FTC Health Breach Notification Final Rule
In August 2023, APA submitted a comment letter on the US Federal Trade Commission's (FTC) proposed amendments to the Commission's Health Breach Notification Rule (the "HBN Rule" or the "Rule"). The HBN Rule requires vendors of personal health records ("PHRs") and related entities that are not covered by the Health Insurance Portability and Accountability Act ("HIPAA") to notify affected individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data.
In the comment letter, APA applauded the FTC's efforts to increase consumer health data protections, including the proposal to broaden the definition of "health care services or supplies" to cover "wellness" data such as sleep, fitness, or diet information. APA advocated for expanding the definition of what constitutes user consent to privacy policies; for stronger privacy protections for people with lower digital literacy and people with significant mental health needs, supported by public awareness campaigns; and for establishing a framework for data privacy and security before a breach occurs rather than only after one.
In April 2024, the FTC finalized the HBN Rule, tightening the rules for digital health apps that share consumers' sensitive medical data with other entities. While the final rule aligns with much of APA's position on protecting patients' and consumers' personally identifiable health data, there is room for improvement on key components: the definition of privacy, what constitutes consent, greater effort on consumer education and transparency, and a clear definition of unfair or deceptive practices. APA will continue to work closely with members and to advocate for the rights of consumers and patients and the protection of their personally identifiable health information.