This article was co-authored with Shane M. Duer, associate at Nelson Mullins.
Although the HIPAA Privacy and Security rules became effective in 2003 and 2005, only in 2009 did Congress direct the U.S. Department of Health and Human Services to create the HIPAA Breach Notification Rule, which describes reporting obligations for HIPAA-covered entities and business associates who discover that they have impermissibly used or disclosed patients’ protected health information.
However, because HIPAA applies only to PHI maintained by covered entities and business associates, it does not protect all individually identifiable health-related information. Recognizing the need to safeguard health information outside the scope of HIPAA and to strengthen privacy and security protections for health information being processed by a growing number of personal health record (PHR) vendors and related companies, Congress separately directed the Federal Trade Commission to issue the Health Breach Notification Rule.
In 2009, a PHR was widely understood to be a patient-owned and -controlled repository of the patient’s health information, including records created by different providers and the patient. The rule defines a PHR as an electronic record of an individual’s “PHR identifiable health information [IHI] that can be drawn from multiple sources and is managed, shared and controlled by or primarily for the individual.”
The rule requires vendors of PHRs, PHR-related entities and third-party service providers (akin to business associates) to provide notification of any “breach of security” of PHR IHI, which occurs when a person’s PHR IHI is acquired without the individual’s authorization.
After discovering a breach, the vendor or entity must notify the FTC and each individual whose PHR IHI was acquired by an unauthorized person. Similar to the breach notification obligations of HIPAA business associates, third-party service providers must give notice of a security breach to the PHR vendor or related entity, including the identity of each customer whose unsecured PHR IHI was, or is reasonably believed to have been, acquired through the breach.
How and when to notify of a breach
The reporting time limits and notification methodologies generally mirror those of the HIPAA Breach Notification Rule. Under the rule, all breach notifications must be sent without unreasonable delay and in no case more than 60 days after the breach is discovered.
Written notice must be sent by first-class mail or email to each individual whose PHR IHI was acquired by an unauthorized person. If contact information for 10 or more individuals is out of date, the entity may provide substitute notice through a conspicuous posting on the home page of its website for 90 days or through a posting in major print or broadcast media. Substitute notice must include a toll-free phone number for individuals to call to determine if their PHR IHI was included in the breach.
Security breaches involving the PHR IHI of 500 or more individuals within a state or jurisdiction must be reported to the FTC within 10 business days – substantially shorter than HIPAA’s 60-day requirement – as well as to prominent media outlets serving the state or jurisdiction (no reporting period is specified).
If a breach involves the records of fewer than 500 people, entities may maintain a log of all such breaches during a calendar year and submit the log to the FTC within 60 days after the end of the year in which the breach occurred.
Potential impact of proposed changes
Unlike the HIPAA Breach Notification Rule, which has been enforced with increasing frequency since its inception, not a single enforcement action arose under the rule until February 2023. Three months later, in response to the ever-increasing prevalence of health and wellness mobile applications and direct-to-consumer health technologies, most of which are not subject to HIPAA, the FTC proposed numerous significant changes to the rule to clarify that it applies directly to such apps and technologies.
By creating new definitions and revising others, the proposed rule targets health and wellness technology companies operating outside of HIPAA and qualitatively expands the scope of what constitutes a PHR or a vendor of PHRs far beyond the original prototype of a PHR as a patient-controlled repository of health information. The following are significant features of the proposed rule.
Application to health apps and similar technologies not covered by HIPAA. The proposed rule adds a definition of “health care provider” to include an “entity furnishing health care services or supplies.”
Such services or supplies would include “any online service, such as a website, mobile application or Internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet or that provides other health-related services or tools.”
Under these new definitions, developers of health and wellness apps would be considered “health care providers,” thereby subjecting them to the rule and making them analogous to health care providers that are covered entities under HIPAA. Likewise, mobile health apps would be PHRs, and app developers would become PHR vendors. As a result, these entities would become subject to rule enforcement in the event of a security breach. Due to the broad definition of “health care services or supplies,” a much broader range of health-related information than PHI would be protected under the rule.
Scope of conduct that may be considered a “breach of security” is extraordinarily wide-ranging. As defined by the rule, a security breach is an acquisition of PHR IHI without the individual’s authorization. This is problematic because the FTC does not define what constitutes an individual’s authorization.
Unlike HIPAA – which specifies what uses and disclosures of PHI are permitted or required without authorization, the limited circumstances under which an individual’s authorization is required to use or disclose his or her PHI, and the required contents of an authorization – the proposed rule would require an individual’s authorization whenever the use of PHR IHI is inconsistent with “the entity’s disclosures and individuals’ reasonable expectations.”
Health technology companies are left to guess whether such authorizations must be memorialized in writing, require an individual to do more than click on a button indicating agreement, or contain electronic signatures; for how long such authorizations must be maintained; and whether the entities must enter into business-associate type agreements with or audit any third parties with whom they share PHR IHI to ensure PHR IHI is not being used in a manner inconsistent with the entity’s disclosures and individuals’ reasonable expectations.
Also unlike HIPAA, the proposed rule does not suggest de-identification of PHR IHI as a legitimate way to avoid a security breach, nor does it provide either exceptions to what constitutes a “breach of security” or a risk assessment framework to assist entities in determining whether an incident rises to the level of a reportable security breach.
Effect on tech companies and consumers
Before issuing the proposed rule, the FTC already had started to bring enforcement actions against developers of health apps and other entities under the rule. If finalized, the proposed rule changes would both remove any previous uncertainty about whether the rule applies to such entities and dramatically increase the likelihood that a use or disclosure of consumer health-related information for which specific individual authorization is not obtained will result in a security breach requiring notification and potentially resulting in enforcement activity.
At the same time, the FTC’s proposed updates create substantial uncertainty for health and wellness technology companies. Guidance on some or all of these concepts in a final rule likely would allow such companies to focus on identifying what health-related information they maintain and use and how to appropriately secure that information from improper uses or disclosures.
Absent such guidance, organizations covered by the rule may believe they are required to – and may – issue breach notifications in a broad range of circumstances where they reasonably should not be required. This could become expensive and time-consuming for subject entities and result in “breach fatigue” for consumers. In any event, companies that process consumer health information should see the proposed amendments as a warning of forthcoming increased enforcement.
Consumers, on the other hand, could feel more secure in sharing their health-related information with health and wellness technologies due to the increased regulatory scrutiny. Despite the potential for “breach fatigue,” an expanded rule combined with increased enforcement should lead to expanded consumer protections. Health technology companies and consumers alike will have to wait for the final rule, expected to be issued in the coming months, to better understand what enforcement will look like.
Trish Markus is a partner at Nelson Mullins. She represents healthcare providers and technology firms on regulatory compliance, reimbursement, licensure and operations, with a focus on privacy and security.