one source. The Commission invited comment
on its interpretation that an app is a personal health record because
it has the technical capacity to draw information from multiple
sources, even if particular users of the app choose not to enable the
syncing features. The Commission also requested comment about whether
an app (or other product) should be considered a personal health record
even if it only draws health information from one place (in addition to
non-health information drawn elsewhere); or only draws identifiable
health information from one place (in addition to non-identifiable
health information drawn elsewhere). The Commission further requested
comment about whether the Commission's bright-line rule (apps with the
``technical capacity to draw information'' are covered) should be
adjusted to take into account consumer use, such as where no consumers
(or only a de minimis number) use a feature, and about the likelihood
of such scenarios. The Commission offered the example of an app that
might have the technical capacity to draw information from multiple
sources but whose API is entirely or mostly unused, either because it
remains a Beta feature, has not been publicized, or is not popular.
2. Public Comments Regarding What It Means for a Personal Health Record
To Draw Information From Multiple Sources
Many commenters supported the Commission's proposal amending the
definition of a ``personal health record.'' \111\ Commenters noted, for
instance, this change would help to ensure that many services that
collect PHR identifiable health information are covered by the
Commission's Rule,\112\ and would help to promote greater privacy and
security for health information,\113\ while still ``hewing to
[[Page 47037]]
the limitations of the statute.'' \114\ Some commenters noted without
this change, developers of personal health records (such as app
developers) might have incentives to design their products in ways that
would intentionally skirt the Rule's requirements (such as by
restricting a consumer's ability to import data from other
sources).\115\ Others noted the importance of the Rule covering apps
with the technical capacity to draw information from multiple sources
even where such capacity is not used by the consumer.\116\
---------------------------------------------------------------------------
\111\ Ella Balasa at 1; TMA at 4 (arguing that ``PHRs include
applications with the technical capacity to draw information from
multiple sources, regardless of the patient's preference to activate
the technical capability.''); Consumer Reports at 6; AAFP at 3; AHIMA
at 4-5; AMA at 4; CHIME at 4; CDT at 13; AOA at 3.
\112\ AHIMA at 4-5.
\113\ AAFP at 3.
\114\ Consumer Reports at 5-6.
\115\ AHIP at 2-3; CDT at 13 (arguing that changes remove
``incentives for companies to technically design products and
services to not trigger the HBNR to avoid any need to provide
consumer notice.'').
\116\ AHIOS at 4; CARIN Alliance at 4.
---------------------------------------------------------------------------
Other commenters opposed this proposal.\117\ Some argued the
proposed clarification regarding what drawing information from multiple
sources means runs counter to Congress's statutory intent,\118\ because
virtually every app has some sort of integration (e.g., for analytics)
through which it draws information other than from the consumer.\119\
One commenter asserted the change would broaden the scope of the Rule
to the point that it would sweep in online services that should not be
thought of as a personal health record (such as email apps),\120\ or
otherwise create confusing standards for app developers or reduce
innovation.\121\ In addition, commenters expressed concern this change
would sweep in apps or online services that have the technical capacity
to draw from multiple sources during the development or testing phase
of the product, or would sweep in products with unused, unavailable, or
unpublicized APIs or integrations that count as a source.\122\ One
commenter expressed concern about lack of clarity, such as in scenarios
where a user is required to pay for an upgrade to access a feature or
integration that draws information from another source.\123\ Some
commenters also urged that apps and online services that are subject
to HIPAA (i.e., HIPAA-covered entities or business associates) be
carved out of the definition of a personal health record.\124\ Other
commenters expressed broader concern with the
definition of ``personal health record,'' urging the Commission to, for
example, abandon the purportedly outdated term in favor of a more
modern one.\125\ For instance, some commenters urged that the
Commission abandon or tweak the requirement that the personal health
record be ``managed, shared, and controlled by or primarily for the
individual.'' \126\
---------------------------------------------------------------------------
\117\ NAI at 6 (urging that the Commission make clear that a
personal health record is one that ``not only has the technical
capacity to draw PHR identifiable health information from multiple
sources, but that it also has the functionality and actually does
incorporate data from multiple sources.''); ANA at 7; ACLA at 1-2.
\118\ NAI at 6.
\119\ Chamber at 4-5; Priv. for Am. at 5-6; NAI at 6.
\120\ CCIA at 6.
\121\ CTA at 11; AdvaMed at 5; CHI at 5.
\122\ CHI at 5 (asking the Commission to clarify that an ``app
having the ability to draw from multiple sources with some changes
to the app's coding/APIs is not within this definition's
threshold.''); ACLA at 1 (arguing ``[i]f a feature is unused by
individuals `because it remains a Beta feature,' then in fact it
does not have the `technical capacity' to draw an individual's
information from other sources, unless and until its functionality
has been enabled by the vendor. The mere possibility that an
application vendor might sometime in the future enable that
functionality should not bring the electronic record within the
scope of the definition of `personal health record.' '') (emphasis
in original); CTA at 11 (arguing Rule should instead have bright-
line test that assesses whether the app actually draws health
information from multiple sources); AdvaMed at 5 (arguing the
Commission should decline to adopt multiple sources changes because
it could cause confusion and potentially sweep in apps or services
with features that have not been made available to consumers, such
as APIs connected to the PHR that have not been publicized).
\123\ WPF at 9.
\124\ Omada at 5; Datavant at 3.
\125\ HIMSS at 3 (urging the Commission to work with Congress to
craft a definition more consonant with technological realities).
\126\ AHIOS at 4; MRO at 4.
---------------------------------------------------------------------------
Another commenter expressed concern the proposed change could sweep
in services that draw any information from multiple sources, regardless
of whether that information is identifiable health information.\127\
---------------------------------------------------------------------------
\127\ NAI at 6.
---------------------------------------------------------------------------
3. The Commission Adopts the Proposed Changes Clarifying What It Means
for a Personal Health Record To Draw Information From Multiple Sources
After considering the comments received, the Commission adopts the
proposed amendment without change. This amendment will help clarify the
types of entities covered by the Rule. The definition does not create
undue breadth or deviate from Congressional intent; rather, the changes
are consistent with the language of the Recovery Act, and only serve to
give meaning to the phrase ``can be drawn'' in the Recovery Act in a
way that is consistent with the current state of technology. They are
also necessary to keep pace with technological change, which has
enabled firms to offer consumers mobile electronic records of their
health information that contain numerous integrations. To illustrate
the intended meaning of the proposed revisions to the term ``personal
health record,'' the Commission reiterates examples from the 2023 NPRM
of two non-HIPAA covered diet and fitness apps available for consumer
download in an app store. Under the amended Rule, each is a personal
health record.
<bullet> Example 1: Diet and fitness app Y allows users to sync
their app with third-party wearable fitness trackers. Diet and fitness
app Y has the technical capacity to draw identifiable health
information both from the user (e.g., name, weight, height, age) and
the fitness tracker (e.g., user's name, miles run, heart rate), even if
some users elect not to connect the fitness tracker.
<bullet> Example 2: Diet and fitness app Y has the ability to pull
information from the user's phone calendar via the calendar API to
suggest personalized healthy eating options. Diet and fitness app Y has
the technical capacity to draw identifiable health information from the
user (e.g., name, weight, height, age) and non-health information
(e.g., calendar entry info, location, and time zone) from the user's
calendar.
As these examples make clear, and in response to one commenter's
concern that the changes would sweep in services that do not draw any
health information,\128\ the Commission notes the Rule still requires
drawing PHR identifiable health information from at least one source to
count as a personal health record.
---------------------------------------------------------------------------
\128\ NAI at 6.
---------------------------------------------------------------------------
The Commission declines to make other requested changes to the
definition of personal health record. First, the Commission declines to
include an express exemption for HIPAA-covered entities within the
definition of personal health record because Sec. 318.1 of the Rule
already specifically exempts businesses or organizations covered by
HIPAA.\129\ Second, the Commission declines to exempt apps and services
where there are available but unused or unpublicized APIs or
integrations. Similarly, the Commission declines to exempt apps and
services from the definition just because they are drawing information
from multiple sources while undergoing product or beta testing and are
not yet in their final form.\130\ The Commission notes a product
feature or integration that exists
[[Page 47038]]
and that is able to draw PHR identifiable health information counts as
a source under the Rule. Exempting such instances would be contrary to
the purpose of the Rule and would impermissibly limit notification of
breaches just because a product feature is not widely disseminated,
used, or in its final form. The Commission notes that, under the Rule,
a covered entity that experienced a breach of security of unsecured PHR
identifiable health information triggering the Rule would not be exempt
merely because the breach occurred in one of these scenarios.
---------------------------------------------------------------------------
\129\ See, e.g., 16 CFR 318.1(a) (Rule ``does not apply to
HIPAA-covered entities, or to any other entity to the extent that it
engages in activities as a business associate of a HIPAA-covered
entity.''); see also 16 CFR 318.2 (exempting business associates and
HIPAA-covered entities from the Rule's definitions of ``PHR related
entity'' and ``vendor of personal health records.'').
\130\ ACLA at 1-2; CTA at 11; AdvaMed at 5.
---------------------------------------------------------------------------
Further, and importantly, the Rule is triggered only by breaches of
unsecured PHR identifiable health information and does not apply to
information that is protected or ``secured'' through the use of a
technology or methodology specified by the Secretary of Health and
Human Services in the guidance issued under section 13402(h)(2) of the
American Reinvestment and Recovery Act of 2009, 42 U.S.C.
17932(h)(2).\131\ The Rule, therefore, creates appropriate incentives
for product testing that uses de-identified data or that secures
information through certain specifications, such as specified
encryption methods.
---------------------------------------------------------------------------
\131\ Per HHS guidance, electronic health information is
``secured'' if it has been encrypted according to certain
specifications set forth by HHS, or if the media on which electronic
health information has been stored or recorded is destroyed
according to HHS specifications. See 74 FR 19006; see also U.S.
Dep't of Health & Human Servs., Guidance to Render Unsecured
Protected Health Information Unusable, Unreadable, or Indecipherable
to Unauthorized Individuals (July 26, 2013), <a href="https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html">https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html</a>. PHR
identifiable health information would be considered ``secured'' if
such information is disclosed by, for example, a vendor of personal
health records, to a PHR related entity or a third party service
provider, in an encrypted format meeting HHS specifications, and the
PHR related entity or third party service provider stores the data
in an encrypted format that meets HHS specifications and also stores
the encryption and/or decryption tools on a device or at a location
separate from the data.
---------------------------------------------------------------------------
Third, the Commission declines, as one commenter requested,\132\ to
expressly exempt scenarios where a change is required to an app's
coding to draw information from another source. The Commission notes,
however, it does not intend to cover instances where an app can draw
from multiple sources only through changes to the design or underlying
software code and where the app developer does not implement those
changes.
---------------------------------------------------------------------------
\132\ CHI at 5 (asking the Commission to clarify that an ``app
having the ability to draw from multiple sources with some changes
to the app's coding/APIs is not within this definition's
threshold.'').
---------------------------------------------------------------------------
In addition, the Commission declines to remove from the definition
of personal health record the requirement that it be ``managed, shared,
and controlled by or primarily for the individual.'' This language
mirrors the Recovery Act's statutory definition of personal health
record.\133\ Further, this language provides a boundary to the
definition. Even if a website or app has the technical capacity to draw
information from multiple sources (for example, because it has
integrations for advertising or analytics), it must still be ``managed,
shared, and controlled by or primarily for the individual'' to be
covered by the Rule.
---------------------------------------------------------------------------
\133\ 42 U.S.C. 17921(11).
---------------------------------------------------------------------------
Generally, a personal health record is an electronic record of an
individual's health information by which the individual maintains
access to the information and may have, for example, the ability to
manage, track, control, or participate in his or her own health care.
If these elements are not present, the website or app may not be
``managed, shared, and controlled by or primarily for the individual,''
and would not, therefore, constitute a personal health record.
C. Clarification Regarding Types of Breaches Subject to the Rule
1. The Commission's Proposals
a. The Commission's Proposal Regarding ``Breach of Security''
The Commission proposed a definitional change to clarify that a
breach of security under the Rule encompasses unauthorized acquisitions
that occur as a result of a data breach or an unauthorized disclosure.
The Commission's proposal underscores that a breach of security is not
limited to data exfiltration, and includes unauthorized disclosures
(such as, but not limited to, a company's unauthorized sharing or
selling of consumers' information to third parties that is inconsistent
with the company's representations to consumers). The Rule previously
defined ``breach of security'' as the acquisition of unsecured PHR
identifiable health information of an individual in a personal health
record without the authorization of the individual, which language
mirrored the definition of ``breach of security'' in section
13407(f)(1) of the Recovery Act.
Accordingly, consistent with the Recovery Act definition, the
Policy Statement, FTC enforcement actions under the Rule, and public
comments received, the Commission proposed amending the definition of
``breach of security'' in Sec. 318.2 by adding the following sentence
to the end of the existing definition: ``[a] breach of security
includes an unauthorized acquisition of unsecured PHR identifiable
health information in a personal health record that occurs as a result
of a data breach or an unauthorized disclosure.'' The change was
intended to make clear to the marketplace that a breach includes an
unauthorized acquisition of identifiable health information that occurs
as a result of a data breach or an unauthorized disclosure, such as a
voluntary disclosure made by the PHR vendor or PHR related entity where
such disclosure was not authorized by the consumer.
The NPRM, like the 2009 Rule, continued to include a rebuttable
presumption for unauthorized access to an individual's data; it stated
when there is unauthorized access to data, unauthorized acquisition
will be presumed unless the entity that experienced the breach ``has
reliable evidence showing that there has not been, or could not
reasonably have been, unauthorized acquisition of such information.''
b. The Commission's Related Proposal To Not Define the Term
``Authorization'' in the Rule
In the 2023 NPRM, the Commission stated it had considered defining
the term ``authorization,'' which appears in Sec. 318.2's definition
of ``breach of security,'' but did not propose any such change in the
NPRM.
The Commission considered defining ``authorization'' to mean the
affirmative express consent of the individual and then defining
``affirmative express consent'' consistent with State laws that define
consent, such as the California Consumer Privacy Rights Act, Cal. Civ.
Code 1798.140(h).\134\ Such changes would have ensured notification is
required anytime there is acquisition of
[[Page 47039]]
unsecured PHR identifiable health information without the individual's
affirmative express consent for that acquisition--such as when an app
discloses unsecured PHR identifiable health information to another
company, having obtained nominal ``consent'' from the individual by
using a small, greyed-out, pre-selected checkbox following a page of
dense legalese.
---------------------------------------------------------------------------
\134\ As noted in the 2023 NPRM, the Commission considered
defining ``affirmative express consent'' as any freely given,
specific, informed, and unambiguous indication of an individual's
wishes demonstrating agreement by the individual, such as by a clear
affirmative action, following a clear and conspicuous disclosure to
the individual, apart from any ``privacy policy,'' ``terms of
service,'' ``terms of use,'' or other similar document, of all
information material to the provision of consent. Acceptance of a
general or broad terms of use or similar document that contains
descriptions of agreement by the individual along with other,
unrelated information, does not constitute affirmative express
consent. Hovering over, muting, pausing, or closing a given piece of
content does not constitute affirmative consent. Likewise, agreement
obtained through use of a user interface designed or manipulated with
the substantial effect of subverting or impairing user autonomy,
decision-making, or choice, does not constitute affirmative express
consent. See 88 FR 37830 n.78.
---------------------------------------------------------------------------
The Commission did not, however, propose to define
``authorization'' because (1) the 2009 Rule Commentary already provided
guidance on the types of disclosures the Commission considers to be
``unauthorized''; \135\ (2) recent Commission orders, such as the
Commission's enforcement actions against GoodRx and Easy
Healthcare,\136\ also make clear that the use of ``dark patterns,''
which have the effect of manipulating or deceiving consumers, including
through use of user interfaces designed with the substantial effect of
subverting or impairing user autonomy and decision-making, does not
satisfy the standard of ``meaningful choice''; and (3) Commission
settlements establish important guidelines involving authorization (the
Commission's recent settlement with GoodRx, alleging violations of the
Rule, highlights that disclosures of PHR identifiable health
information inconsistent with a company's privacy promises constitute
an unauthorized disclosure).
---------------------------------------------------------------------------
\135\ See, e.g., 74 FR 42967.
\136\ United States v. GoodRx Holdings, Inc., No. 23-cv-460
(N.D. Cal. 2023), <a href="https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc">https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc</a>; United States v. Easy
Healthcare Corp., No. 1:23-cv-3107 (N.D. Ill. 2023), <a href="https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v">https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v</a>.
---------------------------------------------------------------------------
The Commission sought public comment about:
<bullet> Whether the commentary above and FTC enforcement actions
under the Rule provide sufficient guidance to put companies on notice
about their obligations for obtaining consumer authorization for
disclosures, or whether defining the term ``authorization'' would
better inform companies of their compliance obligations.
<bullet> To the extent that including such definitions would be
appropriate, the definitions of ``authorization'' and ``affirmative
express consent,'' as described above, and the extent to which such
definitions are consistent with the language and purpose of the
Recovery Act.
<bullet> What constitutes an acceptable method of authorization,
particularly when unauthorized sharing is occurring.\137\
---------------------------------------------------------------------------
\137\ For example, the Commission sought comment on whether, when
a vendor of personal health records or a PHR-related entity is sharing
information covered by the Rule, it is acceptable for that entity to
obtain the individual's authorization to share that information when
an individual clicks ``agree'' or ``accept'' in connection with a
pre-checked box disclosing such sharing. Is it sufficient if an
individual agrees to terms and conditions disclosing such sharing
but that individual is not required to review the terms and
conditions? Or is it sufficient if an individual uses a health app
that discloses in its privacy policy that such sharing occurs, but
the app knows via technical means that the individual never
interacts with the privacy policy? See 88 FR 37832.
---------------------------------------------------------------------------
<bullet> Whether there are certain types of sharing for which
authorization by consumers is implied because such sharing is expected
and/or necessary to provide a service to consumers.
2. Public Comments
a. Public Comments Regarding ``Breach of Security''
Many commenters supported the Commission's proposed amendment to
the definition of ``breach of security.'' \138\ One commenter noted the
change is consistent with the broad definition of ``breach of
security'' in the Recovery Act, which refers explicitly to the
acquisition of PHR identifiable health information without the
authorization of an individual (rather than the authorization of an
entity holding the data, as is the case where a breach involves data
theft or exfiltration).\139\ Commenters also noted the amendment would
ensure notice, accountability, and regulatory oversight, regardless of
the underlying cause of the unauthorized acquisition.\140\ Commenters
noted that breaches encompass more than just cybersecurity
intrusions.\141\ Commenters also argued that a company's voluntary
unauthorized disclosure can be just as damaging as data theft.\142\ For
instance, a commenter noted that unauthorized disclosures of health
information may cause embarrassment, perpetuate stigma about patients'
conditions, deter patients from seeking care, interfere in the patient-
physician relationship, or impact patients' employment.\143\ Moreover,
voluntary, unauthorized disclosures increase the risk of additional
unauthorized acquisition and sharing of this information among bad
actors.\144\
---------------------------------------------------------------------------
\138\ See, e.g., TMA at 3; U.S. PIRG at 2-3; AAFP at 3; AHIMA at
3; AMA at 3-4; AMIA at 3; AOA at 2-3; AHIOS at 3; CDT at 11-12;
CHIME at 4; EPIC at 5-6.
\139\ Consumer Rep.'s at 4.
\140\ CDT at 11-12; U.S. PIRG at 2-3.
\141\ AMA at 4; CDT at 11-12; EPIC at 5.
\142\ AAFP at 3; CDT at 11-12.
\143\ AOA at 2.
\144\ AHIMA at 3.
---------------------------------------------------------------------------
Some commenters supported expanding or changing the definition
further. Specifically, some commenters urged the Commission to amend
the definition to encompass (1) exceeding authorized access or use of
PHR identifiable health information, such as where a company collects
data for one purpose, but later uses or discloses that data for a
second, undisclosed purpose; \145\ or (2) the collection or retention
of PHR identifiable health information beyond what is necessary to
provide the associated service to an individual consumer.\146\ One
commenter asked the Commission to clarify that the Rule would be
triggered by unauthorized use of or access to information derived from
PHR identifiable health information, and to define the term
``acquisition.''\147\
---------------------------------------------------------------------------
\145\ FPF at 12-15.
\146\ EPIC at 5-7; U.S. PIRG at 2-3.
\147\ Mozilla at 6-7.
---------------------------------------------------------------------------
Some commenters, however, urged the Commission to not amend the
definition at all. These commenters expressed concern the amendment
would cause the Rule to exceed what Congress intended in the Recovery
Act and transform the Rule into an opt-in notice and consent privacy
regime.\148\ Commenters argued further the proposed changes would cause
consumer notice fatigue,\149\ consumer panic,\150\ or over-reporting by
companies.\151\ One commenter urged the Commission to limit the
definition of ``acquisition'' to actual acquisition, and exclude
instances of access or disclosure where the information was not
actually acquired by a third party.\152\ Commenters argued the proposed
definition would be burdensome and force companies to limit certain
beneficial disclosures to certain third parties, such as disclosures to
support internal operations, detect security vulnerabilities or fraud,
for law enforcement, and other purposes.\153\
---------------------------------------------------------------------------
\148\ Chamber at 6; Priv. for Am. at 2-5; ANA at 6-7.
\149\ SIIA at 3; CTA at 13-14.
\150\ CCIA at 4-5, 7 (arguing that requiring notification for
unauthorized disclosures could cause consumers to worry in the
absence of harm, such as where it is ``typical'' to disclose such
information.)
\151\ CTA at 13-14.
\152\ Id. at 14-16.
\153\ TechNet at 3; Chamber at 7; CCIA at 5-6.
---------------------------------------------------------------------------
Some commenters also urged that the Commission adopt carve-outs so
that certain conduct would not be deemed breaches of security under the
Rule. Commenters requested exemptions consistent with or found in HIPAA
or
[[Page 47040]]
under State breach notification laws, such as exemptions for
disclosures to certain types of entities or for certain purposes, or
where there is inadvertent or unintentional access, use, or
disclosure.\154\ Commenters also proposed safe harbors for companies
that implement recognized security or privacy safeguards; \155\ and one
commenter proposed safe harbors that would apply where data is shared
with ``affiliated businesses,'' where there is inadvertent but ``good-
faith'' access by a company employee, where a company makes good faith
efforts to inform consumers of disclosures to third parties, and where
companies take steps to contractually limit downstream uses of the
data.\156\ Other commenters expressed support for exempting disclosures
of PHR identifiable health information to public health authorities for
public health purposes, noting the amended definition could discourage
such disclosures.\157\
---------------------------------------------------------------------------
\154\ CHI at 4 (stating the FTC ``should explicitly except the
same situations from disclosure that are excepted from HIPAA
disclosures, and/or try to align exceptions with those found in
State privacy statutes.''); CTA at 16; HIA at 2; TechNet at 3
(arguing the Rule should adopt exemptions that encompass ``actions
taken to prevent and detect security incidents, to comply with a
civil, criminal, or regulatory inquiry or investigation, to
cooperate with law enforcement agencies concerning conduct or
activity that the data controller reasonably and in good faith
believes may be illegal, to perform internal operations consistent
with a consumer's expectations, and to provide a product or service
that a consumer requested.''); CCIA at 5-6 (arguing the Rule should
exempt disclosures relating to a host of purposes, including:
preventing and detecting security incidents and fraud, complying
with legal process, cooperating with law enforcement, performing
internal operations consistent with consumer expectations, providing
a service requested by the consumer, protecting ``the vital
interests of the consumer,'' or processing data relating to public
health); Chamber at 7 (arguing if the Commission does amend the
definition of breach of security, it ``should provide exceptions for
legitimate and societally beneficial uses of data that other privacy
laws have for failure to honor opt-in including but not limited to
network security, prevention and detection of fraud, protection of
health, network maintenance, and service/product improvement.'');
LAB at 2.
\155\ DirectTrust at 1-2.
\156\ ATA Action at 2.
\157\ Network for Pub. Health L. and Texas A&M Univ. at 1-2.
---------------------------------------------------------------------------
b. Public Comments Regarding Defining ``Authorization''
Commenters were divided as to whether the Commission should define
``authorization.'' Some commenters supported defining ``authorization''
to provide greater guidance to companies, to promote transparency, and
to discourage buried or inconspicuous disclosures relating to health
information, or approaches to consent that are not meaningful because
they are confusing or coercive.\158\ To further regulatory consistency,
some commenters supported adding a definition of ``authorization'' that
is consistent with how that term is defined in other health-related
laws, such as under HIPAA \159\ or State health privacy laws that
define consent or authorization (such as the California Consumer
Privacy Rights Act \160\ or the Washington My Health, My Data
Act).\161\
---------------------------------------------------------------------------
\158\ AHIP at 4; Light Collective at 4; MRO at 2-3; Mozilla at
4; CARIN Alliance at 10; Consumer Rep.'s at 9; see also PharmedOut
at 3 (arguing that defining ``authorization'' is crucial but urging
the Commission go further and place substantive restrictions on what
companies can do with consumer health data.).
\159\ AdvaMed at 7 (arguing that any definition of
``authorization'' or ``affirmative express consent'' should take
into account the necessity for medical technologies and medical
technology companies to be able to operate and communicate under
standards consistent with those governing HIPAA covered entities and
others in the health care ecosystem. These standards permit certain
uses and disclosures of individually identifiable health information
without express consent where necessary for the provision of timely
and effective health care); MRO at 3; AHIMA at 7-8.
\160\ AHIOS at 3.
\161\ Consumer Rep.'s at 9.
---------------------------------------------------------------------------
By contrast, some commenters opposed defining the term--or opposed
any requirement under the Rule that entities obtain authorization
before disclosing PHR identifiable health
information.\162\ Commenters argued that Congress had not granted the
Commission the authority to define ``authorization'' in the Recovery
Act,\163\ or that doing so would import a substantive consent
requirement that is outside the scope of the Rule, converting a breach
notice Rule into an opt-in privacy regime.\164\ Other commenters noted
that requiring a specifically defined authorization would create an
inflexible standard that would not evolve with changes in
technology.\165\ Other commenters opposed requiring consumers to review
terms before agreeing to use a service, contending that this would not
increase consumer understanding of those terms.\166\
---------------------------------------------------------------------------
\162\ HIA at 2 (arguing that ``[r]outine disclosures of data
should be allowed in certain contexts without additional need for
authorizations''); CTA at 16-17; AdvaMed at 7-8; ACLA at 6;
Confidentiality Coal. at 4-5.
\163\ Confidentiality Coal. at 4-5.
\164\ CTA at 16-17 (arguing that the Rule does not allow the
Commission to impose ``substantive consent requirements'' that would
be burdensome and ``likely not administrable for many companies.'').
\165\ SIIA at 4.
\166\ CHI at 7.
---------------------------------------------------------------------------
Some commenters endorsed other approaches that would exempt from
any requirement of affirmative express consent certain types of
disclosures of PHR identifiable health information, such as to service
providers, data processors, and entities that assist with combatting
fraud and promoting safety.\167\ Some commenters urged a disclosure be
deemed authorized if the disclosure is consistent with a company's
privacy notices or policies or where applicable State privacy laws
require affirmative consent or provide for the right to opt-out,
without the need to define affirmative express consent under the
Rule.\168\ One commenter argued that authorization should be met when a
consumer agrees to opt-in to certain data sharing, such as by clicking
a box proximate to a disclosure of material terms.\169\
---------------------------------------------------------------------------
\167\ FPF at 10 (arguing that ``an organization may share
information with a service provider operating on their behalf to
provide storage; may share information to protect the safety or
vital interests of an individual or react to a public health
emergency; or to protect themselves against security incidents and
fraud. In each of these situations, data protection laws typically
invoke a variety of non-consent measures, including data
minimization, transparency, notice to the end-user or the regulator,
and opportunities to object.''); Chamber at 7.
\168\ Confidentiality Coal. at 4-5; SIIA at 4; CHI at 7.
\169\ CTA at 17.
---------------------------------------------------------------------------
3. The Commission Adopts the Proposed Changes to the Definition of
``Breach of Security''
After carefully considering the public comments, the Commission
adopts the proposed amendment without change. The final rule definition
is consistent with the statutory definition in the Recovery Act, the
Policy Statement,\170\ and recent Commission enforcement actions under
the Rule. The Commission notes the statutory definition in the Recovery
Act is sufficiently broad to cover both cybersecurity intrusions as
well as a company's intentional but unauthorized disclosures of
consumers' PHR identifiable health information to third party
companies. In addition, the Commission finds persuasive the comment
noting the Recovery Act's definition of ``breach of security'' refers
to the acquisition of PHR identifiable health information without the
authorization of an individual, rather than the authorization of the
entity holding the data.\171\ The definition is
[[Page 47041]]
also consistent with public comments received by the Commission in 2020
(when the Commission announced its regular, ten-year review of the Rule
and requested public comments about potential Rule changes \172\),
which urged the Commission to clarify what constitutes an unauthorized
acquisition under the Rule.\173\ Importantly, the amendment to the
definition of ``breach of security'' in Sec. 318.2 does not depart
from the 2009 Rule Commentary or the Commission's enforcement policy
under the Rule. Instead, it further underscores the 2009 Rule
Commentary and subsequent Commission enforcement actions that
unauthorized disclosures (i.e., sharing inconsistent with consumer
expectations) can be a ``breach of security'' that triggers the
Rule.\174\
---------------------------------------------------------------------------
\170\ The Commission's Policy Statement makes clear that
``[i]ncidents of unauthorized access, including sharing of covered
information without an individual's authorization, triggers
notification obligations under the Rule,'' and that a breach ``is
not limited to cybersecurity intrusions or nefarious behavior.''
Policy Statement at 2.
\171\ Consumer Rep.'s at 5 (noting ``the Recovery Act frames
breaches of security in relation to individuals, rather than to
vendors of personal health records or PHR related entities,'' and
defines breach of security as ``acquisition of such information
without the authorization of the individual.'')
\172\ 85 FR 31085 (May 22, 2020).
\173\ See Public Comments in response to May 2020 Request for
Public Comments in connection with regular, ten-year review of Rule:
AMA at 5-6 (``The FTC should define `unauthorized access' as
presumed when entities fail to disclose to individuals how they
access, use, process, and disclose their data and for how long data
are retained. Specifically, an entity should disclose to individuals
exactly what data elements it is collecting and the purpose for
their collection''; ``[T]he FTC should define `unauthorized access'
as presumed when an entity fails to disclose to an individual the
specific secondary recipients of the individual's data.''); AMIA at
2 (recommending the FTC ``[e]xpand on the concept of `unauthorized
access' under the definition of `Breach of security,' to be presumed
when a PHR or PHR related entity fails to adequately disclose to
individuals how user data is accessed, processed, used, reused, and
disclosed.''); OAG-CA at 5-6 (urging the FTC to include
``impermissible acquisition, access, use, disclosure'' under the
definition of breach.). These comments can be found at <a href="https://www.regulations.gov/docket/FTC-2020-0045">https://www.regulations.gov/docket/FTC-2020-0045</a>.
\174\ The 2009 Rule Commentary noted other examples illustrating
that unauthorized sharing or transferring of information constitutes
a breach of security, including that the unauthorized downloading or
transfer of information by an employee can constitute a breach of
security; that inadvertent access by an unauthorized employee
reading or sharing information triggers the Rule's notification
obligations; and notes that given the highly personal nature of
health information, ``the Commission believes that consumers would
want to know if such information was read or shared without
authorization.'' See 74 FR 42966-67.
---------------------------------------------------------------------------
The Commission declines to adopt any specific exemptions or safe
harbors to the definition of breach of security. Unlike in the section of
the Recovery Act that governs breach notifications under HIPAA,\175\
Congress did not provide for any specific, enumerated exemptions for
breaches under the Commission's Rule. Moreover, the Commission's Rule
provides for a rebuttable presumption for certain types of access: when
there is unauthorized access to data, unauthorized acquisition will be
presumed unless the entity that experienced the breach ``has reliable
evidence showing that there has not been, or could not reasonably have
been, unauthorized acquisition of such information.'' That is,
companies can rebut the presumption of acquisition in instances of
unauthorized access by providing reliable evidence disproving
acquisition. The Commission has previously offered guidance on what
counts as unauthorized access and reiterates that guidance here.\176\
---------------------------------------------------------------------------
\175\ 42 U.S.C. 17921; see also U.S. Dep't of Health & Human
Servs., Breach Notification (July 26, 2013), <a href="https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html">https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html</a>. Under the
Recovery Act's definition of ``breach of security'' for the Rule
governing HIPAA-covered entities and business associates, the
statute explicitly provides for three exceptions: (1) unintentional
acquisition, access, or use of protected health information by a
workforce member or person acting under the authority of a covered
entity or business associate, if such acquisition, access, or use
was made in good faith and within the scope of authority; (2) the
inadvertent disclosure of protected health information by a person
authorized to access protected health information at a covered
entity or business associate to another person authorized to access
protected health information at the covered entity or business
associate, or organized health care arrangement in which the covered
entity participates; and (3) if the covered entity or business
associate has a good faith belief that the unauthorized person to
whom the impermissible disclosure was made, would not have been able
to retain the information. See 45 CFR 164.400 through 164.414. In
the first two cases, the information cannot be further used or
disclosed in a manner not permitted by the Privacy Rule. These
exceptions are not found in the provisions of the Recovery Act
authorizing the FTC's Health Breach Notification Rule; this makes
sense, given there is no analogous Privacy Rule, Security Rule, or
required Business Associate agreements outside the HIPAA sphere
governing entities covered by the FTC's Health Breach Notification
Rule.
\176\ The Rule continues to provide that, when there is
unauthorized access to data, unauthorized acquisition will be
presumed unless the entity that experienced the breach ``has
reliable evidence showing that there has not been, or could not
reasonably have been, unauthorized acquisition of such
information.'' As noted in the 2009 Rule Commentary, the presumption
was intended to address the difficulty of determining whether access
to data (i.e., the opportunity to view the data) did or did not lead
to acquisition (i.e., the actual viewing or reading of the data). In
these situations, the Commission stated that the entity that
experienced the breach is in the best position to determine whether
unauthorized acquisition has taken place. In describing the
rebuttable presumption, the Commission provided several examples. It
noted that no breach of security has occurred if an unauthorized
employee inadvertently accesses an individual's PHR and logs off
without reading, using, or disclosing anything. If the unauthorized
employee read the data and/or shared it, however, he or she
``acquired'' the information, thus triggering the notification
obligation in the Rule. Similarly, the Commission provided an
example of a lost laptop: If an entity's employee loses a laptop in
a public place, the information would be accessible to unauthorized
persons, giving rise to a presumption that unauthorized acquisition
has occurred. The entity can rebut this presumption by showing, for
example, that the laptop was recovered, and that forensic analysis
revealed that files were never opened, altered, transferred, or
otherwise compromised. See 74 FR 42966.
---------------------------------------------------------------------------
4. The Commission Affirms Its Proposal Not To Define ``Authorization''
After carefully considering the public comments, the Commission
declines to define ``authorization,'' as that term appears in Sec.
318.2's definition of ``breach of security.'' The Commission finds
persuasive the public comments suggesting that imposing an affirmative
express consent requirement would not be appropriate or warranted in
all cases.
The Commission believes whether a disclosure is authorized under
the Rule is a fact-specific inquiry that will depend on the context of
the interactions between the consumer and the company; the nature,
recipients, and purposes of those disclosures; the company's
representations to consumers; and other applicable laws. The Commission
reiterates the 2009 Rule Commentary, which states a use of data is
``authorized'' only where it is consistent with a company's disclosures
and consumers' reasonable expectations and where there is meaningful
choice in consenting to sharing--buried disclosures do not
suffice.\177\
---------------------------------------------------------------------------
\177\ The 2009 Rule Commentary states: ``[g]iven the highly
personal nature of health information, the Commission believes that
consumers would want to know if such information was read or shared
without authorization.'' It further states that data sharing to
enhance consumers' experience with a PHR is authorized only ``as
long as such use is consistent with the entity's disclosures and
individuals' reasonable expectations'' and that ``[b]eyond such
uses, the Commission expects that vendors of personal health records
and PHR related entities would limit the sharing of consumers'
information, unless the consumers exercise meaningful choice in
consenting to such sharing. Buried disclosures in lengthy privacy
policies do not satisfy the standard of `meaningful choice.' '' 74
FR 42967.
---------------------------------------------------------------------------
The Commission's recent enforcement actions alleging violations of
the Rule against GoodRx and Easy Healthcare further highlight that
disclosures of PHR identifiable health information inconsistent with a
company's privacy promises constitute an unauthorized disclosure. These
recent Commission orders also make clear that the use of ``dark
patterns,'' which have the effect of manipulating or deceiving
consumers, including through use of user interfaces designed with the
substantial effect of subverting or impairing user autonomy and
decision-making, undercuts an entity's assertion that consumers
exercised ``meaningful choice.''
In response to public comments seeking more guidance on what
constitutes an unauthorized disclosure under the Rule,\178\ the
Commission
[[Page 47042]]
offers the following, non-exhaustive examples relating to
authorization:
---------------------------------------------------------------------------
\178\ TechNet at 4; Tranquil Data at 4.
---------------------------------------------------------------------------
<bullet> Example 1--Unauthorized Disclosure (Affirmative
Misrepresentation): A medication app offers a personal health record
(not covered by HIPAA) which allows users to track information about
their prescription medication history, such as prescription names,
dosages, pharmacy and refill information, and the user's health
conditions. The app voluntarily discloses PHR identifiable health
information to third party companies for advertising and advertising-
related analytics, in violation of the app's privacy representations to
its users. The third parties that receive the PHR identifiable health
information are able to use the information for their own business
purposes, such as to improve the third party's own products and
services, to infer information about consumers, or to compile profiles
about consumers to use for targeted advertising. These disclosures are
not authorized under the Rule because they are inconsistent with
consumer expectations--the disclosures violate the app's privacy
representations, and consumers would also not expect their PHR
identifiable health information (which they input into the app to track
their medications and health conditions) would be disclosed to, and
used by, third party companies that use the data for their own economic
benefit.
<bullet> By contrast, disclosures of PHR identifiable health
information by the app in Example 1 would be authorized if made to
service providers in the following circumstances: (1) the service
providers assist with functions that are necessary to the operation and
functioning of the medication app, or with services the consumer
requested; (2) the service providers are contractually prohibited from
using, sharing, or disclosing the PHR identifiable health information
for any purpose beyond providing services to the medication app; and
(3) the medication app's privacy notice clearly and conspicuously
discloses the specific purposes for which it shares users' PHR
identifiable health information with these service providers. Such
authorized disclosures could include those to cloud storage providers
that host user data in the health record in a secure fashion; payment
processors who process user payments to the app; vendors that
facilitate refill reminders or other communications from the app
developer that directly relate to the provision of the personal health
record or services the consumer requested; analytics providers that
assist with tracking analytics relating to the app's functionality;
\179\ or companies that help to detect, prevent, or mitigate fraud or
security vulnerabilities. Such disclosures are authorized because they
are consistent with consumer expectations. Importantly, this sharing is
disclosed to consumers in a clear and conspicuous manner, and is
essential, and limited to, sharing the PHR identifiable health
information with service providers solely to provide users with a safe
and reliable personal health record experience.
---------------------------------------------------------------------------
\179\ This would include an analytics provider whose services
are essential to the proper functioning of the app and not tied to
marketing or advertising--this includes analytics tools to assist
with crash reporting or to assess usage patterns (such as the
frequency of use of certain features).
---------------------------------------------------------------------------
• Example 2--Unauthorized Disclosure (Deceptive Omission):
The medication app from Example 1 shares PHR identifiable health
information with a third party for purposes of targeting consumers with
ads. The app does not disclose the sharing and also fails to obtain
affirmative express consent from users whose information it shares. The
third party company can use the PHR identifiable health information to
market and advertise--on behalf of the medication app, on behalf of
other companies, or on behalf of itself. It can also use the
information to improve its own products and services. Such disclosures
are not authorized because they are not consistent with consumer
expectations (i.e., without disclosure and without affirmative express
consent, consumers would not expect that their PHR identifiable health
information would be shared, sold, or otherwise exploited for a purpose
other than providing the user with a personal health record, and are
neither essential nor limited to sharing the PHR identifiable health
information solely to provide users with a safe and reliable personal
health record experience). This conclusion is also consistent with
Commission enforcement actions relating to the sharing of health
information (e.g., GoodRx and Easy Healthcare), and those relating to
the sharing of other types of sensitive information.\180\
---------------------------------------------------------------------------
\180\ Fed. Trade Comm'n et al. v. Vizio, Inc. et al., No. 17-cv-
00758 (D.N.J. 2017), <a href="https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3024-vizio-inc-vizio-inscape-services-llc">https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3024-vizio-inc-vizio-inscape-services-llc</a>.
---------------------------------------------------------------------------
• Example 3--Authorized Disclosure (Public Health
Reporting): A COVID-19 contact tracing app not covered by HIPAA allows
users to self-report their COVID-19 diagnosis, and to notify the user's
contacts of their diagnosis, or others with whom the individual may
have come into physical contact. PHR identifiable health information
about the individual's COVID-19 diagnosis is transmitted to public
health authorities for public health-related purposes, such as public
health reporting and analysis or to track areas where the virus is
spreading the most rapidly. The contact tracing app discloses to users
clearly and conspicuously the specific purposes for which it shares
their PHR identifiable health information with public health
authorities. These disclosures are authorized, and consistent with
consumer expectations, because they are consistent with the company's
relationship with the consumer (a PHR that allows a user to report
their COVID-19 diagnosis in order to notify others) and are also
appropriately disclosed.
Examples 1 and 3 provide guidance about scenarios in which limited
disclosures of PHR identifiable health information are permitted
without opt-in consent because the sharing is necessary to provide a
personal health record to a consumer, is consistent with consumer
expectations, is disclosed to consumers, and (in the case of Example 1)
is subject to protections like service provider agreements that limit
the use of the data to the purpose of providing that service to the
consumer. Examples 1 and 3 are also consistent with
HIPAA and State health privacy laws.\181\ For instance, HIPAA permits
disclosures for treatment, payment, and operations without patient
authorization.
---------------------------------------------------------------------------
\181\ For example, Washington State's My Health, My Data Act
permits sharing consumer health data to the ``extent necessary to
provide a product or service that the consumer to whom such consumer
health data relates has requested from such regulated entity or
small business.'' See Revised Code of Washington (RCW) 19.373.030
(1)(b)(ii).
---------------------------------------------------------------------------
The Commission notes ``breach of security'' could cover more than
just an unauthorized disclosure to a third party. For example,
depending on the facts and scope of the authorizations, such as in the
company's promises and disclosures to consumers, a ``breach of
security'' could include unauthorized uses. There may be a ``breach of
security'' where an entity exceeds authorized access to use PHR
identifiable health information, such as where it obtains the data for
one legitimate purpose, but later uses that data for a secondary
purpose that was not originally authorized by the individual.
Finally, the Commission notes unauthorized access or use of derived
PHR identifiable health information may also constitute a breach of
security. The Commission noted in its 2023 NPRM that PHR identifiable
health information includes ``health
[[Page 47043]]
information derived from consumers' interactions with apps and other
online services (such as health information generated from tracking
technologies employed on websites or mobile applications or from
customized records of website or mobile application interactions), as
well as emergent health data (such as health information inferred from
non-health-related data points, such as location and recent
purchases).'' \182\
---------------------------------------------------------------------------
\182\ 88 FR 37823.
---------------------------------------------------------------------------
D. Clarification of What Constitutes a ``PHR Related Entity''
1. The Commission's Proposal Regarding ``PHR Related Entity''
The NPRM proposed to revise the definition of ``PHR related
entity'' in two ways. Consistent with its clarification that the Rule
applies to health apps, the Commission proposed amending the definition
of ``PHR related entity'' to make clear the Rule covers entities that
offer products and services through the online services, including
mobile applications, of vendors of personal health records. In
addition, the Commission proposed revising the definition of ``PHR
related entity'' to provide that entities that access or send unsecured
PHR identifiable health information to a personal health record--rather
than entities that access or send any information to a personal health
record--are PHR related entities.
The Commission explained the first change (to cover online
services) was necessary as websites are no longer the only means
through which consumers access health information online. The
Commission explained the second change--narrowing the scope of ``PHR
related entities'' to entities that access or send unsecured PHR
identifiable health information--was intended to eliminate potential
confusion about the Rule's breadth and promote compliance by narrowing
the scope of entities that qualify as PHR related entities.\183\ The
Commission identified remote blood pressure cuffs, connected blood
glucose monitors, and fitness trackers as examples of internet-
connected devices that could qualify as a PHR related entity when
individuals sync them with a personal health record (e.g., a health
app).\184\ The Commission explained, however, that a grocery delivery
service that sends information about food purchases to a diet and
fitness app would not be a PHR related entity if it does not access
unsecured PHR identifiable health information in a personal health
record or send unsecured PHR identifiable health information to a
personal health record.
---------------------------------------------------------------------------
\183\ The proposed definition stated that a PHR related entity
is an entity, other than a HIPAA-covered entity or an entity to the
extent that it engages in activities as a business associate of a
HIPAA-covered entity, that (1) offers products or services through
the website, including any online service, of a vendor of personal
health records; (2) offers products or services through the
websites, including any online services, of HIPAA-covered entities
that offer individuals personal health records; or (3) accesses
unsecured PHR identifiable health information in a personal health
record or sends unsecured PHR identifiable health information to a
personal health record. Although the Rule is only triggered when
there is a breach of security involving unsecured PHR identifiable
health information, the Commission explained it believed there is a
benefit to revising the third prong of PHR related entity to make
clear that only entities that access or send unsecured PHR
identifiable health information to a personal health record--rather
than entities that access or send any information to a personal
health record--are PHR related entities. Otherwise, many entities
could be a PHR related entity under the definition's third prong and
such entities would then, in the event of a breach, need to analyze
whether they experienced a reportable breach under the Rule. If an
entity, per the proposed revision, does not qualify as a PHR related
entity in the first place, there would be no need to consider
whether it experienced a reportable breach. 88 FR 37825 n.54.
\184\ The Commission explained, for example, the maker of a
wearable fitness tracker may be both a vendor of personal health
records (to the extent that its tracker interfaces with its own app,
which also accepts consumer inputs) and a PHR related entity (to the
extent that it sends information to another company's health app).
The Commission noted that regardless of whether the maker of the
fitness tracker is a vendor of personal health records or a PHR
related entity, its notice obligations are the same: it must notify
individuals, the FTC, and in some cases, the media, of a breach. 16
CFR 318.3(a), 318.5(b). 88 FR 37825 n.55.
---------------------------------------------------------------------------
The proposed Rule also revised Sec. 318.3(b) by adding language
establishing that a third party service provider is not rendered a PHR
related entity when it accesses unsecured PHR identifiable health
information in the course of providing services. The Commission
explained it did not intend for any entity (such as a firm performing
attribution and analytics services for a health app) to be considered
both a PHR related entity (to the extent it accesses unsecured PHR
identifiable health information in a personal health record) and a
third party service provider, which could create competing notice
obligations and confuse consumers with notice from an unfamiliar
company. The Commission explained it considers such firms to be third
party service providers that must notify the health app developers for
whom they provide services, who in turn would notify affected
individuals.
The Commission explained that distinguishing between third party
service providers and PHR related entities would create incentives for
responsible data stewardship and for de-identification because a firm
would only become an entity covered by the Rule in relation to
unsecured PHR identifiable health information. To the extent that firms
must deal with unsecured PHR identifiable health information, PHR
vendors would have incentives to select and retain service providers
capable of treating data responsibly (e.g., by not engaging in any
onward disclosures of data that could result in a reportable breach)
and incentives to oversee their service providers to ensure ongoing
responsible data stewardship (which would avoid a breach).
The Commission observed in most cases, third party service
providers are likely to be non-consumer facing. The Commission noted
examples of PHR related entities would include, as noted above, makers
of fitness trackers and health monitors when consumers sync their
devices with a mobile health app. The Commission noted further examples
of third party service providers would include entities that provide
support or administrative functions to vendors of personal health
records and PHR related entities.
2. Public Comments Regarding ``PHR Related Entity''
The Commission received numerous public comments about the changes
to the definition of PHR related entity. Most commenters supported the
Commission's approach.\185\ One commenter, an industry association for
advertisers, noted that addition of the term ``unsecured'' in the
definition of ``PHR related entity'' created a limitation on the
definition's scope that counterbalances the breadth of including ``any
online service'' in the definition.\186\ Moreover, this commenter
noted, the addition of ``unsecured'' creates appropriate incentives for
firms to secure PHR identifiable health information and to choose
partners who will be good data stewards.\187\ This commenter noted that
limiting the definition to ``unsecured'' PHR identifiable health
information was consistent with the original intent of the Rule, to
cover only the most sensitive types of data not covered by HIPAA.\188\
---------------------------------------------------------------------------
\185\ ANI at 1; AAFP at 3; AHIMA at 3; AHIOS at 4; AOA at 3;
CARIN Alliance at 3; CDT at 12; CHIME at 3; Confidentiality Coal. at
6; Consumer Rep.'s at 6; CHI at 5; DirectTrust at 4; EFF at 2; EPIC
at 7.
\186\ NAI at 4-5.
\187\ Id. at 5.
\188\ Id. at 4.
---------------------------------------------------------------------------
A few commenters proposed changes to the definition of ``third
party service provider'' to further distinguish the term from ``PHR
related entity.'' One commenter recommended defining ``third party
service provider'' as an
[[Page 47044]]
entity that only processes data.\189\ This commenter argued the
Commission could then impose liability on service providers for further
use, sale, or disclosure for incompatible purposes.\190\ Another commenter
recommended aligning the definition of ``third party service provider''
with the definition of ``business associate'' under HIPAA.\191\
---------------------------------------------------------------------------
\189\ FPF at 10.
\190\ Id.
\191\ AdvaMed at 8.
---------------------------------------------------------------------------
Some commenters raised concerns that the Commission's approach did
not provide sufficient clarity for companies trying to understand their
obligations as either a third party service provider or PHR related
entity.\192\ Some commenters requested more examples of types of firms
falling within each definition (e.g., examples clearly establishing the
status of health data brokers, health marketing firms, search engines,
email providers, cloud storage providers) \193\--to facilitate
compliance,\194\ avoid overlapping notice requirements \195\ and to
prevent a loophole through which firms may attempt to avoid obtaining
consumers' authorization for data disclosures and to avoid providing
breach notifications.\196\ One commenter urged the Commission to exempt
from the definition of ``PHR related entity'' any firm that complies
with the privacy and data security requirements of HIPAA.\197\
---------------------------------------------------------------------------
\192\ SIIA at 3; CARIN Alliance at 4.
\193\ AHIMA at 3-4; AMIA at 3-4; CHI at 5; Direct Trust at 1;
Light Collective at 4-5.
\194\ SCRS at 1.
\195\ NAI at 5.
\196\ MRO at 3.
\197\ AdvaMed at 5.
---------------------------------------------------------------------------
In response to the Commission's request for comment on whether an
analytics firm would be a third party service provider, many commenters
responded that an analytics firm should fall within that definition
\198\ for the reasons the Commission articulated: It would be confusing
to consumers to receive a notice from a back-end service provider
rather than the firm with whom the consumer has the relationship, and
categorizing analytics firms (and firms that provide other services) as
service providers will create incentives for PHR vendors and PHR
related entities to choose their service providers with care. A few
commenters, however, expressed concern about covering advertising,
analytics, and cloud firms--and health information service providers
(``HISPs'') more generally--as they are unable to determine whether the
data they receive contains unsecured PHR identifiable health
information; only the vendor of the PHR knows what their data
transmissions contain.\199\ One commenter urged the Commission to
address the data recipient's unawareness of the content of the data by
creating a safe harbor that exempts advertising, analytics and cloud
providers that contractually limit their customers, vendors, or
partners from sharing health information with them.\200\
---------------------------------------------------------------------------
\198\ NAI at 5; TMA at 3; Consumer Rep.'s at 11.
\199\ CCIA at 7-8; CTA at 9-10; SIIA at 3; Direct Trust at 5.
\200\ CTA at 13.
---------------------------------------------------------------------------
3. The Commission Adopts the Proposed Changes to ``PHR Related Entity''
After considering the comments received, the Commission adopts the
proposed changes regarding ``PHR related entity'' without further
change. The Commission affirms that (1) PHR related entities include
entities offering products and services not only through the websites
of vendors of personal health records, but also through any online
service, including mobile applications; (2) PHR related entities
encompass only entities that access or send unsecured PHR identifiable
health information to a personal health record; and (3) while some
third party service providers may access unsecured PHR identifiable
health information in the course of providing services, this does not
render the third party service provider a PHR related entity.
In response to commenters who expressed concern that certain data
recipients will not be able to understand their obligations under the
Rule because they are unaware of the content of the data transmissions
they receive, the Commission highlights Sec. 318.3(b), which states:
``For purposes of ensuring implementation of this requirement, vendors
of personal health records and PHR related entities shall notify third
party service providers of their status as vendors of personal health
records or PHR related entities subject to this Part.'' This
requirement puts data recipients on notice about the potential content
of the data transmissions they receive.
Firms may also facilitate compliance by stipulating by contract
whether transmissions of data will contain unsecured PHR identifiable
health information. Both the sender and recipient of the data can
monitor for compliance with those contractual agreements through the
use of automated tools, internal auditing, external auditing, or other
mechanisms, as appropriate to the size and sophistication of the firms
and the sensitivity of the data. For example, a large advertising
platform that has routinely received unsecured PHR identifiable health
information, notwithstanding partners' promises not to send this
information, may have different obligations to monitor the data it
receives than small firms that do not engage in high-risk activities
where the contract precludes sending such data and there is no history
of such transmissions.
The Commission believes this approach--notice to service providers
pursuant to Sec. 318.3(b) coupled with contracts and oversight--is
more appropriate than creating a safe harbor in the Rule that exempts
firms that enter into contracts, as there is evidence from FTC cases
that firms do not always abide by contractual obligations to safeguard
data.\201\
---------------------------------------------------------------------------
\201\ Compl. at ¶ 21, In the Matter of Flo Health, Inc., FTC
File No. 1923133 (Jan. 13, 2021), <a href="https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc">https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc</a>; Compl. at ¶ 14(d),
In the Matter of UPromise, Inc., FTC File No. 1023116 (Mar. 27,
2012), <a href="https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc">https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc</a>; Cf. Compl. at ¶ 40, U.S. v. Easy
Healthcare Corporation, No. 1:23-cv-3107 (N.D. Ill. 2023), <a href="https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v">https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v</a> (alleging that the defendant's
disclosures of consumers' health information violated the policies
of platforms to which it had agreed).
---------------------------------------------------------------------------
The Commission declines to change the definition of ``third party
service provider'' to distinguish it further from a ``PHR related
entity,'' for two reasons. First, the Commission notes the current
definitions of ``third party service provider'' and ``PHR related
entity'' align closely with the language prescribed by section 13407
and section 13424(b)(1)(A) of the Recovery Act. Jettisoning the current
language entirely, as some commenters suggested, would not be
consistent with the Recovery Act's requirements. Second, the Commission
believes the current language, in conjunction with the examples
provided below, will provide sufficient guidance to the market as to
which types of firms fit within each definition.
In response to comments that requested examples of the types of
firms that fall into the category of ``third party service provider''
or ``PHR related entity,'' the Commission provides the following
examples. The Commission believes these examples, in conjunction with
the language in Sec. 318.3(b), will provide sufficient clarity about
the obligations of third party service providers and PHR related
entities to promote compliance, avoid overlapping notice, and prevent
loopholes.
[[Page 47045]]
• Example 1: Four separate firms provide data security,
cloud computing, advertising and analytics services to a health app (a
personal health record), as specified by their service provider
contracts, for the health app vendor's benefit. To perform the services
specified in their respective contracts, the firms access unsecured PHR
identifiable health information. The firms are ``third party service
providers'' of the vendor of the personal health record (the maker of
the health app) because they provide services to a vendor of a personal
health record (the maker of the health app) in connection with the
offering or maintenance of the app, and they access unsecured PHR
identifiable health information as a result of these services. In the
event of a breach, they should abide by their obligations as third
party service providers.
• Example 2: An analytics firm provides analytics services
to a health app (a personal health record). The analytics firm and
health app vendor do not have a customized service provider contract,
although the health app vendor agrees to the analytics firm's standard
terms of service. The analytics firm accesses unsecured PHR
identifiable health information (device identifier and whether the
consumer has paid for therapy). The analytics firm uses that data both
to provide analytics services to the health app and for its own
benefit, for research and development and product improvement. The
analytics firm is a third party service provider to the extent that it
provides analytics services to the health app for the health app's
benefit because it is then providing services to a vendor of a PHR in
connection with the offering of the PHR and accessing unsecured PHR
identifiable health information as a result of such services. However,
the analytics firm is a PHR related entity, rather than a third party
service provider, to the extent that it offers its services through the
health app for its own purposes (i.e., for research and development and
product improvement) rather than to provide the services. In the event
of a breach, the analytics firm must fulfill its notification
obligations under the Rule according to which function it was
performing in connection with the breach. If the functions are
indistinguishable, then, pursuant to Sec. 318.3(b), the Commission
will consider the firm a third party service provider for policy
reasons: a firm that functions, at least in part, as a service provider
may not be consumer-facing, such that the consumer may be surprised by
a breach notification from that entity. As a policy matter, it is
better for the consumer to receive notice from the health app with whom
the consumer directly interacts.
• Example 3: A health tracking website (a personal health
record) integrates a search bar branded with its maker's logo, which
enables its maker (a search engine firm) to offer its services through
the website. The search engine firm is a PHR related entity because it
offers its services through the website, which is a personal health
record. The search bar branded with its maker's logo is consumer-
facing, so the consumer would not be surprised to receive a notice from
that company if it experiences a reportable breach. By contrast, if the
health tracking website had contracted with the search engine firm to
provide back-end search services to the website (rather than offering
its own branded product or service through the website), and the search
engine firm had accessed unsecured PHR identifiable health information
as a result of such services, it would be a third party service
provider. In the event of a breach, it should abide by its obligations
as a third party service provider.
• Example 4: Digital readings from a fitness tracker offered
by Company A can be integrated into a sleep app offered by Company B
(in which the consumer may input other health information). Company A
is a PHR related entity to the extent that it offers its fitness
tracker product through an online service (Company B's sleep app), and
to the extent that it sends unsecured PHR identifiable health
information (fitness tracker readings) to a personal health record (the
sleep app).
E. Facilitating Greater Opportunity for Electronic Notice
1. The Commission's Proposal Regarding Electronic Notice
The Commission proposed to authorize expanded use of email and
other electronic means of providing clear and effective notice of a
breach to consumers. In furtherance of this objective, the Commission
proposed to update Sec. 318.5 to specify that vendors of personal
health records or PHR related entities that discover a breach of
security must provide written notice at the last known contact
information of the individual. Such written notice may be sent by
electronic mail, if an individual has specified electronic mail as the
primary contact method, or by first-class mail. The Commission proposed
defining ``electronic mail'' in Sec. 318.2 to mean email in
combination with one or more of the following: text message, within-
application messaging, or electronic banner. The Commission further
specified that any notification delivered via electronic mail should be
clear and conspicuous, and the proposed Rule defined ``clear and
conspicuous.'' To assist entities that are required to provide notice
to individuals under the Rule, the Commission developed a model notice
for entities to use to notify individuals.\202\
---------------------------------------------------------------------------
\202\ This model notice was attached as appendix A to the NPRM.
88 FR 37837.
---------------------------------------------------------------------------
2. Public Comments Regarding Electronic Notice
Nearly every comment submitted on this proposed change supported
the Commission's efforts to update the Rule to allow for greater
electronic notice.\203\ One commenter noted electronic notices increase
the likelihood that individuals will receive the notice, may reduce the
time it takes for individuals to receive notice, and reduce the burden
on entities providing notice.\204\ Many commenters also supported the
Commission's efforts to provide notice via more than one channel
through the new definition of ``electronic mail.'' \205\
---------------------------------------------------------------------------
\203\ AHIP at 5; AAFP at 3; AHIMA at 5; AHIOS at 3; Anonymous 3
at 1; Anonymous 10 at 1; Beth Barnett; CARIN Alliance at 7; CHI at
5-6; CHIME at 4; Consumer Reports at 8-9; CTA at 21; EPIC at 10;
HIMSS at 4; George Mathew at 1; MRO at 3; NAI at 7; Dharini
Padmanabhan at 1; Nancy Piwowar at 1. One commenter also stated
while there are clear advantages to allowing increased use of
electronic notification of data breaches, this notification method
could also increase the likelihood that breaches escape public
scrutiny. Identity Theft Res. Ctr. (``ITRC'') at 2.
\204\ AdvaMed at 5.
\205\ AAFP at 3; AHIMA at 5; Anonymous 3 at 1; CARIN Alliance at
7; CHIME at 4; CCIA at 7; EPIC at 10; NAI at 7.
---------------------------------------------------------------------------
However, not all commenters agreed with the Commission's proposal
and some commenters offered other suggestions. Some objected to
defining ``electronic mail'' to mean anything more than ``email,''
stating that electronic mail is commonly understood to mean email and
nothing else.\206\ A few commenters noted that defining multiple forms
of electronic notice could result in entities collecting more
information than necessary (and consumers having to provide more
information than needed) in order to comply with the Rule.\207\ Others
preferred a single notice, arguing that multiple forms of notice are
burdensome
[[Page 47046]]
and could result in over-notification, confusion, and notice fatigue
among consumers.\208\ One commenter stated the Commission should revise
the definition of ``electronic mail'' to mean ``one or more of the
following that is reasonable and appropriate based on the relationship
between the individual and the relevant vendor of personal health
records or PHR related entity: email, text message, within-application
messaging, or electronic banner.'' \209\ Another commenter encouraged
the FTC to clarify the in-app messaging method must include push
notifications in the event of a breach so consumers are made aware of a
breach as soon as possible.\210\ One commenter urged the Commission to
specify in Sec. 318.5(i) that a banner notice in the affected app or a
website home page notice must be posted for a period of 90 days.\211\
Another commenter noted that the different mechanisms listed in the
proposed rule are not equivalent--this commenter noted that some are
push notifications that a consumer is likely to see without directly
interacting with the application, website, or device and some require
consumer interaction with the application, website, or device in order
to see the notification.\212\ This commenter recommended that the
requirement be selection of one push notification but that additional
options like in-app notifications and website banners be supported as
additional, secondary notice options.\213\ One commenter stated the FTC
may want to consider adding a provision allowing an individual to
request a copy of the notice in other accessible formats, such as for
hearing- or vision-impaired people, or in a non-English language.\214\
Another commenter argued the Commission should take into consideration
TCPA and CAN-SPAM compliance regarding the delivery of electronic
notification. Another commenter stated the Commission's proposal to
require two contact methods imposes a higher requirement than HIPAA and
State breach notification laws.\215\
---------------------------------------------------------------------------
\206\ ACLA at 5; Mass. Health Data Forum (``MHDF'') at 9.
\207\ Consumer Rep.'s at 7-8; CTA at 22. Consumer Reports
further suggested the Commission clarify that substitute notice may
be effectuated under the Rule via text message, in-app messaging, or
electronic banners for consumers that do not wish to share a mailing
or email address. Consumer Rep.'s at 8.
\208\ AdvaMed at 6; ACLA at 5; AHIP at 5; CTA at 21-22.
\209\ AdvaMed at 6.
\210\ AHIMA at 5.
\211\ TechNet at 5.
\212\ MHDF at 10.
\213\ Id.
\214\ AHIP at 5.
\215\ CHI at 6.
---------------------------------------------------------------------------
Many commenters endorsed the Commission's proposal that any
notification delivered via electronic mail should be ``clear and
conspicuous,'' a newly defined term in the Rule.\216\ One commenter
stated that consistent with FTC's desire for entities to provide a
clear and conspicuous notice, the Commission should consider requiring
an email subject line that starts with ``Breach of Your Health
Information'' so that attention is appropriately drawn to the
importance of the message content.\217\ One commenter disagreed with
the new definition, arguing that the definition is unnecessary and
confusing, and urged the Commission to insert the ``clear and
conspicuous'' definition directly into Sec. 318.5 of the Rule.\218\
---------------------------------------------------------------------------
\216\ AMA at 5; CHIME at 5; EPIC at 9.
\217\ TMA at 4.
\218\ NAI at 7.
---------------------------------------------------------------------------
Regarding the model notice, nearly all who commented on this topic
urged the Commission to make the model notice voluntary.\219\ One
commenter suggested that using the model should be a safe harbor that
shields entities from enforcement.\220\
---------------------------------------------------------------------------
\219\ AdvaMed at 6; AHIP at 6; AMA at 6; CCIA at 7; CHI at 6;
Consumer Rep.'s at 8-9; NAI at 7-8. One commenter stated that making
the model notice mandatory can lead to industry consistency and it
may be easier for consumers to understand the message and the
contents if they are familiar with a uniform, standardized notice.
AHIMA at 5. While the Commission generally agrees that uniform,
consistent notices assist with consumer comprehension, the
Commission declines to make the model notice compulsory because the
facts and circumstances of each breach will vary. Plus, Sec. 318.6
sets forth certain required elements of the content of the notice,
so the presence of these elements in all breach notices achieves
some degree of consistency across notices.
\220\ AHIP at 6.
---------------------------------------------------------------------------
3. The Commission Adopts the Proposed Changes Regarding Electronic
Notice
The Commission adopts without change the modifications regarding
Sec. 318.5 involving electronic notice and adopts without change the
definition of ``electronic mail'' in Sec. 318.2. The Commission
declines to make the other changes commenters requested. First, the
Commission believes it is critical, especially given how consumers are
accessing information today, to modernize the methods of notice to
facilitate greater opportunities for electronic notice. The Commission
believes the changes to Sec. 318.5 and the new definition of
``electronic mail'' \221\ in Sec. 318.2 accomplish this objective.
---------------------------------------------------------------------------
\221\ The Commission disagrees with the commenters who urged the
Commission to avoid defining ``electronic mail'' to mean anything
more than ``email.'' ACLA at 5; MHDF at 9. The definition in Sec.
318.2 is clear and unambiguous. Plus, section 13402(e)(1) of the
Recovery Act requires that notification be provided via ``written
notification by first-class mail'' or ``electronic mail.''
Accordingly, the Commission must use ``electronic mail.''
---------------------------------------------------------------------------
In response to concerns raised about the two-part electronic
notice, the Commission agrees with commenters who stated it increases
the likelihood that individuals will encounter such notices.\222\ The
Commission does not agree that it is burdensome for entities to comply
with this requirement. For example, an entity who complies with the
notice requirement by notifying consumers via email plus posting a
website notice likely would not need to expend significant additional
time and resources by issuing the second part of the notice (i.e., the
website notice), and any ``cost'' of posting such a notice is
outweighed by the benefit to consumers of learning of a breach
involving their health information. The Commission also is not
persuaded that consumers who, for example, receive an email about a
breach coupled with an in-app notice about the same breach will be
confused. The Commission believes consumers will understand that such
notices relate to the same incident, especially given the Rule's
requirement that the notices be ``clear and conspicuous.'' The
Commission also does not find it problematic that the Rule requires
notice effectuated via ``electronic mail'' to occur via two methods
while other breach notice laws require one method. The Commission also
notes while these amendments are intended to facilitate greater
electronic notice, the Rule still permits notice via first-class mail.
Accordingly, the contention that this Rule requires two methods of
electronic notice is incorrect.
---------------------------------------------------------------------------
\222\ AAFP at 3-4 (noting AAFP appreciates ``the proposed
structure of providing notice in two different electronic formats to
increase the likelihood individuals will see them''); CHIME at 5
(``CHIME is supportive of the FTC's approach to revise the ``method
of notice section'' and to structure the breach notification in two
parts in order to increase the likelihood that consumers encounter
the notice.''); EPIC at 10 (``By requiring email and an in-app or
website notice option, the expanded definition enables entities to
have the best chance at notifying consumers regardless of whether
they reliably check their email or continue to use the entity's app
or website.''). The Commission also disagrees with the commenter who
recommended that the Commission abandon the two-part notice and
create a new definition of ``electronic mail'' where, for example,
only a website notice alone would satisfy the notice requirement if
such a notice was ``reasonable and appropriate.'' AdvaMed at 6. The
Commission disagrees with this approach and declines to adopt it.
---------------------------------------------------------------------------
The Commission also declines, in response to public comments,\223\
to mandate how notifications are effectuated when sent via ``electronic
mail,'' as the Commission believes it is important to not be overly
prescriptive given rapidly changing technologies.
[[Page 47047]]
The Commission emphasizes though, as described below, that the notice
must satisfy the Rule's definition of ``clear and conspicuous.''
---------------------------------------------------------------------------
\223\ See supra notes 210-213.
---------------------------------------------------------------------------
Nor does the Commission believe, as some commenters argued, the
two-part electronic notification will result in additional collections
of information by notifying entities. The Commission agrees with
commenters who stated entities are generally already collecting the
information needed for notice via ``electronic mail'' and a data
minimization issue does not exist.\224\
---------------------------------------------------------------------------
\224\ CARIN Alliance at 6; EPIC at 10.
---------------------------------------------------------------------------
In response to the commenter who suggested the FTC consider adding
a provision allowing an individual to request a copy of the notice in
other accessible formats, such as for hearing- or vision-impaired
people, or in non-English languages,\225\ the Commission previously
addressed a similar comment in the 2009 Rule Commentary. There, the
Commission noted that section 13402(e)(1) of the Recovery Act requires
that notification be provided via ``written notification by first-class
mail'' or ``electronic mail.'' The Commission emphasized then, as we do
today, that the Rule does not preclude notifications in accessible
formats. The Commission supports their use in appropriate
circumstances, in addition to the forms of notice prescribed by the
Rule.\226\
---------------------------------------------------------------------------
\225\ See supra note 214.
\226\ 74 FR 42972.
---------------------------------------------------------------------------
The Commission also adopts without modification the definition of
``clear and conspicuous.'' The Commission agrees with the commenter who
indicated it is imperative that a breach notice be reasonably
understandable and call attention to the significance of the
information that is included in the notice.\227\ The Commission
believes its definition of ``clear and conspicuous'' will assist in
achieving this objective. The Commission declines, however, to mandate
specific language for the email subject line to satisfy the Rule's
``clear and conspicuous'' requirement, as one commenter had
suggested.\228\ The Commission emphasizes, however, that the clear and
conspicuous requirement would require a notifying entity to use an
email subject line that draws the reader's attention to the email
notice. The Commission also declines to adopt the suggestion that the
definition of ``clear and conspicuous'' be incorporated directly into
Sec. 318.5. The Commission believes the entities seeking information
on what ``clear and conspicuous'' means will find it clearer to consult
the definition in Sec. 318.2.
---------------------------------------------------------------------------
\227\ AMA at 5.
\228\ See supra note 217.
---------------------------------------------------------------------------
Turning to the model notice,\229\ as the Commission noted in the
NPRM, the model was intended for entities to use, in their discretion,
to notify individuals, and the Commission adopts the same position
here.\230\ The model is voluntary and while the Commission believes it
represents a best practice, using the model is not required to achieve
compliance with the Rule.
---------------------------------------------------------------------------
\229\ The model notice is found in appendix A.
\230\ 88 FR 37827.
---------------------------------------------------------------------------
The Commission declines to adopt the position that use of the model
notice provides a safe harbor, although the Commission would take into
consideration in an enforcement action an entity who follows the model
notice. Further, the Commission notes an entity who follows the model
notice can nevertheless violate the Rule in other ways. For example, an
entity could follow the model notice but fail to provide timely notice.
In such instances, providing a safe harbor because the entity utilized
the model notice would be inappropriate.
F. Revisions to the Required Content of Notice
1. The Commission's Proposal Regarding Content of Notice
The Commission proposed five changes to the content of the notice.
First, in Sec. 318.6(a), as part of relaying what happened regarding
the breach, the Commission proposed the notice to individuals also
include a brief description of the potential harm that may result from
the breach, such as medical or other identity theft. Second, the
Commission proposed to amend the requirements for the notice under
Sec. 318.6(a) to include the full name, website, and contact
information (such as a public email address or phone number) of any
third parties that acquired unsecured PHR identifiable health
information as a result of a breach of security, if this information is
known to the vendor of personal health records or PHR related entity
(such as where the breach resulted from disclosures of users' sensitive
health information without authorization). Third, the Commission
proposed modifications to Sec. 318.6(b), which requires that the
notice include a description of the types of unsecured PHR identifiable
health information that were involved in the breach. The Commission
proposed this exemplar list be expanded to include additional types of
PHR identifiable health information, such as health diagnosis or
condition, lab results, medications, other treatment information, the
individual's use of a health-related mobile application, and device
identifier. Fourth, the Commission proposed revising Sec. 318.6(d) of
the Rule to require the notice to individuals include additional
information providing a brief description of what the entity that
experienced the breach is doing to protect affected individuals, such
as offering credit monitoring or other services. Fifth, the Commission
proposed modifying Sec. 318.6(e) so the contact procedures specified
by the notifying entity must include two or more of the following:
toll-free telephone number; email address; website; within-application;
or postal address.
2. Public Comments Regarding Content of Notice
a. Proposal That Notice Include Description of Potential Harm That May
Result From a Breach
The Commission's proposal to modify Sec. 318.6(a) to include in
the notice to individuals a brief description of the potential harm
that may result from a breach drew a wide range of comments. On the one
hand, many commenters supported the Commission's proposal.\231\ For
example, one commenter noted this proposal would help individuals
better understand the connection between the information breached and
the potential harm that could result from the breach of such
information.\232\ Other commenters stated that providing the potential
harms from a breach better equips consumers to address injuries and
mitigate harms from it.\233\ One commenter stated including some
potential harms would be helpful, but notifying entities should also
include language in the notice stating that other harms may occur.\234\
This same commenter suggested the Commission consider selecting the
most common types of breaches and listing some but not all of the
potential consequences from each.\235\
---------------------------------------------------------------------------
\231\ AAFP at 4; AMA at 6; AOA at 5; Anonymous 3; AHIOS at 3;
CARIN Alliance at 7-8; CHIME at 3, 6; Consumer Reports at 9-10; EFF
at 2; EPIC at 10-11; HIMSS at 3-4; ITRC at 2; Members of the House
of Representatives at 1-2; Dharini Padmanabhan at 1.
\232\ AMA at 6.
\233\ Consumer Rep.'s at 9-10; EPIC at 10-11.
\234\ MHDF at 10-11.
\235\ Id.
---------------------------------------------------------------------------
On the other hand, many commenters criticized this proposal.\236\
Some
[[Page 47048]]
commenters argued this proposal will result in notifying entities
having to speculate about potential harms that may never occur or
providing a list of harms that may be incomplete.\237\ Others pointed
out that notifying individuals about potential harms could cause
consumer anxiety, consumer confusion, and detract from actions the
individuals should take.\238\ One commenter noted the Commission's
proposal might lead consumers to believe the harms listed in the notice
are the only possible harms from a breach, when in fact consumers may
suffer other harms not disclosed in the notice.\239\ This same
commenter also noted it is opposed to entities stating there are no
known harms that may result from a breach solely because a notifying
entity is unaware of any specific bad outcomes.\240\
---------------------------------------------------------------------------
\236\ AdvaMed at 6-7; AHIP at 6; ACLA at 4-5; Confidentiality
Coal. at 7; CTA at 23-24; MHDF at 10; NAI at 9.
\237\ AdvaMed at 6-7; AHIP at 6; MHDF at 10; NAI at 9.
\238\ ACLA at 4-5; AMIA at 5; NAI at 9.
\239\ MHDF at 10.
\240\ Id. at 10-11.
---------------------------------------------------------------------------
b. Proposal That Notice Include Full Name, Website and Contact
Information of Third Parties That Acquired Unsecured PHR Identifiable
Health Information
Next, the Commission proposed to amend the requirements for the
notice under Sec. 318.6(a) to include the full name, website, and
contact information (such as a public email address or phone number) of
any third parties that acquired unsecured PHR identifiable health
information as a result of a breach of security. Although several
commenters supported this proposal,\241\ many others pointed out it is
problematic in certain circumstances.\242\ A few commenters noted the
proposal is ill-suited for security breaches, such as a hacking, where
providing consumers with the name and contact information of an actor
who committed a security breach (e.g., a hacker) could result in
further malicious action against the target entity.\243\ One commenter
noted for security breaches, the malicious actor or hacker would not be
responsive to consumers.\244\ Further, one commenter noted this
requirement could hamper law enforcement efforts.\245\ One commenter
also indicated this requirement could frustrate investigative efforts
or have a chilling effect on an inadvertent recipient from reporting a
wrongful disclosure.\246\
---------------------------------------------------------------------------
\241\ AAFP at 4; AHIMA at 5-6; AMA at 6; AMIA at 5; AOA at 5;
CARIN Alliance at 7; Consumer Rep.'s at 9-10; EFF at 2; EPIC at 10-
11; HIMSS at 3-4; ITRC at 2; Members of the House of Representatives
at 1-2.
\242\ ACLA at 4-5; AHIP at 6; CHI at 6; Confidentiality
Coalition at 7; CTA at 24.
\243\ ACLA at 4-5; Confidentiality Coal. at 7.
\244\ Confidentiality Coal. at 7.
\245\ CTA at 24.
\246\ AHIP at 6.
---------------------------------------------------------------------------
c. Proposal That Notice Include Description of Types of Unsecured PHR
Identifiable Health Information Involved in a Breach
Third, the Commission proposed modifications to Sec. 318.6(b),
which requires the notice to individuals include a description of the
types of unsecured PHR identifiable health information that were
involved in the breach. The Commission proposed this exemplar list be
expanded to include additional types of PHR identifiable health
information, such as health diagnosis or condition, lab results,
medications, other treatment information, the individual's use of a
health-related mobile application, and device identifier. Several
commenters supported this proposal.\247\ One commenter noted it is
important for consumers to receive notice of the specific types of PHR
identifiable health information involved in a breach, given that the
exposure of health information can lead to a wide spectrum of
harms.\248\ Another commenter stated providing individuals with a more
expansive list of exposed data points will also give them a more
complete picture of the risks they face.\249\
---------------------------------------------------------------------------
\247\ AAFP at 4; AHIMA at 6; AMA at 6; AOA at 5; CARIN Alliance
at 7; Consumer Rep.'s at 9-10; Ella Balasa at 2; HIMSS at 3-4; ITRC
at 2; NAI at 9.
\248\ Light Collective at 2.
\249\ ITRC at 2.
---------------------------------------------------------------------------
d. Proposal That Notice Include Description of What Entity Is Doing To
Protect Affected Individuals
Fourth, the Commission proposed revising Sec. 318.6(d) of the Rule
to require that the notice to individuals include additional
information providing a brief description of what the entity that
experienced the breach is doing to protect affected individuals, such
as offering credit monitoring or other services. This proposal
attracted support from multiple commenters.\250\ One commenter stated
that informing individuals about these steps is important so that they
know what additional actions they should take to protect themselves
from potential harm.\251\ Another similarly stated that knowing what
the notifying entity is doing to protect affected individuals can help
consumers who are considering making purchase decisions for fraud
detection or credit monitoring.\252\ One commenter stated that
requiring notifying entities to share this information will incentivize
them to take proactive measures to mitigate harms to consumers.\253\
---------------------------------------------------------------------------
\250\ AAFP at 4; AMA at 6; AOA at 4; CARIN Alliance at 7-8;
HIMSS at 3-4; ITRC at 2.
\251\ AMA at 6.
\252\ AHIMA at 5-6.
\253\ Consumer Rep.'s at 9-10.
---------------------------------------------------------------------------
Some commenters, however, raised concerns about this proposal. For
instance, one commenter believed the Rule already encompasses this
requirement and therefore the Commission's proposal could result in
duplicative information being provided in the notice.\254\ Another
commenter stated the FTC needs to go further in ensuring that
notification requirements help consumers understand what remedies are
available when their health information is breached.\255\
---------------------------------------------------------------------------
\254\ Confidentiality Coal. at 7.
\255\ Light Collective at 6-7.
---------------------------------------------------------------------------
e. Proposal That Notice Include Two or More Contact Procedures
Fifth, the Commission proposed amendments to Sec. 318.6(e) so the
contact procedures specified by the notifying entity in its breach
notification must include two or more of the following: toll-free
telephone number; email address; website; within-application; or postal
address. Many commenters expressed support for this proposal.\256\ One
commenter noted multiple contact options ensures that victims of all
backgrounds and technical capabilities are able to contact the
notifying entity to learn more about how to protect themselves after a
breach.\257\ Another commenter noted that providing multiple contact
options encourages and facilitates communication between the individual
and the notifying entity.\258\ One commenter, however, expressed
concern the proposal is burdensome, the HIPAA breach notice rule
requires only one method of contact, and HHS has not identified any
concerns with individuals having difficulty obtaining information from
covered entities using one contact method under HIPAA's breach notice
rule.\259\
---------------------------------------------------------------------------
\256\ AAFP at 4; AHIMA at 6; AHIP at 5; Anonymous 3 at 1; AOA at
5; CARIN Alliance at 8; Consumer Rep.'s at 9-10; EPIC at 9-10; HIMSS
at 3-4; ITRC at 2; Dharini Padmanabhan at 1.
\257\ AHIMA at 6.
\258\ AMA at 6.
\259\ AdvaMed at 6-7.
---------------------------------------------------------------------------
[[Page 47049]]
3. The Commission Changes Regarding Content of Notice
a. The Commission Declines To Adopt Proposal That Notice Include
Description of Potential Harm That May Result From a Breach
The Commission believes, in light of the public comments, that the
downsides of requiring in the notice a description of the potential
harms that may result from a breach outweigh the upsides. The
Commission is concerned about requiring a consumer notice to include
possible harms that may never materialize. In such cases, consumers may
experience needless anxiety and take actions that are not necessary,
leading to consumer frustration. The Commission also is concerned this
proposal may result in entities describing potential harms so
generically that the description provides minimal value to consumers,
or, alternatively, that entities will provide a laundry list of
potential harms, making such a list meaningless to consumers. The
Commission also agrees with one commenter who noted this proposal might
lead consumers to believe the harms listed in the notice are the only
possible harms from a breach, when in fact consumers may suffer other
harms not disclosed in the notice.\260\
---------------------------------------------------------------------------
\260\ MHDF at 10.
---------------------------------------------------------------------------
Accordingly, the Commission declines to adopt this proposal.\261\
The Commission believes the remaining elements of the content of the
notice will supply individuals with sufficient information about a
breach, especially given the other modifications to Sec. 318.6. The
Commission also emphasizes in certain cases where harms are concrete
and known, notifying entities should as a best practice inform
individuals about those harms in the notice.
---------------------------------------------------------------------------
\261\ The Commission has updated the model notice in appendix A
to reflect this change.
---------------------------------------------------------------------------
b. The Commission Modifies Proposal That Notice Include Full Name,
Website, and Contact Information of Third Parties That Acquired
Unsecured PHR Identifiable Health Information
In light of the public comments, the Commission is modifying Sec.
318.6(a) to require notifying entities to provide the full name or
identity (or where providing name or identity would pose a risk to
individuals or the entity providing notice, a description) of the third
parties that acquired the PHR identifiable health information as a
result of a breach of security.\262\ The Commission believes it is
important for consumers to know who acquired their PHR identifiable
health information as a result of a breach. At the same time, the
Commission acknowledges in some scenarios it could be problematic to
require notifying entities to provide the contact information of those
who acquired PHR identifiable health information.
---------------------------------------------------------------------------
\262\ The Commission has updated the model notice in appendix A
to reflect this change.
---------------------------------------------------------------------------
Accordingly, this revised provision is intended to still provide
individuals with information about who acquired their health
information. Under Sec. 318.6(a), notifying entities are required to
provide the full name or identity of the third parties that acquired
the PHR identifiable health information as a result of a breach of
security, except where providing the full name or identity of the third
parties would pose a risk to affected individuals or the entity
providing notice. In cases where providing the name or identity of the
third parties that acquired the PHR identifiable health information as
a result of a breach of security would pose a risk to affected
individuals or the entity providing notice (e.g., providing the name of
a hacker could subject affected individuals or the entity providing
notice to further harm), Sec. 318.6(a) permits notifying entities to
describe the type of third party (e.g., hacker) who acquired
individuals' PHR identifiable health information.
c. The Commission Adopts Proposal That Notice Include Description of
Types of Unsecured PHR Identifiable Health Information Involved in a
Breach
The Commission agrees with the many public comments supporting this
proposal.\263\ The Commission concurs with the commenter who noted it
is important for consumers to receive notice of the specific types of
PHR identifiable health information involved in a breach,\264\ and the
commenter who stated that providing affected individuals with a more
expansive list of health data points implicated in a breach will help
them better understand the risks they face.\265\ The Commission adopts
this proposal without modification.
---------------------------------------------------------------------------
\263\ See supra note 247.
\264\ See supra note 248.
\265\ See supra note 249.
---------------------------------------------------------------------------
d. The Commission Adopts Proposal That Notice Include Description of
What Entity Is Doing To Protect Affected Individuals
Several commenters supported the Commission proposal that the
notice to individuals include a description of what the notifying
entity is doing to protect affected individuals.\266\ The Commission
concurs with the commenter who stated that informing affected
individuals about the steps notifying entities are taking to protect
them is important so that affected individuals know what additional
actions they should take to protect themselves from potential
harm.\267\ The Commission similarly agrees with the commenter who
stated that knowing what the notifying entity is doing to protect
affected individuals can help consumers who are considering making
purchase decisions like fraud detection or credit monitoring.\268\ The
Commission also agrees with the commenter who stated that requiring
notifying entities to share information about what they are doing to
protect affected individuals will incentivize notifying entities to
take proactive measures to mitigate harms to consumers.\269\
---------------------------------------------------------------------------
\266\ See supra note 250.
\267\ See supra note 251.
\268\ See supra note 252.
\269\ See supra note 253.
---------------------------------------------------------------------------
In response to the one commenter who noted the 2009 Rule already
includes this proposed requirement,\270\ the Commission notes Sec.
318.6(d) from the 2009 Rule requires notifying entities to include in
the notice to individuals what the entity is doing to investigate the
breach, to mitigate any losses, and to protect against any further
breaches. Accordingly, under the 2009 Rule, there is no explicit
requirement for the notifying entity to state in the individual notice
what the entity is doing to protect affected individuals. Given this,
the Commission does not believe individuals will receive duplicative
information.
---------------------------------------------------------------------------
\270\ See supra note 254.
---------------------------------------------------------------------------
In response to the commenter who argued the Commission needs to
help consumers understand post-breach remedies,\271\ the Commission
believes this concern is addressed by the combination of Sec.
318.6(c), which requires notifying entities to include in the notice
steps individuals should take to protect themselves from potential harm
resulting from the breach, and Sec. 318.6(d), which requires notifying
entities to include in the notice the steps the notifying entity is
taking to protect affected individuals following the breach.
---------------------------------------------------------------------------
\271\ See supra note 255.
---------------------------------------------------------------------------
The Commission adopts proposed Sec. 318.6(d) without modification.
e. The Commission Adopts Proposal That Notice Include Two or More
Contact Procedures
In response to the comment that providing two or more contact
procedures in the notice is burdensome,\272\ the Commission believes if
this proposal results in any burden to notifying entities, such burden
will be minimal given the ease with which compliance with this
provision can be achieved, and outweighed by the benefits to consumers
who will have increased options to communicate with notifying entities.
Second, in response to the comment that the HIPAA Breach Notification
Rule requires only one contact method,\273\ the Commission notes while
there are many similarities between the FTC's and HHS's respective
breach notification rules and the agencies have consulted to harmonize
the two rules, there are differences between them, and the Commission
believes it is important to update this provision to reflect new modes
of communication and facilitate greater opportunities for communication
between affected individuals and notifying entities.
---------------------------------------------------------------------------
\272\ See supra note 259.
\273\ Id.
---------------------------------------------------------------------------
The Commission notes multiple commenters supported this
proposal.\274\ Specifically, the Commission agrees with the commenter
who stated multiple contact procedures enable greater opportunities
for affected individuals to communicate with notifying entities.\275\
The Commission also agrees with the commenter who noted multiple
contact options ensure that affected individuals from all backgrounds
and technical capabilities are able to contact the notifying entity
following a breach.\276\ The Commission therefore adopts proposed Sec.
318.6(e) without modification.
---------------------------------------------------------------------------
\274\ See supra note 256.
\275\ See supra note 258.
\276\ See supra note 257.
---------------------------------------------------------------------------
G. Timing of Notice to the FTC
1. The Commission's Proposal Regarding Timing of Notice
Although the Commission did not propose any timing changes in the
NPRM, the Commission requested comments on several issues related to
timing, including the timing of the notification to the FTC. Regarding
the notification timeline to the FTC, the Commission sought comment on
whether it should extend the timeline to give entities more time to
investigate breaches and better ascertain the number of affected
individuals or whether an extension would simply facilitate dilatory
action and minimize the opportunity for an important dialogue with
Commission staff during the fact-gathering stage immediately following
a breach.
2. Public Comments Regarding Timing of Notice
Several commenters expressed support for extending the notification
timeline to the FTC.\277\ Commenters provided several reasons why the
existing requirement of notice to the FTC ``as soon as possible and in
no case later than ten business days following the date of discovery of
the breach'' for breaches involving 500 or more individuals should be
amended. For example, commenters noted that ten days does not provide
entities with sufficient time to adequately investigate incidents and
fully understand the facts, possibly leading to notices that may be
incomplete and require amendment or correction.\278\ Others commented
that the existing requirement diverts key resources from investigating
potential breaches, indicating when a breach is suspected or has been
discovered, the target entity's focus should be responding to the
incident, conducting a thorough investigation of what may have
occurred, and addressing and mitigating vulnerabilities to ensure
additional information is not compromised.\279\
---------------------------------------------------------------------------
\2