FTC Finalizes Health Breach Notification Rule (HBNR) Changes

Data Privacy, Laws & Regulations

In a move to bolster the protection of consumers’ sensitive health information, the Federal Trade Commission (FTC) recently announced the finalization of changes to the Health Breach Notification Rule (HBNR). These changes aim to modernize and fortify the rule, particularly in light of the evolving landscape of health technology, including health apps and connected devices.

The HBNR, originally established to govern vendors of personal health records (PHR) and related entities not covered by HIPAA, has undergone significant revisions to address emerging challenges in the digital health space. One of the key updates involves clarifying the rule’s applicability to health apps and similar technologies, ensuring that entities operating in this sphere adhere to stringent data protection standards.

The Director of the FTC’s Bureau of Consumer Protection emphasized the agency’s commitment to safeguarding consumers’ health data, especially given the proliferation of health-related applications and devices. The updated HBNR reflects the FTC’s effort to keep pace with the health marketplace while prioritizing consumer privacy and security. Biotechnology companies and healthtech startups, many of which handle health data without being HIPAA-covered entities, are among the gaps the updated rule is intended to close.

Following a period of public comment, during which the FTC received input from various stakeholders, the Commission finalized several crucial changes to the HBNR:

  1. Revised Definitions: Definitions within the rule have been revised to explicitly encompass health apps and similar technologies, expanding the scope of entities subject to its provisions.
  2. Clarification of Security Breach: The definition of a “breach of security” has been clarified to include an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure. In other words, sharing health data with a third party without the consumer’s authorization can be a reportable breach even when no system was compromised.
  3. Expanded Notification Requirements: Entities covered by the rule must now provide more detailed notices to consumers, including the identity of any third parties that acquired unsecured health information as a result of the breach.
  4. Enhanced Electronic Notification: The updated rule expressly permits electronic means, such as email, for notifying consumers of breaches, allowing quicker communication.
  5. Timing Modifications: For breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they notify affected individuals, and in any event without unreasonable delay and no later than 60 calendar days after discovery of the breach.
  6. Improved Readability: Changes have been made to improve the readability of the rule, promoting better understanding and compliance among stakeholders.

These amendments strengthen data protection requirements for health data that falls outside HIPAA, offering greater clarity and accountability in the event of a breach. By aligning the rule with the current state of health technology, the FTC aims to foster consumer trust while holding companies to a high standard of data security and privacy.

The final rule is set to take effect 60 days after its publication in the Federal Register, signaling a significant step forward in safeguarding the privacy and security of individuals’ health information in an increasingly digital age. View a copy of the finalized HBNR here. As companies navigate the complexities of the modern healthcare landscape, adherence to these regulations will be paramount to maintaining consumer trust and compliance with regulatory requirements. Check out our tips on complying with the updated HBNR.
