The recent announcement by the Federal Trade Commission (FTC) regarding the finalization of changes to the Health Breach Notification Rule (HBNR) underscores the importance of robust data protection measures, particularly for entities outside the purview of HIPAA. Here are some tips on how and why healthcare-adjacent and health-information companies need to adjust quickly (like yesterday) in order to be compliant with the HBNR. There is a sixty-day (60) grace period before it comes into effect, but sixty days might be enough to get your company’s regulatory side in order with these tips and HONOS’ Regulatory Readiness.
The FTC’s Recent Actions under the HBNR
The FTC has recently taken action against companies for violating the HBNR, including GoodRx and Easy Healthcare (publisher of the Premom app). Companies operating in the healthcare sector, such as health apps, personal health record vendors, and related entities, need to be aware that they are on the FTC’s radar. The FTC is actively taking action against non-compliant entities, indicating the necessity for affected companies to have a compliant system in place. Companies operating in the healthcare sector should also be mindful of potential FTC penalties, which can range from stringent orders preventing core app functions to fines of up to $100,000 or even higher, such as the $1.5 million penalty imposed on GoodRx for violating the HBNR. With the expanded scope of the rule now encompassing health apps and similar technologies, these companies face heightened compliance requirements and obligations, making it imperative for them to prioritize data privacy and security measures.
Tips to start upgrading compliance under the HBNR
Because the rule now covers health apps and similar technologies, companies handling personal health information (PHI) face heightened compliance requirements and obligations. Here are some key tips and action items for affected companies to ensure they adapt to these changes in the HBNR and remain compliant with FTC regulations:
- Review and Update Policies and Procedures: Conduct a thorough review of existing data protection policies and procedures to ensure alignment with the revised definitions and requirements outlined in the updated HBNR. Update internal protocols to reflect any changes and provide comprehensive guidance to employees on handling health data securely.
- Enhance Data Security Measures: Strengthen data security measures to mitigate the risk of unauthorized access or disclosure of PHI. Implement encryption, access controls, and monitoring systems to safeguard sensitive information from breaches and cyber threats.
- Revise Breach Notification Processes: Update breach notification processes to comply with the expanded notification requirements under the revised HBNR. Ensure timely and transparent communication with affected individuals, the FTC, and, where necessary, the media in the event of a security breach involving PHI.
- Educate Employees: Provide ongoing training and education to employees on data privacy and security best practices. Foster a culture of compliance within the organization by raising awareness of regulatory requirements and the importance of safeguarding health information.
- Implement Electronic Notification Systems: Adopt electronic notification systems, such as email or secure messaging platforms, to streamline the notification process and expedite communication with affected individuals. Ensure that these systems adhere to industry standards for data encryption and security.
- Partner with Compliance Experts: Seek guidance from compliance experts, such as HONOS, a data privacy and protection company specializing in regulatory compliance and risk management. Leverage their expertise to navigate the complexities of the updated HBNR and implement tailored solutions to address compliance challenges.
How HONOS Can Help
These tips for upgrading your company’s compliance with the updated HBNR are just that: tips. Your company needs better systems, improved teams, and the right partners to actually be compliant with the HBNR over the long term and avoid the FTC’s wrath. HONOS offers comprehensive solutions to assist companies in adapting to the regulatory changes introduced by the FTC’s updated HBNR.
The FTC’s tightening of regulations regarding health information not covered by HIPAA through their updated HBNR underscores the importance of prioritizing data privacy and protection in the healthcare sector. By taking proactive steps to enhance data security measures, revise breach notification processes, and collaborate with compliance experts like HONOS, companies can navigate these changes effectively and mitigate the risk of non-compliance.