FTC Updates the Health Breach Notification Rule: Health-Related Websites & Mobile Apps Beware

Introduction

In 2009, the FTC passed the Health Breach Notification Rule (HBNR). You may not have been aware of the HBNR because it has rarely been used to penalize companies for breaches; however, in the last month, the FTC finalized updates to the HBNR which bring it front and center for health-related websites and mobile applications.

What Are the Updates?

In short, the changes to the HBNR make it clear that it applies to websites and mobile apps and, perhaps most importantly, to the disclosure of health-related information frequently gathered through the use of cookies and other tracking technologies.

The main changes to the HBNR include the following:

• Revised definitions: The Rule revised several definitions to clarify that the Rule applies to health apps and similar technologies not covered by HIPAA.
• Clarifying breach of security: The Rule clarifies that a “breach of security” includes not only unauthorized acquisition of identifiable health information that occurs as a result of a data security breach, but also unauthorized disclosures.
• Revised definition of PHR related entity: The revised definition makes it clear that the Rule covers entities that offer products and services through online services, including mobile applications.
• New timing requirements: Similar to HIPAA requirements, for breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they send notices to affected individuals, which must occur without unreasonable delay, and in no case later than 60 calendar days, after the discovery of a breach of security.

Conclusion

The revised HBNR makes it clear that health-related websites and apps have a bullseye on their backs. We have already seen class action lawsuits, many of them against HIPAA covered entities, alleging unlawful disclosure of PHI to Google and Meta through tracking technologies. The information gathered through these tracking technologies is then used for marketing and selling ad space.

The HBNR will provide fuel for plaintiffs’ attorneys to file more class action lawsuits against companies with health-related websites and apps alleging violations of the HBNR. The class actions we have seen so far, unfortunately, only represent the tip of the iceberg for the lawsuits to come.

Please reach out to our Data Privacy & Cybersecurity team with any questions regarding these changes.

Disclaimer

This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.