Health Breach Notification, 31085-31087 [2020-10263]

[Federal Register Volume 85, Number 100 (Friday, May 22, 2020)]
[Proposed Rules]
[Pages 31085-31087]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-10263]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 318


Health Breach Notification

AGENCY: Federal Trade Commission.

ACTION: Regulatory review; request for public comment.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') 
requests public comment on its Health Breach Notification Rule (the 
``HBN Rule'' or the ``Rule''). The Commission is soliciting comment as 
part of the FTC's systematic review of all current Commission 
regulations and guides.

DATES: Written comments must be received on or before August 20, 2020.

ADDRESSES: Interested parties may file a comment online or on paper by 
following the Request for Comment part of the SUPPLEMENTARY INFORMATION 
section below. Write ``Health Breach Notification Rule, 16 CFR part 
318, Project No. P205405,'' on your comment and file your comment 
online at https://www.regulations.gov by following the instructions on 
the web-based form. If you prefer to file your comment on paper, mail 
your comment to the following address: Federal Trade Commission, Office 
of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex B), 
Washington, DC 20580, or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 
20024.

FOR FURTHER INFORMATION CONTACT: Elisa Jillson (202-326-3001), Division 
of Privacy and Identity Protection, Bureau of Consumer Protection, 
Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 
20580.

SUPPLEMENTARY INFORMATION: 

I. Background

    The Commission typically reviews its rules every ten years to 
ensure that the rules have kept up with changes in the marketplace, 
technology, and business models.\1\ The Commission issued the HBN Rule 
in 2009, and companies were subject to enforcement beginning in 2010. 
The Commission now requests comment on the HBN Rule, including the 
costs and benefits of the Rule, and whether particular sections should 
be retained, eliminated, or modified. All interested persons are hereby 
given notice of the opportunity to submit written data, views, and 
arguments concerning the Rule.
---------------------------------------------------------------------------

    \1\ See current ten-year schedule for review of FTC rules and 
guides at 85 FR 20889 (Apr. 15, 2020).
---------------------------------------------------------------------------

    The HBN Rule, issued pursuant to section 13407 of the American 
Recovery and Reinvestment Act of 2009 (``Recovery Act'' or ``the 
Act''),\2\ became effective on August 25, 2009,\3\ and companies were 
subject to FTC enforcement beginning on February 22, 2010. Section 
13407 of the Recovery Act created certain protections for ``personal 
health records'' or ``PHRs,'' electronic records of identifiable health 
information that can be drawn from multiple sources and that are 
managed, shared, and controlled by or primarily for the individual. 
Specifically, the Recovery Act recognized that vendors of personal 
health records and PHR related entities (i.e., companies that offer 
products and services through PHR websites or access information in or 
send information to PHRs) were collecting consumers' health information 
but were not subject to the privacy and security requirements of the 
Health Insurance Portability and Accountability Act (``HIPAA'').\4\ The 
Recovery Act directed the FTC to issue a rule requiring these entities, 
and their third-party service providers, to provide notification of any 
breach of unsecured individually identifiable health information. 
Accordingly, the HBN Rule requires vendors of PHRs and PHR related 
entities to provide: (1) Notice to consumers whose unsecured 
individually identifiable health information has been breached; (2) 
notice to the media, in many cases; and (3) notice to the Commission. 
The Rule also requires third party service providers (i.e., those 
companies that provide services such as billing or data storage) to 
vendors of PHRs and PHR related entities to provide notification to 
such vendors and entities following the discovery of a breach.
---------------------------------------------------------------------------

    \2\ Public Law 111-5, 123 Stat. 115 (2009).
    \3\ 74 FR 42962 (Aug. 25, 2009).
    \4\ Health Insurance Portability & Accountability Act, Public 
Law 104-191, 110 Stat. 1936 (1996).
---------------------------------------------------------------------------

    The Rule requires notice ``without unreasonable delay and in no 
case later than 60 calendar days'' after discovery of a data breach. If 
the breach affects 500 or more individuals, notice to the FTC must be 
provided ``as soon as possible and in no case later than ten business 
days'' after discovery of the breach. The FTC makes available a 
standard form for companies to use to notify the Commission of a 
breach.\5\ The FTC posts a list of breaches involving 500 or more 
individuals on its website.\6\ This list only includes two breaches, 
because the Commission has predominantly received notices about 
breaches affecting fewer than 500 individuals.
---------------------------------------------------------------------------

    \5\ Notice of Breach of Health Information, https://www.ftc.gov/system/files/documents/plain-language/2017_5_2_breach_notification_form.pdf.
    \6\ Breach Notices Received by the FTC, https://www.ftc.gov/system/files/documents/plain-language/draft_breach_notices_received_by_ftc_2015.pdf.
---------------------------------------------------------------------------

    Importantly, the Rule does not apply to health information secured 
through technologies specified by the Department of Health and Human 
Services (``HHS'') and it does not apply to businesses or organizations 
covered by HIPAA. HIPAA-covered entities and

[[Page 31086]]

their ``business associates'' must instead comply with HHS's breach 
notification rule.\7\ The FTC has not had occasion to enforce its Rule 
because, as the PHR market has developed over the past decade, most PHR 
vendors, related entities, and service providers have been HIPAA-
covered entities or ``business associates'' subject to HHS's rule.\8\ 
However, as consumers turn towards direct-to-consumer technologies for 
health information and services (such as mobile health applications, 
virtual assistants, and platforms' health tools), more companies may be 
covered by the FTC's Rule.
---------------------------------------------------------------------------

    \7\ HIPAA Breach Notification Rule, 45 CFR 164.400-414, 
available at https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.
    \8\ Id.
---------------------------------------------------------------------------

II. Rule Review

    The Commission periodically reviews all of its rules and guides. 
These reviews seek information about the costs and benefits of the 
Commission's rules and guides and their regulatory and economic impact. 
The information obtained assists the Commission in identifying those 
rules and guides that warrant modification. Therefore, the Commission 
solicits comments on, among other things, the economic impact and 
benefits of the Rule; possible conflict between the Rule and state, 
local, or other federal laws or regulations; and the effect on the Rule 
of any technological, economic, or other industry changes.

III. Questions Regarding the HBN Rule

    The Commission invites members of the public to comment on any 
issues or concerns they believe are relevant or appropriate to the 
Commission's review of the HBN Rule, and to submit written data, views, 
facts, and arguments addressing the Rule. All comments should be filed 
as prescribed in the ADDRESSES section of this document, and must be 
received by August 20, 2020. If your comment proposes any modifications 
to the Rule, please also address whether your proposed modification may 
conflict with the statutory provisions of the Recovery Act and, if so, 
whether you propose seeking legislative changes to the Recovery Act. 
The Commission is particularly interested in comments addressing the 
following questions:

A. General Issues

    1. Is there a continuing need for specific provisions of the Rule? 
Why or why not?
    2. What benefits has the Rule provided to consumers? What evidence 
supports the asserted benefits?
    3. What modifications, if any, should be made to the Rule to 
increase the benefits to consumers?
    a. What evidence supports the proposed modifications?
    b. How would these modifications affect the costs the Rule imposes 
on businesses, including small businesses?
    4. What significant costs, if any, has the Rule imposed on 
consumers? What evidence supports the asserted costs?
    5. What modifications, if any, should be made to the Rule to reduce 
any costs imposed on consumers?
    a. What evidence supports the proposed modifications?
    b. How would these modifications affect the benefits provided by 
the Rule?
    6. What benefits, if any, has the Rule provided to businesses, 
including small businesses? What evidence supports the asserted 
benefits?
    7. What modifications, if any, should be made to the Rule to 
increase its benefits to businesses, including small businesses?
    a. What evidence supports the proposed modifications?
    b. How would these modifications affect the costs the Rule imposes 
on businesses, including small businesses?
    c. How would these modifications affect the benefits to consumers?
    8. What significant costs, if any, including costs of compliance, 
has the Rule imposed on businesses, including small businesses? What 
evidence supports the asserted costs?
    9. What modifications, if any, should be made to the Rule to reduce 
the costs imposed on businesses, including small businesses?
    a. What evidence supports the proposed modifications?
    b. How would these modifications affect the benefits the Rule 
provides to consumers?
    10. What evidence is available concerning the degree of industry 
compliance with the Rule?
    11. What modifications, if any, should be made to the Rule to 
account for changes in relevant technology, economic conditions, or 
laws? For example, as the healthcare industry adopts standardized 
application programming interfaces (``APIs'') to help individuals to 
access their electronic health information with smartphones and other 
mobile devices (as required by rules implementing the 21st Century 
Cures Act \9\), will the number of entities subject to the Commission's 
HBN Rule increase?
---------------------------------------------------------------------------

    \9\ 45 CFR parts 170 and 171.
---------------------------------------------------------------------------

    a. What evidence supports the proposed modifications?
    12. Are there modifications or changes the Commission should make 
to the Rule to address any developments in health care products or 
services related to COVID-19?
    13. Does the Rule overlap or conflict with other federal, state, or 
local laws or regulations? If so, how?
    a. What evidence supports the asserted conflicts?
    b. With reference to the asserted conflicts, should the Rule be 
modified? If so, why, and how? If not, why not?

B. Specific Issues

    1. What evidence exists that the Rule has resulted in under-
notification, over-notification, or an efficient level of notification?
    2. Section 318.1 provides that the Rule does not apply to HIPAA-
covered entities or to any other entity to the extent that it engages 
in activities as a business associate of a HIPAA-covered entity. Has 
this limitation helped to harmonize the Commission's HBN Rule with 
HHS's rule? Why or why not?
    3. Do the definitions set forth in Sec. 318.2 of the Rule 
accomplish the Recovery Act's goal of advancing the use of health 
information technology while strengthening the privacy and security 
protections for health information?
    4. Are the definitions in Sec. 318.2 clear and 
appropriate? If not, how can they be improved, consistent with the 
Act's requirements?
    5. Should the definition of ``PHR identifiable health information'' 
in Sec. 318.2(d) be modified in light of technological 
advances in methods of de-identification and re-identification? If so, 
how, consistent with the Act's requirements?
    6. Should the definitions of ``PHR related entity'' in Sec. 
318.2(f), ``Third party service provider'' in Sec. 318.2(h), or 
``Vendor of personal health records'' in Sec. 318.2(j) be modified 
in light of changing technological 
and economic conditions, such as the proliferation of mobile health 
applications (``apps''), virtual assistants offering health services, 
and platforms' health tools? If so, how, consistent with the Act's 
requirements?
    7. Section 318.4 sets out the timing requirements for notification. 
Are these requirements clear and appropriate? If not, how can they be 
improved, consistent with the Act's requirements?
    8. Section 318.5 sets out the requirements for the method of notice 
of a breach. Are these requirements clear and appropriate? Do 
technological changes, such as the increased use of 
in-app messaging, text messages, and platform messaging, warrant any 
changes to this section, consistent with the Act's requirements?
    9. Section 318.6 sets out the requirements for the content of 
notice of a breach. Are these requirements clear and appropriate? If 
not, how can they be improved, consistent with the Act's requirements?
    10. What are the implications (if any) for enforcement of the Rule 
raised by direct-to-consumer technologies and services such as mobile 
health apps, virtual assistants, and platforms' health tools?

IV. Instructions for Submitting Comments

    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before August 20, 2020. 
Please write ``Health Breach Notification Rule, 16 CFR part 318, 
Project No. P205405'' on the comment. Because of the public health 
emergency in response to the COVID-19 outbreak and the agency's 
heightened security screening, postal mail addressed to the Commission 
will be subject to delay. We strongly encourage you to submit your 
comment online through the https://www.regulations.gov website. To 
ensure the Commission considers your online comment, please follow the 
instructions on the web-based form provided by regulations.gov. Your 
comment, including your name and your state, will be placed on the 
public record of this proceeding, including the https://www.regulations.gov website.
    If you file your comment on paper, please write ``Health Breach 
Notification Rule, 16 CFR part 318, Project No. P205405'' on your 
comment and on the envelope, and mail your comment to the following 
address: Federal Trade Commission, Office of the Secretary, 600 
Pennsylvania Avenue NW, Suite CC-5610 (Annex B), Washington, DC 20580, 
or deliver your comment to the following address: Federal Trade 
Commission, Office of the Secretary, Constitution Center, 400 7th 
Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 20024.
    Because your comment will be placed on the public record, you are 
solely responsible for making sure that your comment does not include 
any sensitive or confidential information. In particular, your comment 
should not include any sensitive personal information, such as your or 
anyone else's Social Security number; date of birth; driver's license 
number or other state identification number, or foreign country 
equivalent; passport number; financial account number; or credit or 
debit card number. You are also solely responsible for making sure that 
your comment does not include any sensitive health information, such as 
medical records or other individually identifiable health information. 
In addition, your comment should not include any ``trade secret or any 
commercial or financial information which . . . . is privileged or 
confidential''--as provided by section 6(f) of the FTC Act, 15 U.S.C. 
46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)--including in 
particular competitively sensitive information such as costs, sales 
statistics, inventories, formulas, patterns, devices, manufacturing 
processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular, 
the written request for confidential treatment that accompanies the 
comment must include the factual and legal basis for the request, and 
must identify the specific portions of the comment to be withheld from 
the public record. Your comment will be kept confidential only if the 
General Counsel grants your request in accordance with the law and the 
public interest. Once your comment has been posted publicly at 
www.regulations.gov, we cannot redact or remove your comment unless you 
submit a confidentiality request that meets the requirements for such 
treatment under FTC Rule 4.9(c), and the General Counsel grants that 
request.
    Visit the Commission website at https://www.ftc.gov to read this 
document and the news release describing it. The FTC Act and other laws 
that the Commission administers permit the collection of public 
comments to consider and use in this proceeding as appropriate. The 
Commission will consider all timely and responsive public comments that 
it receives on or before August 20, 2020. For information on the 
Commission's privacy policy, including routine uses permitted by the 
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

    By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2020-10263 Filed 5-21-20; 8:45 am]
 BILLING CODE 6750-01-P