Last week, the Federal Trade Commission (“FTC”) released two guidance documents to aid in compliance with its Health Breach Notification Rule (“the Rule”), which requires “vendors of personal health records” or “PHR related entities” to notify consumers, the FTC, and, sometimes the media, when they discover a breach of security of “unsecured” personal health record identifiable health information. Last year, the FTC released a policy statement, signaling its commitment to enforce the Rule and clarifying (and from the perspective of many, broadening) the types of entities that would come under the Rule’s purview.
This latest set of guidance reinforces that the FTC is increasing its attention on health apps and health data breaches in particular. Violations of the Rule are treated as unfair or deceptive acts or practices under the FTC Act and could lead to civil penalties of up to $46,517 per violation. Health app companies that offer products that may fall within this clarified and broadened definition of “personal health records” should be aware of the Rule’s requirements and take steps to comply in the event of a security incident.
Health Breach Notification Rule: The Basics for Business
The shorter of the guidance—“Health Breach Notification Rule: The Basics for Business”—provides a high-level overview of the Rule and the notification requirement. The guidance opens with a series of questions meant to highlight who the Rule likely covers, asking if your business has an app or website that holds consumers’ health information, or if you deal with health information while providing products or services to companies that offer products that hold this type of information. In both cases, you would likely be covered by the Rule. And notably, the guidance reiterates that the rule does not apply to entities covered by the Health Insurance Portability & Accountability Act (HIPAA), as these entities are governed by a separate breach notification rule.
Complying with FTC’s Health Breach Notification Rule
In its second guidance document—“Complying with FTC’s Health Breach Notification Rule”—the FTC offers a more comprehensive overview of how it will enforce the Rule, providing examples of the types of entities covered by the Rule and the types of events that would trigger a notification requirement; prescribing how to satisfy the notice requirement; and providing answers to questions that have been asked about the Rule.
Who Is Covered by the Rule: The Rule applies to “vendors” of “personal health records,” “PHR related entities,” and “third party service providers.” The Rule defines a “personal health record” as an “electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”
In the new guidance, the FTC provides examples to clarify what these terms encompass. For example, a “vendor of personal records” will likely include a health app that collects consumer information and syncs with a fitness tracker. Similarly, if a fitness tracker sends information to health apps, it will likely be a “PHR related entity.” And a company is covered by the Rule as a “third party service provider” if it provides services—such as billing, debt collection, or data storage services related to health information—to a vendor of personal health records.
What Triggers the Notification Requirement: Entities subject to the Rule must provide appropriate notice if a breach of security of unsecured PHR identifiable health information occurs—in other words, when that data has been acquired without the impacted individual’s authorization. And the recent FTC policy statement reiterated that a breach also extends to unauthorized access and doesn’t just entail cybersecurity intrusions.
The new guidance shows that the FTC will continue to view the trigger broadly. The Rule would likely be triggered, for instance, by the theft of an employee’s laptop with unsecured personal health records, or by an employee downloading personal health records without approval. Additionally, if the disclosed information could readily identify an individual consumer—even if names aren’t disclosed—it would be considered PHR identifiable health information. But if your breach only involves paper health records, or if a stolen company laptop only contains encrypted health records, the guidance assures you that you would not fall under the notification requirement.
What to do if a Breach Occurs: When a breach occurs, the Rule requires you to notify the affected people, the FTC, and in certain situations, (i.e., when the breach involves more than 500 residents of a particular state or territory) relevant media outlets in that location. The new guidance emphasizes that a company must notify affected persons within 60 calendar days, but that the notification must be made “without unreasonable delay.” In some situations, waiting to notify affected persons on the sixtieth day may constitute an unreasonably delay if the necessary information is collected before then.
The best practice is to find out from customers in advance if they would prefer to hear about a security breach by email or by first-class mail. A customer can only be notified by email if you give them an opportunity, through a clear and conspicuous option, to choose first-class mail notification instead. The FTC also suggests that if you only collect emails from customers, you should notify them that you intend to provide notice of security breaches via email. And if a customer prefers email notification, the FTC further suggests that you provide information on spam filters.
If you fail to contact 10 or more affected persons—even after having made reasonable efforts—the FTC requires substitute notice, either on your website home page or in major print or broadcast media. Notices to individuals should be easy to understand and should include: a) a brief description of the breach (including the date of the breach and date of discovery); the type of PHR identifiable health information involved; c) suggested steps people can take to protect themselves if the breach puts them at risk (note that the FTC has said that the advice must be relevant to the type of information that was compromised); d) a description of what you will do to investigate the breach, protect against future ones, and mitigate harm; and e) your contact information and procedures.
The FTC suggests that the notice include a referral to the FTC’s page within IdentityTheft.gov and lists other potential suggestions to give consumers depending on the type of breach; for example, if health insurance information has been breached, you should suggest that consumers contact their healthcare providers if their bills don’t arrive in a timely fashion, or suggest that consumers request a copy of their credit report if the breach included Social Security numbers.
Answers to Questions about the Health Breach Notification Rule
Most notably, the guidance clarifies that the Rule preempts contradictory state breach notification laws, but it doesn’t preempt state laws that impose additional, non-contradictory breach notification requirements. For example, the Rule would not preempt state laws that require notices to include advice on credit monitoring or information about consumer reporting agencies. The guidance also clarifies that if law enforcement officials determine that notification would be contrary to law enforcement goals (such as impeding an investigation or hurting national security), then the Rule allows companies to delay notification.
The questions and answers provided also explain that disclosure of pertinent information without consumer authorization will likely constitute a breach, including accidentally sending user health information to a social media platform, or having someone access a database without your consent. This broad interpretation of what constitutes a breach is consistent with the position the FTC took in the Policy Statement it released last September. The FTC also explained that HIPAA business associates that also provide personal health record services to the public might be subject to both the HHS and the FTC Rules.
We will continue to track developments concerning the Rule. Please reach out if you have any questions.