FTC Proposes Updates To The Health Breach Notification Rule For Health Apps And Consumer Health Technologies

Jones Day
Contributor
Jones Day is a global law firm with more than 2,500 lawyers across five continents. The Firm is distinguished by a singular tradition of client service; the mutual commitment to, and the seamless collaboration of, a true partnership; formidable legal talent across multiple disciplines and jurisdictions; and shared professional values that focus on client needs.
United States Food, Drugs, Healthcare, Life Sciences

On May 18, 2023, the Federal Trade Commission ("FTC") announced a Notice of Proposed Rulemaking ("Proposed Update") to amend the Health Breach Notification Rule ("HBNR"). The FTC seeks to amend the HBNR to clarify its application to health apps, fitness trackers, and other similar direct-to-consumer health technologies. The HBNR requires certain companies not covered by the Health Insurance Portability and Accountability Act ("HIPAA") that access personal health records to notify consumers and the FTC when there is a breach of that data.

According to the FTC, these amendments are needed due to the increased amount of health data collected from consumers and new technological developments and business practices (e.g., use of third-party marketing tracking technologies). Health apps, fitness watches, and other direct-to-consumer health technologies have become more common since the rule's issuance. In its Open Committee Meeting on May 18, 2023, the FTC underscored the importance of the HBNR in safeguarding the sensitive personal information collected by these consumer health technologies. Companies are likely to see amendments to the HBNR result in stepped-up enforcement.

The FTC is seeking comment on a number of specific proposed changes within the Proposed Update, including:

  • Revising definitions to clarify the rule's application to health apps and other direct-to-consumer health technologies not covered by HIPAA.
  • Clarifying that a security breach includes "an unauthorized acquisition" of identifiable health information that results from a disclosure without consumer consent.
  • Proposing the use of email and other electronic means to provide notice of a breach to consumers.
  • Expanding what information companies need to include in notices to consumers.

The deadline for submitting comments will be 60 days after the notice is published in the Federal Register.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
