Health Breach Notification Rule, 37819-37839 [2023-12148]

Federal Register / Vol. 88, No. 111 / Friday, June 9, 2023 / Proposed Rules

FEDERAL TRADE COMMISSION

16 CFR Part 318

Health Breach Notification Rule

AGENCY: Federal Trade Commission.

ACTION: Notice of proposed rulemaking; request for public comment.

SUMMARY: The Federal Trade Commission ("FTC" or "Commission") proposes to amend the Commission's Health Breach Notification Rule (the "HBN Rule" or the "Rule") and requests public comment on the proposed changes. The HBN Rule requires vendors of personal health records ("PHRs") and related entities that are not covered by the Health Insurance Portability and Accountability Act ("HIPAA") to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. The amendments would: (1) clarify the Rule's scope, including its coverage of developers of many health applications ("apps"); (2) amend the definition of breach of security to clarify that a breach of security includes data security breaches and unauthorized disclosures; (3) revise the definition of PHR related entity; (4) clarify what it means for a vendor of personal health records to draw PHR identifiable health information from multiple sources; (5) modernize the method of notice; (6) expand the content of the notice; and (7) improve the Rule's readability by clarifying cross-references and adding statutory citations, consolidating notice and timing requirements, and articulating the penalties for noncompliance.

DATES: Written comments must be received on or before August 8, 2023.

ADDRESSES: Interested parties may file a comment online or on paper by following the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write "Health Breach Notification Rule, Project No. P205405" on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex H), Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT: Ryan Mehm, (202) 326–2918, Elisa Jillson, (202) 326–3001, Ronnie Solomon, (202) 326–2098, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

I. Background

Congress enacted the American Recovery and Reinvestment Act of 2009 ("Recovery Act" or "the Act"),[1] in part, to advance the use of health information technology and, at the same time, strengthen privacy and security protections for health information. Recognizing that certain entities that hold or interact with consumers' personal health records were not subject to the privacy and security requirements of HIPAA,[2] Congress created requirements for such entities to notify individuals, the Commission, and, in some cases, the media of the breach of unsecured identifiable health information from those records.

[1] American Recovery and Reinvestment Act of 2009, Public Law 111–5, 123 Stat. 115 (2009).
[2] Health Insurance Portability and Accountability Act, Public Law 104–191, 110 Stat. 1936 (1996).
Specifically, section 13407 of the Recovery Act created certain protections for "personal health records" or "PHRs,"[3] electronic records of PHR identifiable health information on an individual that can be drawn from multiple sources and that are managed, shared, and controlled by or primarily for the individual.[4] Congress recognized that vendors of personal health records and PHR related entities (i.e., companies that offer products and services through PHR websites or access information in or send information to personal health records) were collecting consumers' health information but were not subject to the privacy and security requirements of HIPAA. Accordingly, the Recovery Act directed the FTC to issue a rule requiring these non-HIPAA covered entities, and their third party service providers, to provide notification of any breach of unsecured PHR identifiable health information. The Commission issued its Rule implementing these provisions in 2009.[5] FTC enforcement of the Rule began on February 22, 2010.

The Rule requires vendors of personal health records and PHR related entities to provide: (1) notice to consumers whose unsecured PHR identifiable health information has been breached; (2) notice to the Commission; and (3) notice to prominent media outlets[6] serving a State or jurisdiction, in cases where 500 or more residents are confirmed or reasonably believed to have been affected by a breach.[7] The Rule also requires third party service providers (i.e., those companies that provide services such as billing, data storage, attribution, or analytics) to vendors of personal health records and PHR related entities to provide notification to such vendors and entities following the discovery of a breach.[8] The Rule requires notice to individuals "without unreasonable delay and in no case later than 60 calendar days" after discovery of a data breach.[9] If the breach affects 500 or more individuals, notice to the FTC must be provided "as soon as possible and in no case later than ten business days" after discovery of the breach.[10] The FTC makes available a standard form for companies to use to notify the Commission of a breach,[11] and posts a list of breaches involving 500 or more individuals on its website.[12]

The Rule applies only to breaches of "unsecured" health information, which the Rule defines as health information that is not secured through technologies or methodologies specified by the Department of Health and Human Services ("HHS"), and it does not apply to businesses or organizations covered by HIPAA.[13] HIPAA-covered entities and their "business associates" must instead comply with HHS's breach notification rule.[14]

Since the Rule's issuance, apps and other direct-to-consumer health technologies, such as fitness trackers and wearable blood pressure monitors, have become commonplace.[15] Further, as an outgrowth of the COVID–19 pandemic, consumer use of such health-related technologies has increased significantly.[16]

In May 2020, the Commission announced its regular, ten-year review of the Rule and requested public comments about potential Rule changes.[17] The Commission requested comment on, among other things, whether changes should be made to the Rule in light of technological changes, such as the proliferation of apps and similar technologies. The Commission received 26 public comments. Many of the commenters encouraged the Commission to clarify that the Rule applies to apps and similar technologies.[18] In fact, no commenter opposed this type of clarification regarding the Rule's coverage of health apps. Several commenters pointed out examples of health apps that have abused users' privacy, such as by disclosing sensitive health information without consent.[19] Several commenters noted the urgency of this issue, as consumers have further embraced digital health technologies during the COVID–19 pandemic.[20] Commenters argued that the Commission should take additional steps to protect unsecured PHR identifiable health information that is not covered by HIPAA, both to prevent harm to consumers[21] and to level the competitive playing field among companies dealing with the same health information.[22] To that end, commenters not only urged the Commission to revise the Rule, but also to increase its enforcement efforts.[23]

1. The Commission's 2021 Policy Statement

On September 15, 2021, the Commission issued a Policy Statement providing guidance on the scope of the Rule. The Policy Statement clarified that the Rule covers most health apps and similar technologies that are not covered by HIPAA.[24] The Rule defines a "personal health record" as "an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual."[25] As the Commission explained in the Policy Statement, many makers and purveyors of health apps and other connected devices are vendors of personal health records covered by the Rule because their products are electronic records of PHR identifiable health information. The Commission explained that PHR identifiable health information includes individually identifiable health information created or received by a health care provider,[26] and that "health care providers" include any entities that "furnish[] health care services or supplies."[27] Because these health app purveyors furnish health care services to their users through the mobile applications they provide, the information held in the app is PHR identifiable health information, and therefore many app makers likely qualify as vendors of personal health records.[28]

The Policy Statement further explained that the statute directing the FTC to promulgate the Rule requires that a "personal health record" be an electronic record that can be drawn from multiple sources.[29] Accordingly, health apps and similar technologies likely qualify as personal health records covered by the Rule if they are capable of drawing information from multiple sources. The Commission further clarified that health apps and other products experience a "breach of security" under the Rule when they disclose users' sensitive health information without authorization;[30] a breach is "not limited to cybersecurity intrusions or nefarious behavior."[31]

2. Enforcement History

In 2023, the Commission has brought its first enforcement actions under the Rule against vendors of personal health records. In February 2023, the Commission brought its first enforcement action alleging a violation of the Rule against GoodRx Holdings, Inc. ("GoodRx"), a digital health company that sells health-related products and services directly to consumers, including prescription medication discount products and telehealth services through its website and mobile applications.[32] In its complaint, the Commission alleged that between 2017 and 2020, GoodRx, as a vendor of personal health records, disclosed more than 500 consumers' unsecured PHR identifiable health information to third party advertising platforms like Facebook and Google, without the authorization of those consumers. As charged in the complaint, these disclosures violated explicit privacy promises the company made to its users about its data sharing practices (including about its sharing of PHR identifiable health information). The Commission alleged that GoodRx broke these promises and disclosed its users' prescription medications and personal health conditions, personal contact information, and unique advertising and persistent identifiers. The Commission charged GoodRx with violating the Rule by failing to provide the required notifications, as prescribed by the Rule, to (1) individuals whose unsecured PHR identifiable health information was acquired by an unauthorized person, (2) the Federal Trade Commission, or (3) media outlets. 16 CFR 318.3–6.

[3] 42 U.S.C. 17937.
[4] 42 U.S.C. 17921(11).
[5] 74 FR 42962 (Aug. 25, 2009) ("2009 Final Rule").
[6] The Recovery Act does not limit this notice to particular types of media. Thus, an entity can satisfy the requirement to notify "prominent media outlets" by, for example, disseminating press releases to a number of media outlets, including internet media in appropriate circumstances, where most of the residents of the relevant state or jurisdiction get their news. This will be a fact-specific inquiry that will depend upon what media outlets are "prominent" in the relevant jurisdiction. 74 FR 42974.
[7] 16 CFR 318.3, 318.5.
[8] Id. 318.3.
[9] Id. 318.4.
[10] Id. 318.5(c).
[11] Fed. Trade Comm'n, Notice of Breach of Health Information, https://www.ftc.gov/system/files/documents/rules/health-breach-notification-rule/health_breach_form.pdf.
[12] Fed. Trade Comm'n, Notices Received by the FTC Pursuant to the Health Breach Notification Rule, Breach Notices Received by the FTC, https://www.ftc.gov/system/files/ftc_gov/pdf/Health%20Breach%20Notices%20Received%20by%20the%20FTC.pdf (last visited Dec. 2, 2022).
[13] Per HHS guidance, electronic health information is "secured" if it has been encrypted according to certain specifications set forth by HHS, or if the media on which electronic health information has been stored or recorded is destroyed according to HHS specifications. See 74 FR 19006; see also U.S. Dep't of Health & Human Servs., Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html. PHR identifiable health information would be considered "secured" if such information is disclosed by, for example, a vendor of personal health records, to a PHR related entity or a third party service provider, in an encrypted format meeting HHS specifications, and the PHR related entity or third party service provider stores the data in an encrypted format that meets HHS specifications and also stores the encryption and/or decryption tools on a device or at a location separate from the data.
[14] 45 CFR 164.400–414.
[15] See, e.g., Tehseen Kiani, App Development in Healthcare: 12 Exciting Facts, TechnoChops (Jan. 27, 2022), https://www.technochops.com/programming/4329/app-development-in-healthcare/; Elad Natanson, Healthcare Apps: A Boon, Today and Tomorrow, Forbes (July 21, 2020), https://www.forbes.com/sites/eladnatanson/2020/07/21/healthcare-apps-a-boon-today-and-tomorrow/?sh=21df01ac1bb9; Emily Olsen, Digital health apps balloon to more than 350,000 available on the market, according to IQVIA report, MobiHealthNews (Aug. 4, 2021), https://www.mobihealthnews.com/news/digital-health-apps-balloon-more-350000-available-market-according-iqvia-report.
[16] See id.; see also Lis Evenstad, Covid-19 has led to a 25% increase in health app downloads, research shows, ComputerWeekly.com (Jan. 12, 2021), https://www.computerweekly.com/news/252494669/Covid-19-has-led-to-a-25-increase-in-health-app-downloads-research-shows (finding that COVID–19 has led to a 25% increase in health app downloads); Jasmine Pennic, U.S. Telemedicine App Downloads Spikes During COVID–19 Pandemic, HIT Consultant (Sept. 8, 2020), https://hitconsultant.net/2020/09/08/u-s-telemedicine-app-downloads-spikes-during-covid-19-pandemic/ ("US telemedicine app downloads see dramatic increases during the COVID–19 pandemic, with some seeing an 8,270% rise YoY.").
[17] 85 FR 31085 (May 22, 2020).
[18] E.g., Amer. Health Info. Mgmt. Ass'n ("AHIMA") at 2; Kaiser Permanente at 3; Allscripts at 3; Amer. Acad. of Ophthalmology at 2; All. for Nursing Informatics at 2; Amer. Med. Ass'n ("AMA") at 4; Amer. College of Surgeons at 6; Physicians' Elec. Health Record Coal. ("PEHRC") at 4 ("Apps that collect health information, regardless of whether or not they connect to an EHR, must be regulated by the FTC Health Breach Notification Rule to ensure the safety and security of personal health information."); America's Health Ins. Plans ("AHIP") and Blue Cross Blue Shield Ass'n ("BCBS") at 2; The App Ass'n's Connected Health Initiative ("CHI") at 3.
[19] Kaiser Permanente at 7; The Light Collective at 2; Amer. Acad. of Ophthalmology at 2; Healthcare Info. and Mgmt. Sys. Soc'y ("HIMSS") and the Personal Connected Health All. ("PCH Alliance") at 3; PEHRC at 2–3.
[20] Lisa McKeen at 2–3; Kaiser Permanente at 7–8; AMA at 3; Off. of the Att'y Gen. for the State of Cal. ("OAG–CA") at 4.
[21] Georgia Morgan; Amer. Acad. of Ophthalmology at 2–3 (arguing that the breach of health information held by a non-HIPAA-covered app, for example, harms the patient-provider relationship, because the patient erroneously believes that the provider is the source of the breach); CHIME at 3 (arguing that apps' privacy practices impact the patient-provider relationship because providers do not know what technologies are sufficiently trustworthy for their patients); AMA at 2–3 (expressing concern that patients share less health data with health care providers, perhaps because of "spillover from privacy and security breaches").
[22] Kaiser Permanente at 2, 4; Workgroup for Electronic Data Interchange ("WEDI") at 2; AHIP & BCBS at 3 ("[HIPAA] covered entities, such as health plans, that use or disclose protected health information should not be subject to stricter notification requirements than those imposed on vendors of personal health records or other such entities. Otherwise, the Federal government will be providing market advantages to particular industry segments with the effect of dampening competition and harming consumers.").
[23] Kaiser Permanente at 3, 4; Fred Trotter at 1; Casey Quinlan at 1; CARIN All. at 2. At the time of this Notice, the Commission has brought two enforcement actions under the Rule; the first against digital health company GoodRx Holdings, Inc., and the second against an ovulation-tracking mobile app marketed under the name "Premom" and developed by Easy Healthcare, Inc. U.S. v. GoodRx Holdings, Inc., Case No. 23–cv–460 (N.D. Cal. 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc; U.S. v. Easy Healthcare Corporation, Case No. 1:23-cv-3107 (N.D. Ill. 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v.
[24] Statement of the Commission on Breaches by Health Apps and Other Connected Devices, Fed. Trade Comm'n (Sept. 15, 2021), https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf ("Policy Statement").
[25] 16 CFR 318.2(d).
[26] Id. 318.2(e).
[27] Id. 318.2(e); 42 U.S.C. 1320d(6), d(3).
[28] See Policy Statement at 1.
[29] The Policy Statement provided this example: "[I]f a blood sugar monitoring app draws health information only from one source (e.g., a consumer's inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from your phone's calendar), it is covered under the Rule." Id. at 2.
[30] 16 CFR 318.2(a).
[31] Policy Statement at 2; 74 FR 42967 (Commentary to 2009 Final Rule) ("On a related issue, the final rule provides that a breach of security means acquisition of information without the authorization 'of the individual.' Some commenters raised questions about how the extent of individual authorization should be determined. For example, if a privacy policy contains buried disclosures describing extensive dissemination of consumers' data, could consumers be said to have authorized such dissemination? The Commission believes that an entity's use of information to enhance individuals' experience with their PHR would be within the scope of the individuals' authorization, as long as such use is consistent with the entity's disclosures and individuals' reasonable expectations. Such authorized uses could include communication of information to the consumer, data processing, or Web design, either in-house or through the use of service providers. Beyond such uses, the Commission expects that vendors of personal health records and PHR related entities would limit the sharing of consumers' information, unless the consumers exercise meaningful choice in consenting to such sharing.") (citations omitted).
The Commission entered into a settlement that, among other injunctive relief, required GoodRx to pay a $1.5 million civil penalty for its violation of the Rule.[33]

Similarly, on May 17, 2023, the Commission brought its second enforcement action under the Rule against Easy Healthcare Corporation ("Easy Healthcare"), a company that publishes an ovulation and period tracking mobile application called Premom, which allows its users to input and track various types of health and other sensitive data. Similar to the conduct alleged against GoodRx, Easy Healthcare disclosed PHR identifiable health information to third party companies such as Google and AppsFlyer, contrary to its privacy promises, and did not comply with the Rule's notification requirements. The Commission entered into a settlement that, among other injunctive relief, required Easy Healthcare to pay a $100,000 civil penalty for its violation of the Rule.[34]

3. Summary of Proposed Rule Changes

Having considered the public comments, described in further detail below, and its Policy Statement, the Commission now proposes to revise the Rule, 16 CFR part 318, in seven ways.

• First, the Commission proposes to revise several definitions in order to clarify the Rule and better explain its application to health apps and similar technologies not covered by HIPAA. Consistent with this objective, the proposed Rule would modify the definition of "PHR identifiable health information" and add two new definitions ("health care provider" and "health care services or supplies"). These changes are consistent with a number of public comments supporting the Rule's coverage of these technologies.

• Second, the Commission proposes to revise the definition of breach of security to clarify that a breach of security includes an unauthorized acquisition of PHR identifiable health information in a personal health record that occurs as a result of a data security breach or an unauthorized disclosure.

• Third, the Commission proposes to revise the definition of PHR related entity in two ways. Consistent with its clarification that the Rule applies to health apps, the Commission first proposes clarifying the definition of "PHR related entity" to make clear that the Rule covers entities that offer products and services through the online services, including mobile applications, of vendors of personal health records. In addition, the Commission proposes revising the definition of "PHR related entity" to provide that entities that access or send unsecured PHR identifiable health information to a personal health record—rather than entities that access or send any information to a personal health record—are PHR related entities.

• Fourth, the Commission proposes to clarify what it means for a personal health record to draw PHR identifiable health information from multiple sources.

• Fifth, in response to public comments expressing concern that mailed notice is costly and not consistent with how consumers interact with online technologies like health apps, the Commission proposes to revise the Rule to authorize electronic notice in additional circumstances. Specifically, the proposed Rule would adjust the language in the "method of notice section" and add a new definition of the term "electronic mail." The proposed Rule also requires that any notice delivered by electronic mail be "clear and conspicuous," a newly defined term, which aligns closely with the definition of "clear and conspicuous" codified in the FTC's Financial Privacy Rule.[35]

• Sixth, the proposed Rule would expand the required content of the notice to individuals, to require that consumers whose unsecured PHR identifiable information has been breached receive additional important information, including information regarding the potential for harm from the breach and protections that the notifying entity is making available to affected consumers. In addition, the proposed Rule would include exemplar notices, which entities subject to the Rule could use to notify consumers in terms that are easy to understand.

• Seventh, in response to public comments, the Commission proposes to make a number of changes to improve the Rule's readability. Specifically, the Commission proposes to include explanatory parentheticals for internal cross-references, add statutory citations in relevant places, consolidate notice and timing requirements in single sections, respectively, of the Rule, and add a new section that plainly states the penalties for non-compliance.

Finally, this Notice also includes a section discussing several alternatives the Commission considered but is not proposing. Although the Commission has not put forth any proposed modifications on those issues, the Commission nonetheless seeks public comment on them.

The Commission believes that the proposed changes are consistent with the language and intent of the Recovery Act, will address the concerns raised by the public comments, and will ensure that the Rule remains relevant in the face of changing business practices and technological developments. The Commission invites comment on the proposed rule revisions generally and on the specific issues outlined through section III. Written comments must be received on or before August 8, 2023.

[32] U.S. v. GoodRx Holdings, Inc., Case No. 23–cv–460 (N.D. Cal. 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc.
[33] In addition, the Commission alleged that GoodRx's data sharing practices were deceptive and unfair, in violation of Section 5 of the FTC Act.
[34] U.S. v. Easy Healthcare Corporation, Case No. 1:23–cv–3107 (N.D. Ill. 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v.
[35] 16 CFR 313.3(b). The FTC's Financial Privacy Rule requires financial institutions to provide particular notices and to comply with certain limitations on disclosure of nonpublic personal information. Using a comprehensive definition of "clear and conspicuous" that is based on the Financial Privacy Rule definition aims to ensure consistency across the Commission's privacy-related rules.

II. Analysis of the Proposed Rule

The following discussion analyzes the proposed changes to the Rule.

1. Clarification of Entities Covered

The Commission proposes revisions to clarify the Rule's treatment of health apps and similar technologies not covered by HIPAA. As the Commission's Policy Statement makes clear, many health apps and similar technologies not covered by HIPAA are covered by the FTC's existing Rule. To ensure that entities covered by the Rule understand their obligations under the Rule, the Commission is proposing changes to clarify that mobile health applications are covered by the Rule, giving important guidance to the marketplace on the Rule's scope. To accomplish this objective, the Commission proposes several changes to § 318.2, which defines key terms in the Rule.
Commenters broadly support the Rule covering health apps and similar technologies.36 First, consistent with one commenter’s recommendation,37 the Commission proposes revising “PHR identifiable information” to import language from section 1171(6) of the Social Security Act, 42 U.S.C. 1320d(6), which is included in the current Rule only by cross-reference to that statute.38 This revision is not substantive and is being proposed to improve readability. As revised, “PHR identifiable information” would be defined as information (1) that is provided by or on behalf of the individual; (2) that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual; (3) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and (4) is created or received by a health care provider, health plan (as defined in 42 U.S.C. 1320d(5)), employer, or health care clearinghouse (as defined in 42 U.S.C. 1320d(2)). The Commission believes that this definition covers traditional health information (such as diagnoses or medications), health information derived from consumers’ interactions with apps and other online services (such as health information generated from tracking technologies employed on websites or mobile applications or from customized records of website or mobile application interactions),39 as well as emergent health data (such as health information inferred from non-health-related data points, such as location and recent purchases).40 The Commission requests comment as to whether any further amendment of the definition is needed to clarify the scope of data covered.

36 See supra note 18.
37 See Lisa McKeen at 5.
38 The HBN Rule, as currently drafted, defines “PHR identifiable health information” as “individually identifiable health information,” as defined in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)), and, with respect to an individual, information: (1) That is provided by or on behalf of the individual; and (2) That identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. See 16 CFR 318.2(e). Section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)) states: “The term ‘individually identifiable health information’ means any information, including demographic information collected from an individual, that— (A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and— (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”
39 In the Matter of Flo Health, Inc., FTC File No. 1923133 (June 22, 2021), https://www.ftc.gov/system/files/documents/cases/192_3133_flo_health_complaint.pdf; U.S. v. GoodRx Holdings, Inc., Case No. 23–cv–460 (N.D. Cal. 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc; In the Matter of BetterHelp, Inc., FTC File No. 2023169 (March 2, 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/2023169-betterhelp-inc-matter (proposed complaint and order); U.S. v. Easy Healthcare Corporation, Case No. 1:23–cv–3107 (N.D. Ill. 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v; see also U.S. Dep’t of Health & Human Servs., Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (Dec. 1, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/.
40 See, e.g., Mason Marks, Emergent Medical Data: Health Information Inferred by Artificial Intelligence, 11 UC Irvine L. Rev. 995 (2021), https://scholarship.law.uci.edu/cgi/viewcontent.cgi?article=1501&context=ucilr.

The proposed Rule also defines a new term, “health care provider,” in a manner similar to the definition of “health care provider” found in 42 U.S.C. 1320d(3) (and referenced in 1320d(6)). Specifically, the proposed Rule defines “health care provider” to mean a provider of services (as defined in 42 U.S.C. 1395x(u)41), a provider of medical or other health services (as defined in 42 U.S.C. 1395x(s)), or any other entity furnishing health care services or supplies.

41 Under 42 U.S.C. 1395x(u), the term “provider of services” means a hospital, critical access hospital, rural emergency hospital, skilled nursing facility, comprehensive outpatient rehabilitation facility, home health agency, hospice program, or, for purposes of section 1395f(g) and section 1395n(e) of this title, a fund.

The proposed Rule adds a new definition for the term “health care services or supplies” to include any online service, such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.42 The Commission’s proposed definition of “health care services and supplies” is based on a number of factors, including the Commission’s institutional knowledge, expertise, and law enforcement experience in health data technology. This definition is designed to reflect the current state of technology for health apps and connected devices, as well as emerging technological capabilities that the Commission has observed through its investigatory, enforcement, and policy work. These changes clarify that developers of health apps and similar technologies providing these types of “health care services or supplies” qualify as “health care providers” under the Rule. Accordingly, any individually identifiable health information these products collect or use would constitute “PHR identifiable health information” covered by the Rule. These changes also clarify that mobile health applications, therefore, are a “personal health record” covered by the Rule (as long as other conditions set forth in the definition of “personal health record” are met) and accordingly the developers of such applications are “vendors of personal health records.”43 The proposed definition of “health care services or supplies” clarifies the Rule’s scope in two ways. First, it makes clear that the Rule applies generally to online services, including websites, apps, and internet-connected devices that provide health care services or supplies. Second, it illustrates that the Rule covers online services related not only to medical issues (by including in the definition terms such as “diseases, diagnoses, treatment, medications”) but also wellness issues (by including in the definition terms such as fitness, sleep, and diet). The Commission intends to ensure app developers understand their notice obligations, even if an app is positioned as a “wellness” product rather than a “health” product. The Commission’s proposed changes are consistent with the public comments, which recommended the Rule cover health apps and similar technologies.44 In revising and adding these definitions, Commission staff also sought informal input from staff at the Federal agencies that interpret or enforce the referenced statutory provision, 42 U.S.C. 1320d, including staff at HHS.

The Commission’s definition of “health care provider” differs from, but does not contradict, the definitions or interpretations adopted by HHS.45 The Commission’s proposed definition is consistent with the statutory scheme established by Congress to regulate non-HIPAA covered entities and within the agency’s discretion in administering the Rule.

42 See Joint Statement of Commissioner Rohit Chopra and Commissioner Rebecca Kelly Slaughter, Concurring in Part, Dissenting in Part, In the Matter of Flo Health, Inc., FTC File No. 1923133 (Jan. 13, 2021), https://www.ftc.gov/system/files/documents/public_statements/1586018/20210112_final_joint_rcrks_statement_on_flo.pdf (“The FTC’s Health Breach Notification Rule covers (a) health care providers that (b) store unsecured, personally identifiable health information that (c) can be drawn from multiple sources, and the rule is triggered when such entities experience a ‘breach of security.’ See 16 CFR 318. Under the definitions cross-referenced by the Rule, Flo—which markets itself as a ‘health assistant’—is a ‘health care provider,’ in that it ‘furnish[es] health care services and supplies.’ See 16 CFR 318.2(e); 42 U.S.C. 1320d(6), d(3).”).
43 The mobile health applications covered as “vendors of personal health records” under the Rule are distinct from the “online applications” referenced in footnote 78 of the 2009 Statement of Basis and Purpose as “PHR related entities.” Footnote 78 from the 2009 Statement of Basis and Purpose states that PHR related entities include “online applications through which individuals connect their blood pressure cuffs, blood glucose monitors, or other devices” so they can track the results through their personal health records. See 74 FR 42962, 42969 n.78 (2009). Footnote 78 refers narrowly to online applications that collect health information from a single source and transfer it to a personal health record maintained separate and apart from the PHR related entity by the PHR vendor. In other words, a PHR related entity sends health information to a personal health record which the PHR related entity does not itself maintain.
44 See supra note 18.
45 Although in other contexts HHS has defined the term “health care provider” based upon a more limited understanding of that term (e.g., referring primarily to persons and entities such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies), its definition does not contradict or preclude an interpretation of the referenced statutory provision, 42 U.S.C. 1320d, that encompasses developers of health applications and similar technologies.

Topics on Which the Commission Seeks Public Comment

The Commission seeks comment as to whether these changes sufficiently clarify the Rule’s application to purveyors of health apps and similar technologies that are not covered by HIPAA. The Commission also seeks comment as to whether the proposed rule, as explained here, makes clear to the market which entities are covered by the Rule and under what circumstances. As the Commission has explained, the Rule is intended to cover developers and purveyors of health apps and internet-connected health devices, such as fitness trackers, that are not covered by HIPAA. The Commission seeks comment as to whether the proposed changes and added definitions would apply to entities that offer other technologies and, if so, whether these definitions include appropriate distinctions. If the scope should be limited, the Commission seeks comment as to how that limitation could be effected through the Rule’s language, consistent with the language and purpose of the Recovery Act. The Commission seeks comment on defining “health care provider” in a manner that is broader than a more limited definition of that term used in other contexts (e.g., referring primarily to persons and entities such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies46). And, finally, the Commission seeks comment on the definition of “healthcare services or supplies,” including whether any modifications should be made to this definition.

2. Clarification Regarding Types of Breaches Subject to the Rule

The Commission proposes a definitional change to clarify that a breach of security under the Rule encompasses unauthorized acquisitions that occur as a result of a data breach or an unauthorized disclosure.
The current Rule defines “breach of security” as the acquisition of unsecured PHR identifiable health information of an individual in a personal health record without the authorization of the individual.47 This language mirrors the definition of “breach of security” in section 13407(f)(1) of the Recovery Act. The current Rule also includes a rebuttable presumption for unauthorized access to an individual’s data. It states that when there is unauthorized access to data, unauthorized acquisition will be presumed unless the entity that experienced the breach “has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.”48 The Commission’s proposed changes are consistent with the plain language of the current Rule and the Recovery Act definition of “breach of security.”49 Additionally, the Commission’s Policy Statement makes clear that “[i]ncidents of unauthorized access, including sharing of covered information without an individual’s authorization, triggers notification obligations under the Rule,” and that a breach “is not limited to cybersecurity intrusions or nefarious behavior.”50 Further, recent Commission enforcement actions against GoodRx and Easy Healthcare also make clear that the Rule covers unauthorized disclosures of consumers’ PHR identifiable health information to third party companies.

46 See, e.g., U.S. Dep’t of Human Servs., Guidance on Covered Entities and Business Associates (June 16, 2017), https://www.hhs.gov/hipaa/for-professionals/covered-entities/ (listing these persons/entities as examples of health care providers).
47 16 CFR 318.2(a).
The Commission’s proposed changes also are consistent with public comments, which urged the Commission to clarify what constitutes an unauthorized acquisition under the Rule.51 Accordingly, consistent with the Recovery Act definition, the Policy Statement, FTC enforcement actions under the Rule, and public comments received, the Commission proposes amending the definition of “breach of security” in § 318.2(a) by adding the following sentence to the end of the existing definition: “A breach of security includes an unauthorized acquisition of unsecured PHR identifiable health information in a personal health record that occurs as a result of a data breach or an unauthorized disclosure.” The proposed definition is intended to make clear to the marketplace that a breach includes an unauthorized acquisition of identifiable health information that occurs as a result of a data breach or an unauthorized disclosure, such as a voluntary disclosure made by the PHR vendor or PHR related entity where such disclosure was not authorized by the consumer.

48 16 CFR 318.2(a).
49 The commentary to the current Rule already provides guidance on the types of disclosures that the Commission considers to be “unauthorized.” For instance, it states: “Given the highly personal nature of health information, the Commission believes that consumers would want to know if such information was read or shared without authorization.” It further states that data sharing to enhance consumers’ experience with a PHR is authorized only “as long as such use is consistent with the entity’s disclosures and individuals’ reasonable expectations” and that “[b]eyond such uses, the Commission expects that vendors of personal health records and PHR related entities would limit the sharing of consumers’ information, unless the consumers exercise meaningful choice in consenting to such sharing. Buried disclosures in lengthy privacy policies do not satisfy the standard of ‘meaningful choice.’” 74 FR 42967.
50 Policy Statement at 2.
51 See AMA at 5–6 (“The FTC should define ‘unauthorized access’ as presumed when entities fail to disclose to individuals how they access, use, process, and disclose their data and for how long data are retained. Specifically, an entity should disclose to individuals exactly what data elements it is collecting and the purpose for their collection”; “[T]he FTC should define ‘unauthorized access’ as presumed when an entity fails to disclose to an individual the specific secondary recipients of the individual’s data.”); Amer. Med. Informatics Ass’n (“AMIA”) at 2 (recommending that the FTC “[e]xpand on the concept of ‘unauthorized access’ under the definition of ‘Breach of security,’ to be presumed when a PHR or PHR related entity fails to adequately disclose to individuals how user data is accessed, processed, used, reused, and disclosed.”); OAG–CA at 5–6 (urging the FTC to include “impermissible acquisition, access, use, disclosure” under the definition of breach.).

Topics on Which the Commission Seeks Public Comment

The Commission seeks comment on (1) whether this addition to the definition of “breach of security” is necessary, given that the definition in the current Rule already encompasses unauthorized acquisitions beyond security breaches, and (2) whether the proposed definitional change sufficiently clarifies for the marketplace the Rule’s coverage.

3. Revised Scope of PHR Related Entity

The Commission also proposes revising the definition of “PHR related entity” in two ways that pertain to the Rule’s scope.
Currently, the Rule defines “PHR related entity” to mean an entity, other than a HIPAA-covered entity or a business associate of a HIPAA-covered entity, that: (1) offers products or services through the website of a vendor of personal health records; (2) offers products or services through the websites of HIPAA-covered entities that offer individuals personal health records; or (3) accesses information in a personal health record or sends information to a personal health record.52 First, the Commission proposes language to clarify that PHR related entities include entities offering products and services not only through the websites of vendors of personal health records, but also through any online service, including mobile applications. Commenters urged this change because websites are no longer the only means through which consumers access health information online.53 To the contrary, online services such as apps are equally relevant to consumers’ online experiences with health information. Second, the Commission proposes to revise the third prong of the definition so that only entities that access or send unsecured PHR identifiable health information to a personal health record—rather than entities that access or send any information to a personal health record—qualify as PHR related entities.

52 16 CFR 318.2(f).
53 See, e.g., AHIMA at 2 (“[W]e also recommend that the Commission consider updating the existing definition of a ‘PHR-related entity’ [sic] at 318.2(f) as 318.2(f)(1) and 318.2(f)(2) appear to focus primarily on products and services offered through a vendor’s website and may not be entirely reflective of today’s environment as new platforms and related services are increasingly deployed and adopted.”); Amer. Acad. of Ophthalmology at 3–4 (recommending that the definition cover apps); PEHRC at 4 (same).

This change—from any information to unsecured PHR identifiable health information—is intended to eliminate potential confusion about the Rule’s breadth and promote compliance by narrowing the scope of entities that qualify as PHR related entities.54 As the Rule is currently drafted, for example, a grocery delivery service that integrates with a diet and fitness app could arguably be considered a PHR related entity when the grocery delivery service sends information about food purchases to the diet and fitness app. This expansive reading of the Rule is not consistent with the purposes of the statute or the Commission’s intent when it drafted the Rule. The Commission believes that a more appropriate interpretation of the term PHR related entity encompasses entities that access unsecured PHR identifiable health information in a personal health record or send unsecured PHR identifiable health information to a personal health record. Remote blood pressure cuffs, connected blood glucose monitors, and fitness trackers are all examples of devices that could qualify as a PHR related entity when individuals sync them with a personal health record (i.e., mobile health application).55 As a result of this proposed change, a firm that performs attribution and analytics services for a health app might be considered both a PHR related entity (to the extent it accesses unsecured PHR identifiable health information in a personal health record) and a third party service provider. This overlap could create competing notice obligations, where, in the event of a breach, the firm would be required to notify individuals and the FTC (per § 318.3’s notice requirements for PHR related entities) and notify the vendor of the personal health record (per § 318.3’s notice requirements for third party service providers). The Commission does not intend this result.

54 The revised definition would state that a PHR related entity is an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that (1) offers products or services through the website, including any online service, of a vendor of personal health records; (2) offers products or services through the websites, including any online services, of HIPAA-covered entities that offer individuals personal health records; or (3) accesses unsecured PHR identifiable health information in a personal health record or sends unsecured PHR identifiable health information to a personal health record. Although the Rule is only triggered when there is a breach of security involving unsecured PHR identifiable health information, the Commission nevertheless believes there is a benefit to revising the third prong of PHR related entity to make clear that only entities that access or send unsecured PHR identifiable health information to a personal health record—rather than entities that access or send any information to a personal health record—are PHR related entities. Otherwise, under the Rule’s current formulation, many entities could be a PHR related entity under the definition’s third prong and such entities would then, in the event of a breach, need to analyze whether they experienced a reportable breach under the Rule. If an entity, per this proposed revision, does not qualify as a PHR related entity in the first place, there is no need to consider whether it experienced a reportable breach.
Instead, the Commission considers firms that perform services such as attribution and analytics for apps and technologies providing healthcare services and supplies to be third party service providers. Such service providers must notify the health app developers for whom they provide services, who in turn would notify affected individuals.56 Otherwise, treating such service providers as PHR related entities would create a problematic result for the consumer, who would receive notice from an unfamiliar company. To clarify this issue, the Commission proposes to revise § 318.3(b) by adding that a third party service provider is not rendered a PHR related entity when it accesses unsecured PHR identifiable health information in the course of providing services.

55 For example, the maker of a wearable fitness tracker may be both a vendor of personal health records (to the extent that its tracker interfaces with its own app, which also accepts consumer inputs) and a PHR related entity (to the extent that it sends information to another company’s health app). Regardless of whether the maker of the fitness tracker is a vendor of personal health records or a PHR related entity, its notice obligations are the same: it must notify individuals, the FTC, and in some cases, the media, of a breach. 16 CFR 318.3(a), 318.5(b).
56 In attempting to help distinguish between PHR related entities and third party service providers, the Commission offers the following observation: in most cases, third party service providers are likely to be non-consumer facing. Thus, examples of PHR related entities include, as noted above, fitness trackers and health monitors when consumers sync them with a mobile health app. Examples of third party service providers include entities that provide support or administrative functions to vendors of personal health records and PHR related entities.
Moreover, this result will create incentives for responsible data stewardship and for de-identification. Specifically, PHR vendors will have incentives to select and retain service providers, such as those that perform services such as attribution or analytics for apps, capable of treating data responsibly (e.g., not engaging in any onward disclosures of data that could result in a reportable breach) and incentives to oversee their service providers to ensure ongoing responsible data stewardship (which would avoid a breach). Further, it will create incentives for PHR vendors to avoid breaches by service providers by de-identifying health information before sharing it with any service provider, as de-identification would render the data no longer PHR identifiable health information subject to the Rule.

a. Topics on Which the Commission Seeks Public Comment

The Commission seeks comment on whether additional changes to the Rule would be necessary or helpful to clarify this result. The Commission also requests comment on the following scenario: a third party service provider, such as an analytics firm, receives PHR identifiable health information (e.g., device identifier and geolocation data from which health information about an individual can be inferred) and then sells it to another entity without the consumer’s authorization. The Commission considers this to be a reportable breach, even if the consumer consented to the original collection. In such a scenario, the third party service provider would be required to notify the vendor of personal health records or PHR related entity, who in turn would notify affected individuals. The Commission requests comment on this approach, including whether as a policy matter it is advisable under the Rule to require a vendor of personal health records or PHR related entity to notify its customers about such onward disclosures. The Commission also seeks comment on the definition of “PHR related entity,” including the scope.
Conversely, the Commission seeks comment as to whether, by limiting the third prong of the definition to entities that access or send unsecured PHR identifiable health information, the proposed definition is too narrow and would exclude entities that should be required to notify consumers of breaches, consistent with the Recovery Act. To assess this question of breadth, the Commission requests comment on what entities are (1) offering products or services through personal health records such as apps; or (2) sending or accessing information, including but not limited to identifiable health information, in health apps and other personal health records. Finally, the Commission requests comment on the potential overlap between the definitions of “PHR related entity” and “third party service provider,” and how to sufficiently distinguish between them.

4. Clarification of What it Means for a Personal Health Record To Draw Information From Multiple Sources

The Commission proposes revising the definition of “personal health record” to clarify what it means for a personal health record to draw information from multiple sources. Under the current Rule, a personal health record is defined as an electronic record of PHR identifiable health information that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. Under the revised definition, a “personal health record” would be defined as an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual.57 This change clarifies the application of the statutory definition of a personal health record that can draw information from multiple sources.
Adding the phrase “technical capacity to draw information” serves several purposes. First, it clarifies that a product is a personal health record if it can draw information from multiple sources, even if the consumer elects to limit information from a single source only, in a particular instance. For example, a depression management app that accepts consumer inputs of mental health states and has the technical capacity to sync with a wearable sleep monitor is a personal health record, even if some customers choose not to sync a sleep monitor with the app. Thus, whether an app qualifies as a personal health record would not depend on the prevalence of consumers’ use of a particular app feature, like sleep monitor-syncing. Instead, the analysis of the Rule’s application would be straightforward: either the app has the technical means (e.g., the application programming interface or API) to draw information from multiple sources, or it does not. Next, adding the phrase “technical capacity to draw information” would clarify that a product is a personal health record if it can draw any information from multiple sources, even if it only draws health information from one source. This change further clarifies the Commission’s interpretation of the Recovery Act, as explained in the Policy Statement.58 To illustrate the intended meaning of the proposed revisions to the term “personal health record,” the Commission offers the example of two non-HIPAA covered diet and fitness apps available for consumer download in an app store.

57 One commenter specifically recommended that the definition of PHR be broadened “to explicitly include any website, mobile application, or other electronic record system that collects and stores individually identifiable information, including health information, even if it draws that information from a single source.” Kaiser Permanente at 3.
The proposed Rule makes clear that each is a personal health record.

• Diet and Fitness App Y allows users to sync the app with third-party wearable fitness trackers. Diet and Fitness App Y has the technical capacity to draw identifiable health information both from the user (name, weight, height, age) and the fitness tracker (user’s name, miles run, heart rate), even if some users elect not to connect the fitness tracker.

• Diet and Fitness App Y has the ability to pull information from the user’s phone calendar via the calendar API to suggest personalized healthy eating options. Diet and Fitness App Y has the technical capacity to draw identifiable health information from the user (name, weight, height, age) and non-health information (calendar entry info, location, and time zone) from the user’s calendar.

58 Policy Statement at 2.

a. Topics on Which the Commission Seeks Public Comment

The Commission seeks comment as to whether the proposed changes sufficiently clarify the Rule’s application to developers and purveyors of products that have the technical capacity to draw information from more than one source. In particular, the Commission invites comment on its interpretation that an app is a personal health record because it has the technical capacity to draw information from multiple sources, even if particular users of the app choose not to enable the syncing features. The Commission also requests comment about whether an app (or other product) should be considered a personal health record even if it only draws health information from one place (in addition to non-health information drawn elsewhere); or only draws identifiable health information from one place (in addition to non-identifiable health information drawn elsewhere).
The Commission also requests comment about whether the Commission’s bright-line rule (apps with the “technical capacity to draw information” are covered) should be adjusted to take into account consumer use, such as where no consumers (or only a de minimis number) use a feature. For example, an app might have the technical capacity to draw information from multiple sources, but its API is entirely or mostly unused, either because it remains a Beta feature, has not been publicized, or is not popular. The Commission also requests comment on the likelihood of such scenarios.

5. Facilitating Greater Opportunity for Electronic Notice

Fourth, the Commission proposes to authorize expanded use of email and other electronic means of providing clear and effective notice of a breach to consumers. Increasingly, consumers interact with vendors of personal health records (and vice versa) solely online and communicate primarily or exclusively through electronic means. Currently, the Rule permits notice by either postal mail or, in limited circumstances, email. The Rule provides that vendors of personal health records or PHR related entities that discover a breach of security must provide “[w]ritten notice, by first-class mail to the individual at the last known address of the individual, or by email, if the individual is given a clear, conspicuous, and reasonable opportunity to receive notification by first-class mail, and the individual does not exercise that choice.”59 Several commenters noted the cost and inconvenience associated with postal mail notice to companies and consumers alike.60 Several commenters encouraged the Commission to update the methods of notice to permit notice by electronic means.61 Commenters suggested that the Commission revise the Rule to encourage different kinds of electronic notice, including email, in-app messaging, and QR codes.62 For example, one commenter stated that the Rule’s notice requirement should be updated to permit notification by email or within an application, including through such means as banner, “popup,” and clickthrough notifications.63 This commenter also noted that an electronic communication is more likely to be read by an individual who is using an application, and is more cost effective.64 Another commenter urged the Commission to increase the options for breach notification to include email rather than certified mail as the only option.65 And another commenter noted that in-app messaging, text messages, and platform messaging are widely used tools and should be allowed to be utilized to more effectively communicate with consumers that consent to them.66 This commenter added that it is common sense that consumers should be able to consent to receiving communications under the Rule via these modalities as well as via email.67

The Commission recognizes that, as commenters noted, the relationship between vendors of personal health records and PHR related entities, on the one hand, and individuals takes place online and increasingly via applications present on devices such as mobile phones and tablets. These applications communicate with individuals by various electronic means, including text, within-application message, and email.

59 16 CFR 318.5(a)(1).
60 Allscripts at 2; Bruce Grimm at 1; All. for Nursing Informatics at 2; Anonymous, No. FTC–2020–0045–0005 at 1; CHI at 3; CARIN All. at 2.
61 The App Ass’n’s Connected Health Initiative (“CHI”) at 3; CARIN All. at 2; Allscripts at 2; Bruce Grimm at 1; All. for Nursing Informatics at 2.
62 Id.
63 Allscripts at 2.
64 Id.
65 All. for Nursing Informatics at 2.
66 CHI at 3.
67 Id.

a. Notice via Electronic Mail

Accordingly, the Commission proposes to update this provision to specify that vendors of personal health records or PHR related entities that discover a breach of security must provide written notice at the last known contact information of the individual and such written notice may be sent by electronic mail, if an individual has specified electronic mail as the primary contact method, or by first-class mail. Authorizing entities to provide notice about a breach of security by electronic mail is consistent with how consumers often receive other communications from these entities and will align with consumers’ expectations. As a result, such notices are less likely to be ignored or viewed as suspicious by individuals. Consistent with this objective, the Commission proposes defining “electronic mail” to mean email in combination with one or more of the following: text message, within-application messaging, or electronic banner. The proposed Rule would facilitate more notice by electronic mail. This new definition of electronic mail would ensure that the notice is both (1) convenient and low-cost (because it is electronic) and (2) unavoidable and consistent with the consumer’s relationship with the product. For example, if an app developer is providing notice, it could send written notice by email and in-app message, ensuring that the consumer receives notice in a manner consistent with her experience with the app. Similarly, a website operator could send written notice by email and an electronic banner on the home page of its website. The two prongs of the definition would ensure that a notifying entity cannot select a single form of electronic notice that is unlikely to reach consumers—for example, sending an in-app message alone to app users who do not frequently check in-app notifications.
The goal of structuring the notice in two parts is to increase the likelihood that consumers encounter the notice. Many individuals routinely check email messages, making email a useful vehicle to communicate a breach notification. However, some individuals do not read email often, and these consumers under the proposed definition would also receive notice via text, in-app, or banner notice, thereby increasing the likelihood that they will encounter the breach notification.

The Commission believes any notification delivered via electronic mail should be clear and conspicuous. The proposed Rule defines “clear and conspicuous.” Among other things, for a notice to be clear and conspicuous, the notice must be reasonably understandable and designed to call attention to the nature and significance of the information in the notice. The proposed definition of “clear and conspicuous” closely tracks the definition of clear and conspicuous in the FTC’s Financial Privacy Rule.68

Vendors of personal health records and PHR related entities must obtain consumer consent prior to adopting “electronic mail” as their notification method for affected individuals. The proposed Rule would provide that entities covered by the Rule may send “electronic mail” notifications if the individual user has specified electronic mail as their primary method of communication with the entity. This is consistent with section 13402 of the Recovery Act, which requires that entities can only send notice by electronic mail “if specified as a preference by the individual.” The Commission interprets this phrase as allowing entities to send an email or in-app alert notifying their users that they will receive breach notices by electronic mail and offering them the opportunity to opt out of electronic mail notification and instead receive notice by first class mail.

68 16 CFR 313.3(b)(1).
The proposed Rule also allows for notification by first-class mail where electronic mail is not available.

b. Model Notice

To assist entities that are required to provide notice to individuals under the Rule, the Commission has developed a model notice that entities may use, in their discretion, to notify individuals. This model notice is attached as Exhibit A to this Notice of Proposed Rulemaking. The Commission invites comment on this model notice, including: (1) whether the model notice should be mandatory and any advantages or disadvantages of mandating use of the model notice; (2) whether and how the model notice could be compatible with the methods of notice contemplated by the proposed definition of electronic mail, such as text, banner and within-application messaging, including whether and how entities could suitably link to model notice language from a text message,69 electronic banner, or in-application message; and (3) recommended changes to the substance and format of the model notice.

c. Topics on Which the Commission Seeks Public Comment

The Commission also requests comment on the proposed changes, including whether the definition of “electronic mail” would achieve the Commission’s goal to make notice unavoidable and consistent with the consumer’s relationship with the product. The Commission also requests comment as to whether this definition would result in over-notification from “duplicate” notices, including the extent to which the proposed two-pronged approach could confuse consumers or reduce the impact that a single notice might have.
And the Commission requests comment as to whether this definition is consistent with principles of data minimization, i.e., whether an entity might collect more data (e.g., email or text) than it otherwise would have simply to obtain sufficient information to send notice via “electronic mail” in the event of a breach.

69 The proposed text message and in-app language in the exemplar notice invites consumers to “Visit [add non-clickable URL] to learn what happened, how it affects you, and what you can do to protect your information.” The exemplar proposes a non-clickable URL due to the risk that a clickable URL could expose consumers to, for example, malware or scams.

6. Expanded Content of Notice

The Commission proposes several modifications to the content of the required notice to individuals. Currently, the Rule requires that the notice include a description of what happened; a description of the types of unsecured PHR identifiable health information that were involved in the breach; the steps individuals should take to protect themselves from potential harm; a description of what the vendor of personal health records or PHR related entity involved is doing to investigate the breach, to mitigate any losses, and to protect against any further breaches; and contact procedures for individuals to ask questions or learn additional information.70 The Commission proposes five changes to the content of the notice.

a. Summary of Changes to Content of the Notice

First, in § 318.6(a), as part of relaying what happened regarding the breach, the Commission proposes that the notice to individuals also include a brief description of the potential harm that may result from the breach, such as medical or other identity theft.
The Commission proposes adding this provision so that individuals better understand the nexus between the information breached and the potential harms that could result from the breach of such information. In some cases, it is unclear to individuals what harms may flow from the breach of their information. The Commission believes it is important to equip individuals with information about the harms they may experience so that they can better understand the potential risks from a breach and determine what steps or measures to take following a breach. The Commission invites comment on this proposed provision, including (1) whether the requirement that the notice describe potential harms would serve the public interest and benefit consumers, (2) whether notifying entities typically possess information following a breach to assess the potential harms to individuals, (3) whether, in the absence of such information, notifying entities may minimize the potential risks by informing individuals that they are unaware of any harms that may result from the breach, (4) how notifying entities, in the absence of known, actionable harm resulting from a breach, should best describe to individuals the potential harms they may experience, and (5) whether additional and more specific data elements may overwhelm or confuse recipients of the notice.

70 16 CFR 318.6.

Second, the Commission also proposes to amend the requirements for the notice under § 318.6(a) to include the full name, website, and contact information (such as a public email address or phone number) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security, if this information is known to the vendor of personal health records or PHR related entity (such as where the breach resulted from disclosures of users’ sensitive health information without authorization). No such requirement exists in the current Rule.
Third, the Commission proposes modifications to § 318.6(b), which requires that the notice include a description of the types of unsecured PHR identifiable health information that were involved in the breach. The Rule currently sets forth examples of different types of PHR identifiable health information, such as full name, date of birth, Social Security number, account number, or disability code, that could have been involved in the breach. The Commission proposes that this exemplar list be expanded to include additional types of PHR identifiable health information, such as health diagnosis or condition, lab results, medications, other treatment information, the individual’s use of a health-related mobile application, and device identifier. The Commission believes it is important for individuals to receive notice of the specific types of PHR identifiable health information involved in a breach, given that the exposure of health information can lead to a wide spectrum of harms.71 For example, even the disclosure of an individual’s use of a health-related mobile application (e.g., an HIV management app, mental health app, or addiction recovery app) could, depending on the type of health app at issue, lead to a number of potential injuries, including embarrassment, social stigma, more expensive health insurance premiums, or even loss of employment.

71 See, e.g., Fed. Trade Comm’n, FTC Informational Injury Workshop: BE and BCP Staff Perspective (Oct. 2018), https://www.ftc.gov/system/files/documents/reports/ftc-informational-injury-workshop-be-bcp-staff-perspective/informational_injury_workshop_staff_report_-_oct_2018_0.pdf; Fed. Trade Comm’n, Former Acting Chairwoman Maureen K. Ohlhausen, Painting the Privacy Landscape: Informational Injury in FTC Privacy and Data Security Cases (Sept. 19, 2017), https://www.ftc.gov/system/files/documents/public_statements/1255113/privacy_speech_mkohlhausen.pdf.
Fourth, § 318.6(d) of the Rule currently requires that a vendor of personal health records or PHR related entity describe what the entity is doing to investigate the breach, to mitigate any losses, and to protect against any further breaches. The Commission proposes to revise this provision to require that the notice to individuals include additional information providing a brief description of what the entity that experienced the breach is doing to protect affected individuals, such as offering credit monitoring or other services. The Commission believes it is important that notifying entities explain to individuals not only the steps individuals should take to protect themselves from potential harm resulting from the breach, but also what steps the notifying entity is taking to protect affected individuals following the breach. Any protections offered by notifying entities likely will be tailored to the facts and circumstances of each breach and could, in certain circumstances, include credit monitoring or other support such as identity theft protection or identity restoration services.

Fifth, the Commission proposes to modify § 318.6(e). Currently, this section requires that the notice to individuals include contact procedures for individuals to ask questions or learn additional information about the breach, and the contact procedure must include one of the following: a toll-free telephone number; an email address; website; or postal address. The Commission proposes to modify § 318.6(e) to specify that the contact procedures specified by the notifying entity must include two or more of the following: toll-free telephone number; email address; website; within-application; or postal address. The Commission proposes this change to encourage and facilitate communication between the notifying entities and affected individuals.
This modification is intended to avoid a scenario where, for example, a notifying entity regularly communicates with most of its customers via email and the notifying entity establishes a postal address as the only contact procedure for individuals to employ following a breach.

7. Proposed Changes To Improve Rule’s Readability

The Commission proposes several changes to improve the Rule’s readability. Specifically, the Commission proposes to include explanatory parentheticals for internal cross-references, add statutory citations in relevant places, consolidate notice and timing requirements in single sections, and revise the Enforcement section to state more plainly the penalties for non-compliance.

a. Explanatory Parentheticals and Statutory References

Throughout the Rule, the Commission proposes to include explanatory parentheticals for each internal cross-reference and add statutory citations to help orient the reader.72 The Commission invites comment on whether the inclusion of explanatory parentheticals and statutory citations improves the Rule’s readability and promotes comprehension.

(1) Consolidated Notice and Timing Requirements

To facilitate reader understanding, the Commission proposes consolidating into single sections, respectively, the Rule’s breach notification and timing requirements. Currently, the breach notification requirements are located in sections 318.3 and 318.5 and the timing requirements are located in sections 318.4 and 318.5. To consolidate the Rule’s notice requirements, the Commission proposes to move the provision in § 318.5 (Methods of notice) requiring notice to the media (§ 318.5(b)) to § 318.3.
The Commission does not intend to make any substantive change to the breach notification requirements; this change is merely intended to consolidate breach notification requirements in a single section to improve readability and promote compliance. New § 318.3(a)(3) would set forth the requirement to notify prominent media73 outlets serving a State or jurisdiction, following the discovery of a breach of security, if the unsecured PHR identifiable health information of 500 or more residents of such State or jurisdiction is, or is reasonably believed to have been, acquired during such breach. The Commission requests comment as to whether the consolidation of breach notification requirements improves the Rule’s readability and will promote compliance.74

72 For example, the Commission proposes to add a statutory citation for the Recovery Act section referenced in the definition of “unsecured,” to improve the clarity and readability of this defined term. The revised definition would provide that “unsecured” means PHR identifiable health information that is not protected through the use of a technology or methodology specified by the Secretary of Health and Human Services in the guidance issued under section 13402(h)(2) of the American Reinvestment and Recovery Act of 2009, 42 U.S.C. 17932(h)(2).
73 See supra note 6.

Second, to consolidate requirements regarding the timing of notification, the Commission proposes moving timing requirements for notice to the FTC that appear in § 318.5(c) of the current Rule to a new paragraph (b) in § 318.4 of the proposed Rule. Accordingly, proposed § 318.4(b) would now require vendors of personal health records and PHR related entities to notify the Commission as soon as possible and in no case later than ten business days following the date of discovery of the breach if the breach involves the unsecured PHR identifiable health information of 500 or more individuals.
If the breach involves the unsecured PHR identifiable health information of fewer than 500 individuals, this section permits vendors of personal health records and PHR related entities, in lieu of immediate notice, to maintain a breach log and submit this log annually to the Federal Trade Commission no later than 60 calendar days following the end of the calendar year.75 Importantly, the Commission does not intend to make any substantive change to the timing requirements; this change is merely intended to consolidate timing requirements in a single section to improve readability and promote compliance. The Commission requests comment as to whether the inclusion of explanatory parentheticals and the proposed consolidation of timing requirements improves the Rule’s readability and will promote compliance.

74 As noted above, the Commission does not intend this consolidation of timing requirements to have any effect on the substantive requirements of the Rule. In making this proposed change, minor revisions are required to § 318.5(b). Section 318.5(b) of the proposed Rule would provide: “Notice to media. As described in § 318.3(a)(3), a vendor of personal health records or PHR related entity shall provide notice to prominent media outlets serving a State or jurisdiction, following the discovery of a breach of security, if the unsecured PHR identifiable health information of 500 or more residents of such State or jurisdiction is, or is reasonably believed to have been, acquired during such breach.”
75 As noted above, the Commission does not intend this consolidation of timing requirements to have any effect on the substantive requirements of these sections. Section 318.5(c) of the proposed Rule would provide: “(c) Notice to FTC. Vendors of personal health records and PHR related entities shall provide notice to the Federal Trade Commission following the discovery of a breach of security, as described in 318.4(b) (Timing of notice to FTC). If the breach involves the unsecured PHR identifiable health information of fewer than 500 individuals, the vendor of personal health records or PHR related entity may maintain a log of any such breach and submit such a log to the Federal Trade Commission as described in 318.4(b) (Timing of notice to FTC), documenting breaches from the preceding calendar year. All notices pursuant to this paragraph shall be provided according to instructions at the Federal Trade Commission’s website.”

(2) Revised Enforcement Provision

Commenters suggested that the Rule be revised to specify the penalties for non-compliance.76 Currently, the Rule provides that a violation of § 318.3 shall be treated as an unfair or deceptive act or practice in violation of a regulation under section 18 of the FTC Act. The Commission proposes modifying § 318.7 to make plain that a violation of the Rule constitutes a violation of a rule promulgated under section 18 of the FTC Act and is subject to civil penalties. Under section 18 of the FTC Act, 15 U.S.C. 57a, the Commission is authorized to prescribe “rules which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce” within the meaning of section 5(a)(1) of the FTC Act, 15 U.S.C. 45(a)(1). Once the Commission has promulgated a trade regulation rule, anyone who violates the rule with actual knowledge, or knowledge fairly implied on the basis of objective circumstances, that such act is unfair or deceptive and is prohibited by such rule is liable for civil penalties for each violation. 15 U.S.C. 45(m)(1)(A).
Entities that fail to comply with the Rule are subject to penalties of up to $50,120 per violation per day, and this amount is increased annually per the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.77 The Commission seeks comment on these proposed modifications to § 318.7.

76 See Bruce Grimm at 1 (“Areas of 16 CFR [p]art 318.5 method of notice could be enhanced by adding an option for consumers to text or use a quick response (QR) code generator to obtain data breach information that is on file. This coupled with a modification of 16 CFR [p]art 318.7 enforcement where the actual potential penalty for practice in violation of regulation is noted would act as a deterrent to non-compliance.”); All. for Nursing Informatics at 2 (“We offer the following additional considerations to update and improve the HBN Rule, including. . . . Identify sufficiently stringent penalties and monitoring for responsible management of identifiable PHI.”).
77 16 CFR 1.98; see also Federal Trade Commission, FTC Publishes Inflation-Adjusted Civil Penalty Amounts for 2022 (Jan. 6, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/01/ftc-publishes-inflation-adjusted-civil-penalty-amounts-2023.

III. Changes Considered but Not Proposed and on Which the Commission Seeks Public Comment

1. Defining Authorization and Affirmative Express Consent

As noted above, when a health app or other device discloses sensitive health information without users’ authorization, this is a “breach of security” under the Rule.
The Commission considered defining the term “authorization,” which appears in § 318.2(a)’s definition of “breach of security.” Specifically, § 318.2(a) defines “breach of security,” in relevant part, to mean the acquisition of unsecured PHR identifiable information of an individual in a personal health record without the “authorization” of the individual. The Commission considered defining “authorization” to mean the affirmative express consent of the individual, and then defining “affirmative express consent,” consistent with state laws that define consent, such as the California Consumer Privacy Rights Act, Cal. Civ. Code 1798.140(h).78 Such changes would ensure that notification is required anytime there is acquisition of unsecured PHR identifiable information without the individual’s affirmative express consent for that acquisition—such as when an app discloses unsecured PHR identifiable information to another company, having obtained nominal “consent” from the individual by using a small, greyed-out, pre-selected checkbox following a page of dense legalese.

In considering whether to define “authorization” and “affirmative express consent,” the Commission considered public comments that argued the Rule should do more to prevent data collection and use without the individual’s consent.79 Defining these terms to emphasize the importance of meaningful consent would partially address the concerns of some commenters that privacy compliance obligations for entities not covered by HIPAA should be similar to obligations for HIPAA covered entities, both to ensure consistent protections for consumers’ health information and to level the competitive playing field among companies holding that information.80 The Commission is not, however, proposing to make those changes at this time, because the commentary to the current Rule already provides guidance on the types of disclosures that the Commission considers to be “unauthorized.”81 Further, recent Commission orders, such as GoodRx, also make clear that the use of “dark patterns,” which have the effect of manipulating or deceiving consumers, including through use of user interfaces designed with the substantial effect of subverting or impairing user autonomy and decision-making, do not satisfy the standard of “meaningful choice.” Finally, Commission settlements establish important guidelines involving authorization. For example, the Commission’s recent settlement with GoodRx, alleging violations of the Rule, highlights that disclosures of PHR identifiable information inconsistent with a company’s privacy promises constitute an unauthorized disclosure.

The Commission seeks public comment about whether the commentary above and FTC enforcement actions provide sufficient guidance to put companies on notice about their obligations for obtaining consumer authorization for disclosures, or whether defining the term “authorization” would better inform companies of their compliance obligations. To the extent that including such definitions would be appropriate, the Commission seeks comment on the definitions of “authorization” and “affirmative express consent,” as described above, and the extent to which such definitions are consistent with the language and purpose of the Recovery Act. The Commission also seeks comment on what constitutes acceptable methods of authorization, particularly when unauthorized sharing is occurring. For example, the Commission seeks comment on the following: when a vendor of personal health records or a PHR-related entity is sharing information covered by the Rule, is it acceptable for that entity to obtain the individual’s authorization to share that information when an individual clicks “agree” or “accept” in connection with a pre-checked box disclosing such sharing? Is it sufficient if an individual agrees to terms and conditions disclosing such sharing but that individual is not required to review the terms and conditions? Or is it sufficient if an individual uses a health app that discloses in its privacy policy that such sharing occurs, but the app knows via technical means that the individual never interacts with the privacy policy? Relatedly, the Commission seeks comment on whether there are certain types of sharing for which authorization by consumers is implied, because such sharing is expected and/or necessary to provide a service to consumers. Finally, the Commission emphasizes that its decision to not define “authorization” or “affirmative express consent” does not mean that a “breach of security” is limited only to cybersecurity events.

78 The Commission considered defining “affirmative express consent” as follows: Affirmative express consent means any freely given, specific, informed, and unambiguous indication of an individual’s wishes demonstrating agreement by the individual, such as by a clear affirmative action, following a clear and conspicuous disclosure to the individual, apart from any “privacy policy,” “terms of service,” “terms of use,” or other similar document, of all information material to the provision of consent. Acceptance of a general or broad terms of use or similar document that contains descriptions of agreement by the individual along with other, unrelated information, does not constitute affirmative express consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute affirmative consent. Likewise, agreement obtained through use of a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, does not constitute affirmative express consent.
79 Lisa McKeen at 1 (recommending that the Rule require “express written acknowledgement and consent of the consumer/person(s) to which this information is personally owned”); Kaiser Permanente at 3 (“[T]he HBN Rule should require all [covered] entities to establish and follow notices of privacy and security practices [and] inform consumers about those notices in a prominent manner[.]”); AMA at 4–5 (identifying problems with consent structure and urging the Commission to presume “unauthorized access” “when an entity fails to disclose to an individual the specific secondary recipients of the individual’s data.”); AMIA at 2 (urging the Commission to presume that unauthorized access has occurred where an entity “fails to adequately disclose to individuals how user data is accessed, processed, used, reused, and disclosed.”).
80 E.g., OAG–CA at 5.
81 See supra note 49.

2. Modifying Definition of Third Party Service Provider

The Commission also considered modifying the definition of “third party service provider.” Under the Rule, a “third party service provider” means an entity that “(1) [p]rovides services to a vendor of personal health records in connection with the offering or maintenance of a personal health record or to a PHR related entity in connection with a product or service offered by that entity; and (2) [a]ccesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information as a result of such services.”82 The 2009 Notice of Proposed Rulemaking notes that third party service providers include, for example, entities that provide billing or data storage services to vendors of personal health records or PHR related entities.83 Although the Commission is not proposing to modify the definition of “third party service provider” at this time, the Commission requests comment on certain issues related to the definition. Given technological changes and the proliferation of new business models that have occurred since the Rule’s issuance, the Commission invites comments on the scope of entities that should be considered third party service providers under the Rule. While the 2009 Notice of Proposed Rulemaking provides examples of third party service providers, the examples are illustrative.

82 16 CFR 318.2(h).
83 74 FR 17917 (Apr. 17, 2009) (“2009 Notice of Proposed Rulemaking”).
For example, under the Rule, should all advertising and analytics providers and platforms be considered third party service providers anytime they access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured PHR identifiable health information when providing services to vendors of personal health records and PHR related entities? Relatedly, the Commission requests comment on what it means to “provide services” under the Rule’s definition.

3. Changing Timing Requirements

The Commission also weighed whether to propose changing the Rule’s timing requirements. Specifically, the Commission considered public comments about whether the timing requirements were appropriate,[84] introduced unnecessary delay,[85] or did not give notifying entities sufficient time to investigate the facts of a breach.[86] One commenter expressed concern that the timing requirements do not provide consumers with important information as soon as would be valuable to them and there is no compelling reason for delaying notice.[87] Other commenters, however, expressed concern that entities experiencing a breach may not have sufficient information to be able to give the Commission a meaningful notification within 10 days.[88] These commenters recommended that the Commission extend the 10-day requirement for the notice to the FTC, consistent with the HIPAA Health Breach Notification Rule, which requires notification to the Secretary of HHS without unreasonable delay and in no case later than 60 calendar days following a breach.[89] Commission staff also consulted staff at HHS about its experience enforcing the HIPAA Health Breach Notification Rule regarding the timing requirements in that rule. Although the Commission has not proposed any timing changes, the Commission requests comments on several issues related to timing. First, the Commission requests comment about the timing of notifications to consumers. In particular, the Commission requests comment regarding whether earlier notification of consumers would better protect them or whether it would lead to partial notifications, because the entity experiencing the breach may not have had time to identify all the relevant facts. Second, the Commission also requests additional comment on the timing of the notification to the FTC: whether it should extend the timeline to give entities more time to investigate breaches and better ascertain the number of affected individuals or whether an extension would simply facilitate dilatory action and minimize the opportunity for an important dialogue with Commission staff during the fact-gathering stage immediately following a breach.

[84] Lisa McKeen at 5; CHIME at 3; WEDI at 2.
[85] Hilal Johnson at 1.
[86] CARIN All. at 2; Allscripts at 2; Kaiser at 10.
[87] Hilal Johnson at 1.
[88] CARIN All. at 2; Allscripts at 2; Kaiser at 10.
[89] 45 CFR 164.408 (referencing timing requirement in 404).

IV. Paperwork Reduction Act

The Commission is submitting this Notice of Proposed Rulemaking and a Supporting Statement to the Office of Management and Budget (“OMB”) for review under the Paperwork Reduction Act (“PRA”) (44 U.S.C. 3501–3521). The breach notification requirements discussed above constitute “collections of information” for purposes of the PRA. See 5 CFR 1320.3(c). OMB has approved the Rule’s existing information collection requirements through July 31, 2025 (OMB Control No. 3084–0150). The proposed amendments to 16 CFR part 318 would likely result in more reportable breaches by covered entities to the FTC. In the event of a breach of security, the proposed Rule would require covered firms to investigate and, if certain conditions are met, notify consumers and the Commission.[90] Accordingly, staff has estimated the burdens associated with these proposed information collection requirements as set forth below.
Based on industry reports, staff estimates that the Commission’s proposed information collection requirements will cover approximately 170,000 entities, which, in the event that they experience a breach, may be required to notify consumers and the Commission. While there are approximately 1.8 million apps in the Apple App Store[91] and 2.7 million apps in the Google Play Store,[92] as of November 2022 it appears that roughly 170,000 of the apps offered in either store are categorized as “Health and Fitness.”[93] This figure for apps is a rough proxy for all covered PHRs, because most websites and connected health devices that would be subject to the Rule act in conjunction with an app. Staff estimates that these entities will, cumulatively, experience 71 breaches per year for which notification may be required.

With the proviso that there is insufficient data at this time about the number and incidence rate of breaches at entities covered by the Commission’s Rule (due to underreporting prior to issuance of the Policy Statement), staff determined the number of estimated breaches by calculating the breach incidence rate for HIPAA-covered entities, and then applied this rate to the estimated total number of entities that will be subject to the proposed Rule.[94] Additionally, as the number of breaches per year grew significantly in the recent years,[95] and staff expects this trend to continue, staff relied on the average number of breaches in 2021 and 2022 to estimate the annual breach incidence rate for HIPAA-covered entities. Specifically, the HHS Office for Civil Rights (“OCR”) reported 715 breaches in 2021 and 717 breaches in 2022,[96] which results in an average of 716 breaches for 2021 and 2022. Based on the 1.7 million entities that are covered by the HIPAA Breach Notification Rule[97] and the average number of breaches for 2021 and 2022, staff determined an annual breach incidence rate of 0.00042 (716/1.7 million). Accordingly, multiplying the breach incidence rate (0.00042) by the estimated number of entities covered by the proposed information collection requirements (170,000) results in an estimated 71 breaches per year.

[90] Third party service providers who experience a breach are required to notify the vendor of personal health records or PHR related entity, and then this firm would be required to notify consumers. The Commission expects that the cost of notification to third party service providers would be small, relative to the entities who have to notify consumers. The Commission invites comment on this issue and data that may be used to quantify the costs to third party service providers.
[91] See App Store—Apple, https://www.apple.com/app-store/ and App Store Data (2023)—Business of Apps, https://www.businessofapps.com/data/app-stores/.
[92] App Store Data (2023)—Business of Apps, https://www.businessofapps.com/data/app-stores/.
[93] See App Store Data (2023), supra note 91, which reports 78,764 apps in the Apple App Store and 91,743 apps in the Google Play Store were categorized as “Health and Fitness” apps as of November 2022. This figure is likely both under- and over-inclusive. For example, this figure does not include apps categorized elsewhere (i.e., outside “Health and Fitness”) that may be PHRs. However, at the same time, this figure also overestimates the number of covered entities, since many developers make more than one app.
[94] Staff used information publicly available from HHS on HIPAA related breaches because the HIPAA Breach Notification Rule is similarly constructed. However, while there are similarities between HIPAA-covered entities and HBNR-covered entities, it is not necessarily the case that rates of breaches would follow the same pattern. For instance, HIPAA-covered entities are generally subject to stronger data security requirements under HIPAA, but also may be more likely targets for security incidents (e.g., ransomware attacks on hospitals and other medical treatment centers covered by HIPAA have increased dramatically in recent years); thus, this number could be an under- or overestimate of the number of potential breaches per year.
[95] According to the HHS Office for Civil Rights (“OCR”), the number of breaches per year grew from 358 in 2017 to 715 breaches in 2021 and 717 breaches in 2022. See Breach Portal, U.S. Dep’t of Health & Human Servs., Office for Civil Rights, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (visited on March 2, 2023). The data was downloaded on March 2, 2023, resulting in limited data for 2023. Thus, breaches from 2023 were not considered. However, breach investigations that remain open (under investigation) are included in the count of yearly breaches.
[96] See Breach Portal, U.S. Dep’t of Health & Human Servs., Office for Civil Rights, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (visited on March 2, 2023).
[97] In a recent Federal Register Notice (“FRN”) on Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, OCR proposes increasing the number of covered entities from 700,000 to 774,331. 86 FR 6446, 6497 (Jan. 21, 2021). The FRN also lists the number of covered Business Associates as 1,000,000 (Table 2).

Costs

To determine the costs for purposes of this analysis, staff has developed estimates for two categories of potential costs: (1) the estimated annual burden hours and labor cost of determining what information has been breached, identifying the affected customers, preparing the breach notice, and making the required report to the Commission; and (2) the estimated capital and other non-labor costs associated with notifying consumers.

Estimated Annual Burden Hours: 10,650.
Estimated Annual Labor Cost: $720,579.

First, to determine what information has been breached, identify the affected customers, prepare the breach notice, and make the required report to the Commission, staff estimates that covered firms will require per breach, on average, 150 hours of employee labor at a cost of $10,149.[98] This estimate does not include the cost of equipment or other tangible assets of the breached firms because they likely will use the equipment and other assets they have for ordinary business purposes. Based on the estimate that there will be 71 breaches per year, the annual hours of burden for affected entities will be 10,650 hours (150 hours × 71 breaches) with an associated labor cost of $720,579 (71 breaches × $10,149).

[98] This estimate is the sum of 40 hours of marketing managerial time (at an average wage of $73.77), 40 hours of computer programmer time ($46.46), 20 hours of legal staff ($71.17), and 50 hours of computer and information systems managerial time ($78.33). See Occupational Employment and Wage Statistics, U.S. Bureau of Labor Statistics (May 2021), https://www.bls.gov/oes/current/oes_nat.htm#00-0000.

Estimated Capital and Other Non-Labor Costs: $49,463,046.

The capital and non-labor costs associated with breach notifications depend upon the number of consumers contacted and whether covered firms are likely to retain the services of a forensic expert. For breaches affecting large numbers of consumers, covered firms are likely to retain the services of a forensic expert. FTC staff estimates that, for each breach requiring the services of forensic experts, forensic experts may spend approximately 40 hours to assist in the response to the cybersecurity intrusion, at an estimated cost of $20,000.[99] FTC staff estimates that the services of forensic experts will be required in 60% of the 71 breaches. Based on the estimate that there will be 43 breaches per year requiring forensic experts (60% × 71 breaches), the annual hours burden for affected entities will be 1,720 hours (43 breaches requiring forensic experts × 40 hours) with an associated cost of $860,000 (43 breaches requiring forensic experts × $20,000). Using the data on HIPAA-covered breach notices available from HHS for the years 2021–2022, FTC staff estimates that the average number of individuals affected per breach is 62,402.[100] Given an estimated 71 breaches per year, FTC staff estimates an average of 4,430,542 consumers per year will receive a breach notification (71 breaches × 62,402 individuals per breach).

Based on a recent study of data breach costs, staff estimates the cost of providing notice to consumers to be $10.97 per breached record.[101] This estimate includes the costs of electronic notice, letters, outbound calls or general notice to data subjects; and engagement of outside experts.[102] Applied to the above-stated estimate of 4,430,542 consumers per year receiving breach notification, this yields an estimated total annual cost for all forms of notice to consumers of $48,603,046 (4,430,542 consumers × $10.97 per record). The estimated capital and non-labor costs total $49,463,046 ($860,000 + $48,603,046).

[99] This estimate is the sum of 40 hours of forensic expert time at a cost of $500 per hour, which yields a total cost of $20,000 (40 hours × $500/hour).
[100] HHS Breach Data, supra note 96 (mean of Individuals Affected during breaches 2017–2022). This analysis uses the last six years of HHS breach data to generate the average, in order to account for the variation in number of individuals affected by breaches observed in the HHS data over time.
[101] See IBM Security, Costs of a Data Breach Report 2022 (2022), https://www.ibm.com/reports/data-breach (“2022 IBM Security Report”). The research for the 2022 IBM Security Report is conducted independently by the Ponemon Institute, and the results are reported and published by IBM Security. Figure 2 of the 2022 IBM Security Report shows that the cost per record of a breach was $164 per record in 2022 and $161 in 2021, resulting in an average cost of $162.50. Figure 5 of the 2022 IBM Security Report shows that 7.1% ($0.31m/$4.35m) of the average cost of a data breach is due to “Notification” costs. The fraction of average breach costs due to “Notification” was 6.4% the previous year (IBM Security, Costs of a Data Breach Report 2021). Using the average of these numbers, staff estimates that notification costs per record across the two years are 6.75% × $162.50 = $10.97 per record.
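The burden estimate above is a chain of rounded intermediate figures. The Python below is a worked example added here, not part of the notice or the Commission's own model: it carries the inputs the NPRM itself cites (OCR breach counts, BLS wages, the IBM/Ponemon notification share) through that chain so each published figure can be checked, and it makes explicit where rounding has to happen for the figures to reproduce. The function and parameter names are mine.

```python
"""Reproduce the FTC's PRA burden estimate for the proposed Health Breach
Notification Rule from the inputs stated in the NPRM.

Added worked example; function and parameter names are the editor's, not the
Commission's. Every numeric input is a figure the NPRM itself cites.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BurdenInputs:
    hipaa_breaches_by_year: dict   # OCR breach counts used to derive the rate
    hipaa_covered_entities: int    # ~1.7 million (covered entities + business associates)
    hbnr_entities: int             # ~170,000 "Health and Fitness" apps as a proxy
    labor_hours: dict              # role -> (hours per breach, BLS hourly wage)
    forensic_share: float          # fraction of breaches needing forensic experts
    forensic_hours: int            # expert hours per such breach
    forensic_rate: int             # expert cost per hour, in dollars
    individuals_per_breach: int    # HHS mean individuals affected per breach
    cost_per_record: dict          # year -> IBM total breach cost per record
    notification_share: dict       # year -> share of breach cost that is notification


# Inputs exactly as stated in the NPRM and its footnotes 95-101.
FTC_INPUTS = BurdenInputs(
    hipaa_breaches_by_year={2021: 715, 2022: 717},
    hipaa_covered_entities=1_700_000,
    hbnr_entities=170_000,
    labor_hours={
        "marketing manager": (40, 73.77),
        "computer programmer": (40, 46.46),
        "legal staff": (20, 71.17),
        "IT manager": (50, 78.33),
    },
    forensic_share=0.60,
    forensic_hours=40,
    forensic_rate=500,
    individuals_per_breach=62_402,
    cost_per_record={2021: 161.0, 2022: 164.0},
    notification_share={2021: 0.064, 2022: 0.071},
)


def mean(values) -> float:
    values = list(values)
    return sum(values) / len(values)


def estimate_burden(p: BurdenInputs) -> dict:
    """Carry the NPRM's estimate through step by step, rounding at the same
    points the Commission does; every intermediate result is returned so it
    can be compared with the published figure."""
    # Incidence rate: average HIPAA breaches / HIPAA-covered entities, rounded
    # to five decimals (0.00042) *before* it is applied to the HBNR population.
    avg_breaches = mean(p.hipaa_breaches_by_year.values())
    rate = round(avg_breaches / p.hipaa_covered_entities, 5)
    breaches = round(rate * p.hbnr_entities)            # 71.4 -> 71

    # Labor per breach: hours summed across roles; dollars rounded to whole $.
    hours_per_breach = sum(h for h, _ in p.labor_hours.values())
    cost_per_breach = round(sum(h * w for h, w in p.labor_hours.values()))

    # Forensic experts for 60% of breaches: 42.6 rounds to 43 breaches.
    forensic_breaches = round(p.forensic_share * breaches)
    forensic_cost = forensic_breaches * p.forensic_hours * p.forensic_rate

    # Notification cost per record: average IBM cost per record times the
    # average notification share, rounded to cents (6.75% x $162.50 = $10.97).
    per_record = round(mean(p.cost_per_record.values())
                       * mean(p.notification_share.values()), 2)
    consumers = breaches * p.individuals_per_breach
    notice_cost = round(consumers * per_record)

    return {
        "incidence_rate": rate,
        "breaches_per_year": breaches,
        "labor_hours": hours_per_breach * breaches,
        "labor_cost": cost_per_breach * breaches,
        "forensic_breaches": forensic_breaches,
        "forensic_hours": forensic_breaches * p.forensic_hours,
        "forensic_cost": forensic_cost,
        "notice_cost_per_record": per_record,
        "consumers_notified": consumers,
        "notice_cost": notice_cost,
        "capital_and_nonlabor_cost": forensic_cost + notice_cost,
    }


if __name__ == "__main__":
    for name, value in estimate_burden(FTC_INPUTS).items():
        print(f"{name:28s} {value:,}")
```

Changing any input in `FTC_INPUTS` (for example the forensic share or the per-record notification cost) shows how sensitive the $49,463,046 total is to that assumption, which is the kind of data the Commission invites in its request for comment on the estimate's accuracy.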
Staff notes that these estimates likely overstate the costs imposed by the proposed Rule because: (1) it assumes that all entities covered by the Rule will be required to take all the steps required above; and (2) staff made conservative assumptions in developing many of the underlying estimates. Moreover, many entities covered by the Rule already have similar notification obligations under state data breach laws.[103] In addition, the Commission has taken several steps designed to limit the potential burden on covered entities that are required to provide notice, including by providing exemplar notices that entities may choose to use if they are required to provide notifications and proposing expanded use of electronic notifications.

The Commission invites comments on: (1) whether the proposed collection of information is necessary for the proper performance of the functions of the FTC, including whether the information will have practical utility; (2) the accuracy of the FTC’s estimate of the burden of the proposed collection of information; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) ways to minimize the burden of collecting information on those who respond. Written comments and recommendations for the proposed information collection should also be sent within 30 days of publication of this document to https://www.reginfo.gov/public/do/PRAMain. Find this particular information collection by selecting “Currently under Review—Open for Public Comments” or by using the search function. The reginfo.gov web link is a United States Government website produced by OMB and the General Services Administration (“GSA”). Under PRA requirements, OMB’s Office of Information and Regulatory Affairs (“OIRA”) reviews Federal information collections.

[102] See 2022 IBM Security Report at 54.
[103] Many state data breach notification statutes require notification when a breach occurs involving certain health or medical information of individuals in that state. See, e.g., Ala. Code 8–38–1 et seq.; Alaska Stat. 45.48.010 et seq.; Ariz. Rev. Stat. 18–551 et seq.; Ark. Code 4–110–101 et seq.; Cal. Civ. Code 1798.80 et seq.; Cal. Health & Safety Code 1280.15; Colo. Rev. Stat. 6–1–716; Del. Code Ann. tit. 6 12B–101 et seq.; DC Code 28–3851 et seq.; Fla. Stat. 501.171; 815 Ill. Comp. Stat. 530/5 et seq.; Md. Code Com. Law 14–3501 et seq.; Mo. Rev. Stat. 407.1500; Nev. Rev. Stat. 603A.010 et seq.; N.H. Rev. Stat. 359–C:19–C:21; N.H. Rev. Stat. 332–I:5; N.D. Cent. Code 51–30–01–07; Or. Rev. Stat. 646A.600–646A.628; R.I. Gen. Laws 11–49.3–1–11–49.3–6; SDCL 22–40–19–22–40–26; Tex. Bus. & Com. Code 521.002, 521.053, 521.151–152; 9 V.S.A. 2430, 2435; Va. Code 18.2–186.6; Va. Code 32.1–127.1:05; Va. Code 58.1–341.2; Wash. Rev. Code 19.255.010 et seq.

V. Regulatory Flexibility Act

The Regulatory Flexibility Act (“RFA”), 5 U.S.C. 601 et seq., requires that the Commission conduct an analysis of the anticipated economic impact of the proposed amendment on small entities. The purpose of a regulatory flexibility analysis is to ensure that an agency considers potential impacts on small entities and examines regulatory alternatives that could achieve the regulatory purpose while minimizing burdens on small entities. The RFA requires that the Commission provide an Initial Regulatory Flexibility Analysis (“IRFA”) with a proposed rule and a Final Regulatory Flexibility Analysis (“FRFA”) with a final rule, if any, unless the Commission certifies that the proposed rule will not have a significant economic impact on a substantial number of small entities. 5 U.S.C. 605. The Commission believes that the proposed amendment would not have a significant economic impact upon small entities, although it may affect a substantial number of small businesses.
Among other things, the proposed amendments clarify certain definitions, revise the disclosures that must accompany notice of a breach under the Rule, and modernize the methods of notice to allow additional use of electronic notice such as email by entities affected by a breach. In addition, the proposed amendments improve the Rule’s readability by clarifying cross-references and adding statutory citations. The Commission does not anticipate these changes will add significant additional costs to entities covered by the Rule, and the revisions to allow additional use of electronic notice may reduce costs for many entities covered by the Rule. Therefore, based on available information, the Commission certifies that amending the Rule as proposed will not have a significant economic impact on a substantial number of small entities.

Although the Commission certifies under the RFA that the proposed amendment would not, if promulgated, have a significant impact on a substantial number of small entities, the Commission has determined, nonetheless, that it is appropriate to publish an IRFA to inquire into the impact of the proposed amendment on small entities. Therefore, the Commission has prepared the following analysis:

1. Description of the Reasons That Action by the Agency Is Being Considered

The Commission conducts a review of each of its rules ten years after issuance. In May 2020, the Commission requested public comment on whether technological and business changes warranted any changes to the Rule. After careful review of the comments received, the Commission concludes that there is a need to update certain Rule provisions. Therefore, it proposes modifications to the Rule as described in sections I and II.

2. Statement of the Objectives of, and Legal Basis for, the Proposed Rule

The objective of the proposed changes is to clarify existing notice obligations for entities covered by the Rule.
The legal basis for the proposed Rule is section 13407 of the Recovery Act.

3. Description and Estimate of the Number of Small Entities to Which the Proposed Rule Will Apply

The proposed amendments, like the current Rule, will apply to vendors of personal health records, PHR related entities, and third party service providers, including developers and purveyors of health apps, connected health devices, and similar technologies. As discussed in the Commission’s PRA estimates above, FTC staff estimates that the proposed Rule will apply to approximately 170,000 entities. The Commission estimates that a substantial number of these entities likely qualify as small businesses. According to the Statistics on Small Businesses Census data, approximately 94% of “Software Publishers” (the category to which health and fitness apps belong) are small businesses.[104] The Commission invites comment and information on this issue.

[104] 2017 SUSB Annual Data Tables by Establishment Industry, U.S. Census Bureau (May 2021), https://www.census.gov/data/tables/2017/econ/susb/2017-susb-annual.html. The U.S. Small Business Administration (“SBA”) categorizes Software Publishers as a small business if the annual receipts are less than $41.5 million.

4. Projected Reporting, Recordkeeping and Other Compliance Requirements

The Recovery Act and the proposed Rule impose certain reporting requirements within the meaning of the PRA. The proposed Rule will clarify which entities are subject to those reporting requirements. The Commission is seeking clearance from OMB for these requirements. Specifically, the Act and proposed Rule require vendors of personal health records and PHR related entities to provide notice to consumers, the Commission, and in some cases the media in the event of a breach of unsecured PHR identifiable health information.
The Act and proposed Rule also require third party service providers to provide notice to vendors of personal health records and PHR related entities in the event of such a breach. If a breach occurs, each entity covered by the Act and proposed Rule will expend costs to determine the extent of the breach and the individuals affected. If the entity is a vendor of personal health records or PHR related entity, additional costs will include the costs of preparing a breach notice, notifying the Commission, compiling a list of consumers to whom a breach notice must be sent, and sending a breach notice. Such entities may incur additional costs in locating consumers who cannot be reached, and in certain cases, posting a breach notice on a website, notifying consumers through media advertisements, or sending breach notices through press releases to media outlets. In-house costs may include technical costs to determine the extent of breaches; investigative costs of conducting interviews and gathering information; administrative costs of compiling address lists; professional/legal costs of drafting the notice; and potentially, costs for postage, web posting, and/or advertising. Costs may also include the purchase of services of a forensic expert. The Commission seeks further comment on the costs and burdens of small entities in complying with the requirements of the proposed Rule.

5. Other Duplicative, Overlapping, or Conflicting Federal Rules

The FTC has not identified any other Federal statutes, rules, or policies currently in effect that would conflict with the proposed Rule. The HIPAA Breach Notification Rule applies to HIPAA-covered entities; the proposed Rule does not. The Commission invites comment and information about any potentially duplicative, overlapping, or conflicting Federal statutes, rules, or policies.

6. Description of Any Significant Alternatives to the Proposed Rule

In drafting the proposed Rule, the Commission has made every effort to avoid unduly burdensome requirements for entities. In particular, the Commission believes that the proposed changes to facilitate electronic notice will assist small entities by significantly reducing the costs of sending breach notices. In addition, the Commission is also proposing exemplar notices that entities covered by the Rule may use, in their discretion, to notify individuals. The Commission anticipates that these exemplar notices will further reduce the potential burden on entities that are required to provide notice under the Rule. The Commission is not aware of alternative methods of compliance that will reduce the impact of the proposed Rule on small entities, while also comporting with the Recovery Act. The statutory requirements are specific as to the timing, method, and content of notice. Accordingly, the Commission seeks comment and information on ways in which the Rule could be modified to reduce any costs or burdens for small entities consistent with the Recovery Act’s mandated requirements.

VI. Instructions for Submitting Comments

You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before August 8, 2023. Write “Health Breach Notification Rule, Project No. P205405” on the comment. Your comment–including your name and your state–will be placed on the public record of this proceeding, including the https://www.regulations.gov website. Because of the agency’s heightened security screening, postal mail addressed to the Commission is subject to delay. We strongly encourage you to submit your comments online through the https://www.regulations.gov website. To make sure the Commission considers your online comment, please follow the instructions on the web-based form.
If you file your comment on paper, write “Health Breach Notification Rule, Project No. P205405” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex H), Washington, DC 20580.

Because your comment will be placed on the publicly accessible website at https://www.regulations.gov, you are solely responsible for making sure that your comment does not include any sensitive or confidential information. In particular, your comment should not include any sensitive personal information, such as your or anyone else’s Social Security number; date of birth; driver’s license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . is privileged or confidential”—as provided by section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names. Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request and must identify the specific portions of the comment to be withheld from the public record.
Your comment will be kept confidential only if the FTC’s General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted publicly at www.regulations.gov, we cannot redact or remove your comment unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the FTC’s General Counsel grants that request.

Visit the FTC website to read this document and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before August 8, 2023. For information on the Commission’s privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

List of Subjects in 16 CFR Part 318

Breach, Consumer protection, Health, Privacy, Reporting and recordkeeping requirements, Trade practices.

For the reasons set out in this document, the Commission proposes to amend part 318 of title 16 of the Code of Federal Regulations as follows:

■ 1. Revise part 318 to read as follows:

PART 318—HEALTH BREACH NOTIFICATION RULE

Sec.
318.1 Purpose and scope.
318.2 Definitions.
318.3 Breach notification requirement.
318.4 Timeliness of notification.
318.5 Methods of notice.
318.6 Content of notice.
318.7 Enforcement.
318.8 Effective date.
318.9 Sunset.

Authority: 42 U.S.C. 17937 and 17953.

§ 318.1 Purpose and scope.

(a) This part, which shall be called the “Health Breach Notification Rule,” implements section 13407 of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. 17937.
It applies to foreign and domestic vendors of personal health records, PHR related entities, and third party service providers, irrespective of any jurisdictional tests in the Federal Trade Commission (FTC) Act, that maintain information of U.S. citizens or residents. It does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.

(b) This part preempts state law as set forth in section 13421 of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. 17951.

§ 318.2 Definitions.

(a) Breach of security means, with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual. Unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information unless the vendor of personal health records, PHR related entity, or third party service provider that experienced the breach has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information. A breach of security includes an unauthorized acquisition of unsecured PHR identifiable health information in a personal health record that occurs as a result of a data breach or an unauthorized disclosure.

(b) Business associate means a business associate under the Health Insurance Portability and Accountability Act, Public Law 104–191, 110 Stat. 1936, as defined in 45 CFR 160.103.

(c) Clear and conspicuous means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.
(1) Reasonably Understandable: You make your notice reasonably understandable if you:
(i) Present the information in the notice in clear, concise sentences, paragraphs, and sections;
(ii) Use short explanatory sentences or bullet lists whenever possible;
(iii) Use definite, concrete, everyday words and active voice whenever possible;
(iv) Avoid multiple negatives;
(v) Avoid legal and highly technical business terminology whenever possible; and
(vi) Avoid explanations that are imprecise and readily subject to different interpretations.
(2) Designed to call attention. You design your notice to call attention to the nature and significance of the information in it if you:
(i) Use a plain-language heading to call attention to the notice;
(ii) Use a typeface and type size that are easy to read;
(iii) Provide wide margins and ample line spacing;
(iv) Use boldface or italics for key words; and
(v) In a form that combines your notice with other information, use distinctive type size, style, and graphic devices, such as shading or sidebars, when you combine your notice with other information. The notice should stand out from any accompanying text or other visual elements so that it is easily noticed, read, and understood.
(3) Notices on websites or within-application messaging.
If you provide a notice on a web page or using withinapplication messaging, you design your notice to call attention to the nature and significance of the information in it if you use text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensure that other elements on the website or software application (such as text, graphics, hyperlinks, or sound) do not distract attention from the notice, and you either: (i) Place the notice on a screen that consumers frequently access, such as a page on which transactions are conducted; or VerDate Sep<11>2014 16:22 Jun 08, 2023 Jkt 259001 (ii) Place a link on a screen that consumers frequently access, such as a page on which transactions are conducted, that connects directly to the notice and is labeled appropriately to convey the importance, nature and relevance of the notice. (d) Electronic mail means (1) email in combination with one or more of the following: (2) text message, withinapplication messaging, or electronic banner. (e) Health care services or supplies includes any online service such as a website, mobile application, or internetconnected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools. (f) Health care provider means a provider of services (as defined in 42 U.S.C. 1395x(u)), a provider of medical or other health services (as defined in 42 U.S.C. 1395x(s)), or any other entity furnishing health care services or supplies. (g) HIPAA-covered entity means a covered entity under the Health Insurance Portability and Accountability Act, Public Law 104– 191, 110 Stat. 1936, as defined in 45 CFR 160.103. 
(h) Personal health record means an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual.

(i) PHR identifiable health information means information:
(1) That is provided by or on behalf of the individual;
(2) That identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual;
(3) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and
(4) Is created or received by a: (i) health care provider; (ii) health plan (as defined in 42 U.S.C. 1320d(5)); (iii) employer; or (iv) health care clearinghouse (as defined in 42 U.S.C. 1320d(2)).

(j) PHR related entity means an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that:
(1) Offers products or services through the website, including any online service, of a vendor of personal health records;
(2) Offers products or services through the websites, including any online service, of HIPAA-covered entities that offer individuals personal health records; or
(3) Accesses unsecured PHR identifiable health information in a personal health record or sends unsecured PHR identifiable health information to a personal health record.

(k) State means any of the several States, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana Islands.

(l) Third party service provider means an entity that:
(1) Provides services to a vendor of personal health records in connection with the offering or maintenance of a personal health record or to a PHR related entity in connection with a product or service offered by that entity; and
(2) Accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information as a result of such services.

(m) Unsecured means PHR identifiable information that is not protected through the use of a technology or methodology specified by the Secretary of Health and Human Services in the guidance issued under section 13402(h)(2) of the American Reinvestment and Recovery Act of 2009, 42 U.S.C. 17932(h)(2).

(n) Vendor of personal health records means an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a personal health record.

§ 318.3 Breach notification requirement.

(a) In general. In accordance with § 318.4 (Timeliness of notification), § 318.5 (Notice to FTC), and § 318.6 (Content of notice), each vendor of personal health records, following the discovery of a breach of security of unsecured PHR identifiable health information that is in a personal health record maintained or offered by such vendor, and each PHR related entity, following the discovery of a breach of security of such information that is obtained through a product or service provided by such entity, shall:
(1) Notify each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such breach of security;
(2) Notify the Federal Trade Commission; and
(3) Notify prominent media outlets serving a State or jurisdiction, following the discovery of a breach of security, if the unsecured PHR identifiable health information of 500 or more residents of such State or jurisdiction is, or is reasonably believed to have been, acquired during such breach.

(b) Third party service providers. A third party service provider shall, following the discovery of a breach of security, provide notice of the breach to an official designated in a written contract by the vendor of personal health records or the PHR related entity to receive such notices or, if such a designation is not made, to a senior official at the vendor of personal health records or PHR related entity to which it provides services, and obtain acknowledgment from such official that such notice was received. Such notification shall include the identification of each customer of the vendor of personal health records or PHR related entity whose unsecured PHR identifiable health information has been, or is reasonably believed to have been, acquired during such breach. For purposes of ensuring implementation of this requirement, vendors of personal health records and PHR related entities shall notify third party service providers of their status as vendors of personal health records or PHR related entities subject to this part. While some third party service providers may access unsecured PHR identifiable health information in the course of providing services, this does not render the third party service provider a PHR related entity.

(c) Breaches treated as discovered. A breach of security shall be treated as discovered as of the first day on which such breach is known or reasonably should have been known to the vendor of personal health records, PHR related entity, or third party service provider, respectively. Such vendor, entity, or third party service provider shall be deemed to have knowledge of a breach if such breach is known, or reasonably should have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of such vendor of personal health records, PHR related entity, or third party service provider.

§ 318.4 Timeliness of notification.

(a) In general. Except as provided in paragraphs (b) (Timing of notice to FTC) and (d) of this section (Law enforcement exception), all notifications required under § 318.3(a)(1) (required notice to individuals), § 318.3(b) (required notice by third party service providers), and § 318.3(a)(3) (required notice to media) shall be sent without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security.

(b) Timing of notice to FTC. All notifications required under § 318.5(c) (Notice to FTC) involving the unsecured PHR identifiable health information of 500 or more individuals shall be provided as soon as possible and in no case later than ten business days following the date of discovery of the breach. All logged notifications required under § 318.5(c) (Notice to FTC) involving the unsecured PHR identifiable health information of fewer than 500 individuals may be sent annually to the Federal Trade Commission no later than 60 calendar days following the end of the calendar year.

(c) Burden of proof. The vendor of personal health records, PHR related entity, and third party service provider involved shall have the burden of demonstrating that all notifications were made as required under this part, including evidence demonstrating the necessity of any delay.

(d) Law enforcement exception. If a law enforcement official determines that a notification, notice, or posting required under this part would impede a criminal investigation or cause damage to national security, such notification, notice, or posting shall be delayed. This paragraph shall be implemented in the same manner as provided under 45 CFR 164.528(a)(2), in the case of a disclosure covered under such section.

§ 318.5 Methods of notice.

(a) Individual notice. A vendor of personal health records or PHR related entity that discovers a breach of security shall provide notice of such breach to an individual promptly, as described in § 318.4 (Timeliness of notification), and in the following form:
(1) Written notice at the last known address of the individual. Written notice may be sent by electronic mail if the individual has specified electronic mail as the primary method of communication. Any written notice sent by electronic mail must be Clear and Conspicuous. Where notice via electronic mail is not available or the individual has not specified electronic mail as the primary method of communication, a vendor of personal health records or PHR related entity may provide notice by first-class mail at the last known address of the individual. If the individual is deceased, the vendor of personal health records or PHR related entity that discovered the breach must provide such notice to the next of kin of the individual if the individual had provided contact information for his or her next of kin, along with authorization to contact them. The notice may be provided in one or more mailings as information is available.
Exemplar notices that vendors of personal health records or PHR related entities may use to notify individuals pursuant to this paragraph are attached as Appendix A.
(2) If, after making reasonable efforts to contact all individuals to whom notice is required under § 318.3(a), through the means provided in paragraph (a)(1) of this section, the vendor of personal health records or PHR related entity finds that contact information for ten or more individuals is insufficient or out-of-date, the vendor of personal health records or PHR related entity shall provide substitute notice, which shall be reasonably calculated to reach the individuals affected by the breach, in the following form:
(i) Through a conspicuous posting for a period of 90 days on the home page of its website; or
(ii) In major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside. Such a notice in media or web posting shall include a toll-free phone number, which shall remain active for at least 90 days, where an individual can learn whether the individual’s unsecured PHR identifiable health information may be included in the breach.
(3) In any case deemed by the vendor of personal health records or PHR related entity to require urgency because of possible imminent misuse of unsecured PHR identifiable health information, that entity may provide information to individuals by telephone or other means, as appropriate, in addition to notice provided under paragraph (a)(1) of this section.

(b) Notice to media. As described in § 318.3(a)(3), a vendor of personal health records or PHR related entity shall provide notice to prominent media outlets serving a State or jurisdiction, following the discovery of a breach of security, if the unsecured PHR identifiable health information of 500 or more residents of such State or jurisdiction is, or is reasonably believed to have been, acquired during such breach.

(c) Notice to FTC. Vendors of personal health records and PHR related entities shall provide notice to the Federal Trade Commission following the discovery of a breach of security, as described in § 318.4(b) (Timing of notice to FTC). If the breach involves the unsecured PHR identifiable health information of fewer than 500 individuals, the vendor of personal health records or PHR related entity may maintain a log of any such breach and submit such a log annually to the Federal Trade Commission as described in § 318.4(b) (Timing of notice to FTC), documenting breaches from the preceding calendar year. All notices pursuant to this paragraph shall be provided according to instructions at the Federal Trade Commission’s website.

§ 318.6 Content of notice.

Regardless of the method by which notice is provided to individuals under § 318.5 (Methods of notice) of this part, notice of a breach of security shall be in plain language and include, to the extent possible, the following:
(a) A brief description of what happened, including: the date of the breach and the date of the discovery of the breach, if known; the potential harm that may result from the breach, such as medical or other identity theft; and the full name, website, and contact information (such as a public email address or phone number) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security, if this information is known to the vendor of personal health records or PHR related entity;
(b) A description of the types of unsecured PHR identifiable health information that were involved in the breach (such as but not limited to full name, Social Security number, date of birth, home address, account number, health diagnosis or condition, lab results, medications, other treatment information, the individual’s use of a health-related mobile application, or device identifier (in combination with another data element));
(c) Steps individuals should take to protect themselves from potential harm resulting from the breach;
(d) A brief description of what the entity that experienced the breach is doing to investigate the breach, to mitigate harm, to protect against any further breaches, and to protect affected individuals, such as offering credit monitoring or other services; and
(e) Contact procedures for individuals to ask questions or learn additional information, which must include two or more of the following: toll-free telephone number; email address; website; within-application; or postal address.

§ 318.7 Enforcement.

Any violation of this part shall be treated as a violation of a rule promulgated under section 18 of the Federal Trade Commission Act, 15 U.S.C. 57a, regarding unfair or deceptive acts or practices, and thus subject to civil penalties (as adjusted for inflation pursuant to § 1.98 of this chapter), and the Commission will enforce this Rule in the same manner, by the same means, and with the same jurisdiction, powers, and duties as are available to it pursuant to the Federal Trade Commission Act, 15 U.S.C. 41 et seq.

§ 318.8 Effective date.

This part shall apply to breaches of security that are discovered on or after September 24, 2009.

§ 318.9 Sunset.

If new legislation is enacted establishing requirements for notification in the case of a breach of security that apply to entities covered by this part, the provisions of this part shall not apply to breaches of security discovered on or after the effective date of regulations implementing such legislation.

By direction of the Commission.

April J. Tabor,
Secretary.

Appendix A: Health Breach Notification Rule Exemplar Notices

The notices below are intended to be examples of notifications that entities may use, in their discretion, to notify individuals of a breach of security pursuant to the Health Breach Notification Rule. The examples below are for illustrative purposes only. You should tailor any notices to the particular facts and circumstances of your breach. While your notice must comply with the Health Breach Notification Rule, you are not required to use the notices below.

Mobile Text Message and In-App Message Exemplars

Text Message Notification Exemplar 1
Due to a security breach on our system, the health information you shared with us through [name of product] is now in the hands of unknown attackers. Visit [add non-clickable URL] to learn what happened, how it affects you, and what you can do to protect your information. We also sent you an email with additional information.

Text Message Notification Exemplar 2
You shared health information with us when you used [product name]. We discovered that we shared your health information with third parties for [describe why the company shared the info] without your permission. Visit [add non-clickable URL] to learn what happened, how it affects you, and what you can do to protect your information. We also sent you an email with more information.

In-App Message Notification Exemplar 1
Due to a security breach on our system, the health information you shared with us through [name of product] is now in the hands of unknown attackers. This could include your [Add specifics—for example, your name, email, address, blood pressure data]. Visit [URL] to learn what happened, how it affects you, and what you can do to protect your information. We also sent you an email with additional information.

In-App Message Notification Exemplar 2
You shared health information with us when you used [product name]. We discovered that we shared your health information with third parties for [if known, describe why the company shared the info] without your permission. This could include your [Add specifics—for example, your name, email, address, blood pressure data]. Visit [URL] to learn what happened, how it affects you, and what you can do to protect your information. We also sent you an email with additional information.

Web Banner Exemplars

Web Banner Notification Exemplar 1
Due to a security breach on our system, the health information you shared with us through [name of product] is now in the hands of unknown attackers. This could include your [Add specifics—for example, your name, email, address, blood pressure data]. Visit [URL] to learn what happened, how it affects you, and what you can do to protect your information.
• Recommend: Include clear “Take action” call to action button, such as the example below:
[Image: example web banner with a “Take action” button]

Web Banner Notification Exemplar 2
You shared health information with us when you used [product name]. We discovered that we shared your health information with third parties for [if known, describe why the company shared the info] without your permission. This could include your [Add specifics—for example, your name, email, address, blood pressure data]. Visit [URL] to learn what happened, how it affects you, and what you can do to protect your information.
• Recommend: Include clear “Take action” call to action button, such as the example below:
[Image: example web banner with a “Take action” button]

Email Exemplars

Exemplar Email Notice 1
Email Sender: [Company] <company email>
Email Subject Line: [Company] Breach of Your Health Information

Dear [Name],
We are contacting you because an attacker recently gained unauthorized access to our system and stole health information about our customers, including you.
What happened and what it means for you
On [March 1, 2022], we learned that an attacker had accessed a file containing our customers’ health information on [February 28, 2022]. The file included your name, the name of your health insurance company, your date of birth, and your group or policy number. A hacker could use your information now or at a later time to commit identity theft or could sell your information to other criminals. For example, a criminal could get medical care in your name or change your medical records or run up bills in your name.

What you can do to protect yourself
You can take steps now to reduce the risk of identity theft.
1. Review your medical records, statements, and bills for signs that someone is using your information. Under the health privacy law known as HIPAA, you have the right to access your medical records. Get your records and review them for any treatments or doctor visits you don’t recognize. If you find any, report them to your healthcare provider in writing. Then go to www.IdentityTheft.gov/steps to see what other steps you can take to limit the damage. Also review the Explanation of Benefits statement your insurer sends you when it pays for medical care. Some criminals wait before using stolen information so keep monitoring your benefits and bills.
2. Review your credit reports for errors. You can get your free credit reports from the three credit bureaus at www.annualcreditreport.com or call 1–877–322–8228. Look for medical billing errors, like medical debt collection notices that you don’t recognize. Report any medical billing errors to all three credit bureaus by following the “What To Do Next” steps on www.IdentityTheft.gov.
3. Sign up for free credit monitoring to detect suspicious activity. Credit monitoring detects and alerts you about activity on your credit reports. Activity you don’t recognize could be a sign that someone stole your identity. We’re offering free credit monitoring for two years through [name of service]. Learn more and sign up at [URL].
4. Consider freezing your credit report or placing a fraud alert on your credit report. A credit report freeze means potential creditors can’t get your credit report without your permission. That makes it less likely that an identity thief can open new accounts in your name. A freeze remains in place until you ask the credit bureau to temporarily lift it or remove it. A fraud alert will make it harder for someone to open a new credit account in your name. It tells creditors to contact you before they open any new accounts in your name or change your accounts. A fraud alert lasts for one year. After a year, you can renew it. To freeze your credit report, contact each of the three credit bureaus, Equifax, Experian, and TransUnion. To place a fraud alert, contact any one of the three credit bureaus, Equifax, Experian, and TransUnion. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your credit report.

Credit bureau contact information
Equifax, www.equifax.com/personal/credit-report-services, 1–800–685–1111
Experian, www.experian.com/help, 1–888–397–3742
TransUnion, www.transunion.com/credit-help, 1–888–909–8872

Learn more about how credit report freezes and fraud alerts can protect you from identity theft or prevent further misuse of your personal information at www.consumer.ftc.gov/articles/what-know-about-credit-freezes-and-fraud-alerts.

What we are doing in response
We hired security experts to secure our system. We are working with law enforcement to find the attacker. And we are investigating whether we made mistakes that made it possible for the attackers to get in.

Learn more about the breach
Go to [URL] to learn more about what happened and what you can do to protect yourself. If we have any updates, we will post them there. If you have questions or concerns, call us at [telephone number], email us at [address], or go to [URL].

Sincerely,
First name Last Name
[Role], [Company]

Exemplar Email Notice 2
Email Sender: [Company] <company email>
Email Subject Line: Unauthorized disclosure of your health information by [Company]

Dear [Name],
We are contacting you because you use our company’s app [name of app]. When you downloaded our app, we promised to keep your personal health information private. Instead, we disclosed health information about you to another company without your approval.

What happened?
We told Company XYZ (insert website address of Company XYZ) that you use our app, and between [January 10, 2021] and [March 1, 2022], we gave them your name and your email address. We gave Company XYZ this information so they could use it for advertising and marketing purposes. For example, to target you for ads for cancer drugs. You may contact Company XYZ at [insert contact info, such as email or phone] for more information.

What we are doing in response
We will stop selling or sharing your health information with other companies. We will stop using your health information for advertising or marketing purposes. We have asked Company XYZ to delete your health information, but it’s possible they could continue to use it for advertising and marketing.

What you can do
We made important changes to our app to fix this problem. Download the latest updates to our app then review your privacy settings. You can also contact Company XYZ to request that it delete your data.

Learn more
Learn more about our privacy and security practices at [URL]. If we have any updates, we will post them there. If you have any questions or concerns, call us at [telephone number] or email us at [address].
Sincerely,
First name Last Name
[Role], [Company]

Exemplar Email Notice 3
Email Sender: [Company] <company email>
Email Subject Line: [Company] Breach of Your Health Information

Dear [Name],
We are contacting you about a breach of your health information collected through the [product], a device sold by our company, [Company].

What happened?
On [March 1, 2022], we discovered that our employee had accidentally posted a database online on [February 28, 2022]. That database included your name, your credit or debit card information, and your blood pressure readings. We don’t know if anyone else found the database and saw your information. If someone found the database, they could use personal information to steal your identity or make unauthorized charges in your name.

What you can do to protect yourself
You can take steps now to reduce the risk of identity theft.
1. Get your free credit report and review it for signs of identity theft. Order your free credit report at www.annualcreditreport.com. Review it for accounts and activity you don’t recognize. Recheck your credit reports periodically.
2. Consider freezing your credit report or placing a fraud alert on your credit report. A credit report freeze means potential creditors can’t get your credit report without your permission. That makes it less likely that an identity thief can open new accounts in your name. A freeze remains in place until you ask the credit bureau to temporarily lift it or remove it. A fraud alert will make it harder for someone to open a new credit account in your name. It tells creditors to contact you before they open any new accounts in your name or change your accounts. A fraud alert lasts for one year. After a year, you can renew it. To freeze your credit report, contact each of the three credit bureaus, Equifax, Experian, and TransUnion. To place a fraud alert, contact any one of the three credit bureaus, Equifax, Experian, and TransUnion. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your credit report.

Credit bureau contact information
Equifax, www.equifax.com/personal/credit-report-services, 1–800–685–1111
Experian, www.experian.com/help, 1–888–397–3742
TransUnion, www.transunion.com/credit-help, 1–888–909–8872

Learn more about how credit report freezes and fraud alerts can protect you from identity theft or prevent further misuse of your personal information at www.consumer.ftc.gov/articles/what-know-about-credit-freezes-and-fraud-alerts.
3. Sign up for free credit monitoring to detect suspicious activity. Credit monitoring detects and alerts you about activity on your credit reports. Activity you don’t recognize could be a sign that someone stole your identity. We’re offering free credit monitoring for two years through [name of service]. Learn more and sign up at [URL].

What we are doing in response
We are investigating our mistakes. We know the database shouldn’t have been online and it should have been encrypted. We are making changes to prevent this from happening again. We are working with experts to secure our system. We are reviewing our databases to make sure we store health information securely.

Learn more about the breach
Go to [URL] to learn more about what happened and what you can do to protect yourself. If we have any updates, we will post them there. If you have questions or concerns, call us at [telephone number], email us at [address], or go to [URL].

Sincerely,
First name Last Name
[Role], [Company]

[FR Doc.
2023–12148 Filed 6–8–23; 8:45 am]
BILLING CODE 6750–01–P

DEPARTMENT OF VETERANS AFFAIRS

38 CFR Part 1

RIN 2900–AR95

Exemption of “Diversity and Equal Employment Opportunity (EEO) Program Records” (203VA08)

AGENCY: Department of Veterans Affairs.

ACTION: Proposed rule.

SUMMARY: On May 20, 2022, in the publication of the Federal Register, the Department of Veterans Affairs (VA) published a notice of a new system of records titled, “Diversity and Equal Employment Opportunity (EEO) Program Records” (203VA08). In this notice of proposed rulemaking, VA proposes to exempt this system of records from certain provisions of the Privacy Act in order to prevent interference with harassment and sexual harassment administrative investigations. For the reasons provided below, the Department proposes to amend its Privacy Act regulations by establishing an exemption for records in this system from the specified provisions of the Privacy Act.

DATES: Comments must be received on or before August 8, 2023.

ADDRESSES: Comments must be submitted through www.regulations.gov. Except as provided below, comments received before the close of the comment period will be available at www.regulations.gov for public viewing, inspection, or copying, including any personally identifiable or confidential business information that is included in a comment. We post the comments received before the close of the comment period on the following website as soon as possible after they have been received: https://www.regulations.gov. VA will not post on Regulations.gov public comments that make threats to individuals or institutions or suggest that the commenter will take actions to harm the individual. VA encourages individuals not to submit duplicative comments. We will post acceptable comments from multiple unique commenters even if the content is identical or nearly identical to other comments. Any public comment received after the comment period’s closing date is considered late and will not be considered in the final rulemaking.

FOR FURTHER INFORMATION CONTACT: Vernet W. Fraser, Privacy Officer, Office of Resolution Management, Diversity and Inclusion (ORMDI), Department of Veterans Affairs, 810 Vermont Avenue NW, Washington, DC 20420, (202) 461–0289 (this is not a toll-free number).

SUPPLEMENTARY INFORMATION: Records in this system associated with the Harassment Prevention Program (HPP) are maintained on paper and electronically at VA facilities by supervisors as well as submitted to ORMDI for compliance and oversight purposes. Supervisors are required to submit HPP records via the HPP Complaint Tracking System, Equal Employment Opportunity EcoSystem (EEOE), designated as E-Squared (E2), which is a comprehensive and secure repository for electronic records management to facilitate identification, retrieval, maintenance, routine destruction, report generation, policy compliance, and document routing to create a culture of transparency and accountability.

I. Proposed Exemptions and Affected Records

The “Diversity and Equal Employment Opportunity (EEO) Program Records” (203VA08) system captures and houses information concerning any investigation, or response VA takes in response to allegations filed by VA employees and VA contractors of workplace harassment or sexual harassment by another VA employee, VA contractor, or non-department individual such as a Veteran or visitor to a VA facility. Due to the investigatory nature of information that will be maintained in this system of records, this proposed rule would exempt HPP records in this system of records from subsections (c)(3), (d), (e)(1), (e)(4)(G), (H), and (I), and (f) of the Privacy Act pursuant to 5 U.S.C. 552a(k)(2).


[Federal Register Volume 88, Number 111 (Friday, June 9, 2023)]
[Proposed Rules]
[Pages 37819-37839]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-12148]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 318


Health Breach Notification Rule

AGENCY: Federal Trade Commission.

ACTION: Notice of proposed rulemaking; request for public comment.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') 
proposes to amend the Commission's Health Breach Notification Rule (the 
``HBN Rule'' or the ``Rule'') and requests public comment on the 
proposed changes. The HBN Rule requires vendors of personal health 
records (``PHRs'') and related entities that are not covered by the 
Health Insurance Portability and Accountability Act (``HIPAA'') to 
notify individuals, the FTC, and, in some cases, the media of a breach 
of unsecured personally identifiable health data.

DATES: Written comments must be received on or before August 8, 2023.

ADDRESSES: Interested parties may file a comment online or on paper by 
following the Request for Comment part of the SUPPLEMENTARY INFORMATION 
section below. Write ``Health Breach Notification Rule, Project No. 
P205405'' on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based 
form. If you prefer to file your comment on paper, mail your comment to 
the following address: Federal Trade Commission, Office of the 
Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex H), 
Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT: Ryan Mehm (202) 326-2918, Elisa 
Jillson, (202) 326-3001, Ronnie Solomon, (202) 326-2098, Division of 
Privacy and Identity Protection, Bureau of Consumer Protection, Federal 
Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION: The amendments would: (1) clarify the Rule's 
scope, including its coverage of developers of many health applications 
(``apps''); (2) amend the definition of breach of security to clarify 
that a breach of security includes data security breaches and 
unauthorized disclosures; (3) revise the definition of PHR related 
entity; (4) clarify what it means for a vendor of personal health 
records to draw PHR identifiable health information from multiple 
sources; (5) modernize the method of notice; (6) expand the content of 
the notice; and (7) improve the Rule's readability by clarifying cross-
references and adding statutory citations, consolidating notice and 
timing requirements, and articulating the penalties for non-compliance.

I. Background

    Congress enacted the American Recovery and Reinvestment Act of 2009 
(``Recovery Act'' or ``the Act''),\1\ in part, to advance the use of 
health information technology and, at the same time, strengthen privacy 
and security protections for health information. Recognizing that 
certain entities that hold or interact with consumers' personal health 
records were not subject to the privacy and security requirements of 
HIPAA,\2\ Congress created requirements for such entities to notify 
individuals, the Commission, and, in some cases, the media of the 
breach of

[[Page 37820]]

unsecured identifiable health information from those records.
---------------------------------------------------------------------------

    \1\ American Recovery and Reinvestment Act of 2009, Public Law 
111-5, 123 Stat. 115 (2009).
    \2\ Health Insurance Portability and Accountability Act, Public 
Law 104-191, 110 Stat. 1936 (1996).
---------------------------------------------------------------------------

    Specifically, section 13407 of the Recovery Act created certain 
protections for ``personal health records'' or ``PHRs,'' \3\ electronic 
records of PHR identifiable health information on an individual that 
can be drawn from multiple sources and that are managed, shared, and 
controlled by or primarily for the individual.\4\ Congress recognized 
that vendors of personal health records and PHR related entities (i.e., 
companies that offer products and services through PHR websites or 
access information in or send information to personal health records) 
were collecting consumers' health information but were not subject to 
the privacy and security requirements of HIPAA. Accordingly, the 
Recovery Act directed the FTC to issue a rule requiring these non-HIPAA 
covered entities, and their third party service providers, to provide 
notification of any breach of unsecured PHR identifiable health 
information. The Commission issued its Rule implementing these 
provisions in 2009.\5\ FTC enforcement of the Rule began on February 
22, 2010.
---------------------------------------------------------------------------

    \3\ 42 U.S.C. 17937.
    \4\ 42 U.S.C. 17921(11).
    \5\ 74 FR 42962 (Aug. 25, 2009) (``2009 Final Rule'').
---------------------------------------------------------------------------

    The Rule requires vendors of personal health records and PHR 
related entities to provide: (1) notice to consumers whose unsecured 
PHR identifiable health information has been breached; (2) notice to 
the Commission; and (3) notice to prominent media outlets \6\ serving a 
State or jurisdiction, in cases where 500 or more residents are 
confirmed or reasonably believed to have been affected by a breach.\7\ 
The Rule also requires third party service providers (i.e., those 
companies that provide services such as billing, data storage, 
attribution, or analytics) to vendors of personal health records and 
PHR related entities to provide notification to such vendors and 
entities following the discovery of a breach.\8\
---------------------------------------------------------------------------

    \6\ The Recovery Act does not limit this notice to particular 
types of media. Thus, an entity can satisfy the requirement to 
notify ``prominent media outlets'' by, for example, disseminating 
press releases to a number of media outlets, including internet 
media in appropriate circumstances, where most of the residents of 
the relevant state or jurisdiction get their news. This will be a 
fact-specific inquiry that will depend upon what media outlets are 
``prominent'' in the relevant jurisdiction. 74 FR 42974.
    \7\ 16 CFR 318.3, 318.5.
    \8\ Id. 318.3.
---------------------------------------------------------------------------

    The Rule requires notice to individuals ``without unreasonable 
delay and in no case later than 60 calendar days'' after discovery of a 
data breach.\9\ If the breach affects 500 or more individuals, notice 
to the FTC must be provided ``as soon as possible and in no case later 
than ten business days'' after discovery of the breach.\10\ The FTC 
makes available a standard form for companies to use to notify the 
Commission of a breach,\11\ and posts a list of breaches involving 500 
or more individuals on its website.\12\
---------------------------------------------------------------------------

    \9\ Id. 318.4.
    \10\ Id. 318.5(c).
    \11\ Fed. Trade Comm'n, Notice of Breach of Health Information, 
https://www.ftc.gov/system/files/documents/rules/health-breach-notification-rule/health_breach_form.pdf.
    \12\ Fed. Trade Comm'n, Notices Received by the FTC Pursuant to 
the Health Breach Notification Rule, Breach Notices Received by the 
FTC, https://www.ftc.gov/system/files/ftc_gov/pdf/Health%20Breach%20Notices%20Received%20by%20the%20FTC.pdf (last 
visited Dec. 2, 2022).
---------------------------------------------------------------------------

    The Rule applies only to breaches of ``unsecured'' health 
information, which the Rule defines as health information that is not 
secured through technologies or methodologies specified by the 
Department of Health and Human Services (``HHS'') and it does not apply 
to businesses or organizations covered by HIPAA.\13\ HIPAA-covered 
entities and their ``business associates'' must instead comply with 
HHS's breach notification rule.\14\
---------------------------------------------------------------------------

    \13\ Per HHS guidance, electronic health information is 
``secured'' if it has been encrypted according to certain 
specifications set forth by HHS, or if the media on which electronic 
health information has been stored or recorded is destroyed 
according to HHS specifications. See 74 FR 19006; see also U.S. 
Dep't of Health & Human Servs., Guidance to Render Unsecured 
Protected Health Information Unusable, Unreadable, or Indecipherable 
to Unauthorized Individuals (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/. PHR 
identifiable health information would be considered ``secured'' if 
such information is disclosed by, for example, a vendor of personal 
health records, to a PHR related entity or a third party service 
provider, in an encrypted format meeting HHS specifications, and the 
PHR related entity or third party service provider stores the data 
in an encrypted format that meets HHS specifications and also stores 
the encryption and/or decryption tools on a device or at a location 
separate from the data.
    \14\ 45 CFR 164.400-414.
---------------------------------------------------------------------------
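As an added example, not part of the FTC's Notice, the notice triggers and timing described above (individual notice within 60 calendar days, FTC notice within ten business days for 500 or more individuals, media notice where 500 or more residents of a State are affected) and the HHS "secured" test summarised in note 13 are expressed as a small Python checker an incident responder could run against breach facts. The per-State counts and dates are constructed, and the business-day calculation skips weekends only (federal holidays are ignored), both assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Added example (not the Commission's own code): encodes the HBN Rule notice
# triggers and deadlines as this Notice describes them (16 CFR 318.3-318.5).
# Assumptions: business days skip weekends only (federal holidays ignored);
# FTC timing is modelled only for the 500-or-more case the Notice describes.


@dataclass
class BreachFacts:
    discovered: date                    # date the breach was discovered
    residents_by_state: Dict[str, int]  # affected residents per State (constructed)
    encrypted_per_hhs: bool             # encrypted to HHS specifications (note 13)
    key_stored_separately: bool         # decryption tools kept apart from the data
    hipaa_covered: bool = False         # HIPAA-covered entities follow the HHS rule


@dataclass
class Obligations:
    rule_applies: bool
    reason: str = ""
    individual_notice_by: Optional[date] = None  # 60 calendar days after discovery
    ftc_notice_by: Optional[date] = None         # 10 business days, 500+ individuals
    media_notice_states: List[str] = field(default_factory=list)  # 500+ residents


def add_business_days(start: date, n: int) -> date:
    """Date n business days after start (weekends skipped; holidays ignored)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday..Friday
            n -= 1
    return d


def is_secured(f: BreachFacts) -> bool:
    """HHS guidance (note 13): encrypted per HHS specs AND keys stored separately."""
    return f.encrypted_per_hhs and f.key_stored_separately


def assess(f: BreachFacts) -> Obligations:
    """Work out which HBN Rule notices are triggered and by when."""
    if f.hipaa_covered:
        return Obligations(False, "HIPAA-covered; HHS breach rule (45 CFR 164.400-414) applies")
    if is_secured(f):
        return Obligations(False, "information was secured per HHS guidance; Rule covers unsecured data only")
    ob = Obligations(True, "unsecured PHR identifiable health information breached")
    ob.individual_notice_by = f.discovered + timedelta(days=60)
    total = sum(f.residents_by_state.values())
    if total >= 500:
        ob.ftc_notice_by = add_business_days(f.discovered, 10)
    ob.media_notice_states = sorted(s for s, n in f.residents_by_state.items() if n >= 500)
    return ob


def assess_iso(discovered_iso: str, residents_by_state: Dict[str, int],
               encrypted_per_hhs: bool, key_stored_separately: bool,
               hipaa_covered: bool = False) -> dict:
    """Convenience wrapper: ISO date in, plain strings/lists out (for reports)."""
    ob = assess(BreachFacts(date.fromisoformat(discovered_iso), residents_by_state,
                            encrypted_per_hhs, key_stored_separately, hipaa_covered))
    return {
        "rule_applies": ob.rule_applies,
        "individual_notice_by": ob.individual_notice_by.isoformat() if ob.individual_notice_by else None,
        "ftc_notice_by": ob.ftc_notice_by.isoformat() if ob.ftc_notice_by else None,
        "media_notice_states": ob.media_notice_states,
        "reason": ob.reason,
    }


if __name__ == "__main__":
    # Constructed facts: discovered Friday 2023-06-09, 820 people across two States.
    print(assess_iso("2023-06-09", {"CA": 700, "NY": 120}, False, False))
```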

    Since the Rule's issuance, apps and other direct-to-consumer health 
technologies, such as fitness trackers and wearable blood pressure 
monitors, have become commonplace.\15\ Further, as an outgrowth of the 
COVID-19 pandemic, consumer use of such health-related technologies has 
increased significantly.\16\
---------------------------------------------------------------------------

    \15\ See, e.g., Tehseen Kiani, App Development in Healthcare: 12 
Exciting Facts, TechnoChops (Jan. 27, 2022), https://www.technochops.com/programming/4329/app-development-in-healthcare/; 
Elad Natanson, Healthcare Apps: A Boon, Today and Tomorrow, Forbes 
(July 21, 2020), https://www.forbes.com/sites/eladnatanson/2020/07/21/healthcare-apps-a-boon-today-and-tomorrow/?sh=21df01ac1bb9; Emily 
Olsen, Digital health apps balloon to more than 350,000 available on 
the market, according to IQVIA report, MobiHealthNews (Aug. 4, 
2021), https://www.mobihealthnews.com/news/digital-health-apps-balloon-more-350000-available-market-according-iqvia-report.
    \16\ See id.; see also Lis Evenstad, Covid-19 has led to a 25% 
increase in health app downloads, research shows, ComputerWeekly.com 
(Jan. 12, 2021), https://www.computerweekly.com/news/252494669/Covid-19-has-led-to-a-25-increase-in-health-app-downloads-research-shows (finding that COVID-19 has led to a 25% increase in health app 
downloads); Jasmine Pennic, U.S. Telemedicine App Downloads Spikes 
During COVID-19 Pandemic, HIT Consultant (Sept. 8, 2020), https://hitconsultant.net/2020/09/08/u-s-telemedicine-app-downloads-spikes-during-covid-19-pandemic/ (``US telemedicine app downloads see 
dramatic increases during the COVID-19 pandemic, with some seeing an 
8,270% rise YoY.'').
---------------------------------------------------------------------------

    In May 2020, the Commission announced its regular, ten-year review 
of the Rule and requested public comments about potential Rule 
changes.\17\ The Commission requested comment on, among other things, 
whether changes should be made to the Rule in light of technological 
changes, such as the proliferation of apps and similar technologies. 
The Commission received 26 public comments.
---------------------------------------------------------------------------

    \17\ 85 FR 31085 (May 22, 2020).
---------------------------------------------------------------------------

    Many of the commenters encouraged the Commission to clarify that 
the Rule applies to apps and similar technologies.\18\ In fact, no 
commenter opposed this type of clarification regarding the Rule's 
coverage of health apps. Several commenters pointed out examples of 
health apps that have abused users' privacy, such as by disclosing 
sensitive health information without consent.\19\ Several commenters 
noted the urgency of this issue, as consumers have further embraced 
digital health technologies during the COVID-19 pandemic.\20\ 
Commenters argued that the Commission should take additional steps to 
protect unsecured PHR identifiable health information that is not 
covered by HIPAA, both to prevent harm to consumers \21\ and to

[[Page 37821]]

level the competitive playing field among companies dealing with the 
same health information.\22\ To that end, commenters not only urged the 
Commission to revise the Rule, but also to increase its enforcement 
efforts.\23\
---------------------------------------------------------------------------

    \18\ E.g., Amer. Health Info. Mgmt. Ass'n (``AHIMA'') at 2; 
Kaiser Permanente at 3; Allscripts at 3; Amer. Acad. of 
Ophthalmology at 2; All. for Nursing Informatics at 2; Amer. Med. 
Ass'n (``AMA'') at 4; Amer. College of Surgeons at 6; Physicians' 
Elec. Health Record Coal. (``PEHRC'') at 4 (``Apps that collect 
health information, regardless of whether or not they connect to an 
EHR, must be regulated by the FTC Health Breach Notification Rule to 
ensure the safety and security of personal health information.''); 
America's Health Ins. Plans (``AHIP'') and Blue Cross Blue Shield 
Ass'n (``BCBS'') at 2; The App Ass'n's Connected Health Initiative 
(``CHI'') at 3.
    \19\ Kaiser Permanente at 7; The Light Collective at 2; Amer. 
Acad. of Ophthalmology at 2; Healthcare Info. and Mgmt. Sys. Soc'y 
(``HIMSS'') and the Personal Connected Health All. (``PCH 
Alliance'') at 3; PEHRC at 2-3.
    \20\ Lisa McKeen at 2-3; Kaiser Permanente at 7-8; AMA at 3; 
Off. of the Att'y Gen. for the State of Cal. (``OAG-CA'') at 4.
    \21\ Georgia Morgan; Amer. Acad. of Ophthalmology at 2-3 
(arguing that the breach of health information held by a non-HIPAA-
covered app, for example, harms the patient-provider relationship, 
because the patient erroneously believes that the provider is the 
source of the breach); CHIME at 3 (arguing that apps' privacy 
practices impact the patient-provider relationship because providers 
do not know what technologies are sufficiently trustworthy for their 
patients); AMA at 2-3 (expressing concern that patients share less 
health data with health care providers, perhaps because of 
``spillover from privacy and security breaches'').
    \22\ Kaiser Permanente at 2, 4; Workgroup for Electronic Data 
Interchange (``WEDI'') at 2; AHIP & BCBS at 3 (``[HIPAA] covered 
entities, such as health plans, that use or disclose protected 
health information should not be subject to stricter notification 
requirements than those imposed on vendors of personal health 
records or other such entities. Otherwise, the Federal government 
will be providing market advantages to particular industry segments 
with the effect of dampening competition and harming consumers.'').
    \23\ Kaiser Permanente at 3, 4; Fred Trotter at 1; Casey Quinlan 
at 1; CARIN All. at 2. At the time of this Notice, the Commission 
has brought two enforcement actions under the Rule; the first 
against digital health company GoodRx Holdings, Inc., and the second 
against an ovulation-tracking mobile app marketed under the name 
``Premom'' and developed by Easy Healthcare, Inc. U.S. v. GoodRx 
Holdings, Inc., Case No. 23-cv-460 (N.D. Cal. 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc; U.S. v. Easy Healthcare Corporation, Case No. 1:23-cv-
3107 (N.D. Ill. 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v.
---------------------------------------------------------------------------

1. The Commission's 2021 Policy Statement

    On September 15, 2021, the Commission issued a Policy Statement 
providing guidance on the scope of the Rule. The Policy Statement 
clarified that the Rule covers most health apps and similar 
technologies that are not covered by HIPAA.\24\ The Rule defines a 
``personal health record'' as ``an electronic record of PHR 
identifiable health information on an individual that can be drawn from 
multiple sources and that is managed, shared, and controlled by or 
primarily for the individual.'' \25\ As the Commission explained in the 
Policy Statement, many makers and purveyors of health apps and other 
connected devices are vendors of personal health records covered by the 
Rule because their products are electronic records of PHR identifiable 
health information.
---------------------------------------------------------------------------

    \24\ Statement of the Commission on Breaches by Health Apps and 
Other Connected Devices, Fed. Trade Comm'n (Sept. 15, 2021), https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf (``Policy Statement'').
    \25\ 16 CFR 318.2(d).
---------------------------------------------------------------------------

    The Commission explained that PHR identifiable health information 
includes individually identifiable health information created or 
received by a health care provider,\26\ and that ``health care 
providers'' include any entities that ``furnish[] health care services 
or supplies.'' \27\ Because these health app purveyors furnish health 
care services to their users through the mobile applications they 
provide, the information held in the app is PHR identifiable health 
information, and therefore many app makers likely qualify as vendors of 
personal health records.\28\
---------------------------------------------------------------------------

    \26\ Id. 318.2(e).
    \27\ Id. 318.2(e); 42 U.S.C. 1320d(6), d(3).
    \28\ See Policy Statement at 1.
---------------------------------------------------------------------------

    The Policy Statement further explained that the statute directing 
the FTC to promulgate the Rule requires that a ``personal health 
record'' be an electronic record that can be drawn from multiple 
sources.\29\ Accordingly, health apps and similar technologies likely 
qualify as personal health records covered by the Rule if they are 
capable of drawing information from multiple sources. The Commission 
further clarified that health apps and other products experience a 
``breach of security'' under the Rule when they disclose users' 
sensitive health information without authorization; \30\ a breach is 
``not limited to cybersecurity intrusions or nefarious behavior.'' \31\
---------------------------------------------------------------------------

    \29\ The Policy Statement provided this example: ``[I]f a blood 
sugar monitoring app draws health information only from one source 
(e.g., a consumer's inputted blood sugar levels), but also takes 
non-health information from another source (e.g., dates from your 
phone's calendar), it is covered under the Rule.'' Id. at 2.
    \30\ 16 CFR 318.2(a).
    \31\ Policy Statement at 2; 74 FR 42967 (Commentary to 2009 
Final Rule) (``On a related issue, the final rule provides that a 
breach of security means acquisition of information without the 
authorization `of the individual.' Some commenters raised questions 
about how the extent of individual authorization should be 
determined. For example, if a privacy policy contains buried 
disclosures describing extensive dissemination of consumers' data, 
could consumers be said to have authorized such dissemination?
    The Commission believes that an entity's use of information to 
enhance individuals' experience with their PHR would be within the 
scope of the individuals' authorization, as long as such use is 
consistent with the entity's disclosures and individuals' reasonable 
expectations. Such authorized uses could include communication of 
information to the consumer, data processing, or Web design, either 
in-house or through the use of service providers. Beyond such uses, 
the Commission expects that vendors of personal health records and 
PHR related entities would limit the sharing of consumers' 
information, unless the consumers exercise meaningful choice in 
consenting to such sharing.'') (citations omitted).
---------------------------------------------------------------------------

2. Enforcement History

    In 2023, the Commission has brought its first enforcement actions 
under the Rule against vendors of personal health records. In February 
2023, the Commission brought its first enforcement action alleging a 
violation of the Rule against GoodRx Holdings, Inc. (``GoodRx''), a 
digital health company that sells health-related products and services 
directly to consumers, including prescription medication discount 
products and telehealth services through its website and mobile 
applications.\32\
---------------------------------------------------------------------------

    \32\ U.S. v. GoodRx Holdings, Inc., Case No. 23-cv-460 (N.D. 
Cal. 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc.
---------------------------------------------------------------------------

    In its complaint, the Commission alleged that between 2017 and 
2020, GoodRx, as a vendor of personal health records, disclosed more 
than 500 consumers' unsecured PHR identifiable health information to 
third party advertising platforms like Facebook and Google, without the 
authorization of those consumers. As charged in the complaint, these 
disclosures violated explicit privacy promises the company made to its 
users about its data sharing practices (including about its sharing of 
PHR identifiable health information). The Commission alleged that 
GoodRx broke these promises and disclosed its users' prescription 
medications and personal health conditions, personal contact 
information, and unique advertising and persistent identifiers. The 
Commission charged GoodRx with violating the Rule by failing to provide 
the required notifications, as prescribed by the Rule, to (1) 
individuals whose unsecured PHR identifiable health information was 
acquired by an unauthorized person, (2) the Federal Trade 
Commission, or (3) media outlets. 16 CFR 318.3-6. The Commission 
entered into a settlement that, among other injunctive relief, required 
GoodRx to pay a $1.5 million civil penalty for its violation of the 
Rule.\33\
---------------------------------------------------------------------------

    \33\ In addition, the Commission alleged that GoodRx's data 
sharing practices were deceptive and unfair, in violation of Section 
5 of the FTC Act.
---------------------------------------------------------------------------

    Similarly, on May 17, 2023, the Commission brought its second 
enforcement action under the Rule against Easy Healthcare Corporation 
(``Easy Healthcare''), a company that publishes an ovulation and period 
tracking mobile application called Premom, which allows its users to 
input and track various types of health and other sensitive data. 
Similar to the conduct alleged against GoodRx, Easy Healthcare 
disclosed PHR identifiable health information to third party companies 
such as Google and AppsFlyer, contrary to its privacy promises, and did 
not comply with the Rule's notification requirements. The

[[Page 37822]]

Commission entered into a settlement that, among other injunctive 
relief, required Easy Healthcare to pay a $100,000 civil penalty for 
its violation of the Rule.\34\
---------------------------------------------------------------------------

    \34\ U.S. v. Easy Healthcare Corporation, Case No. 1:23-cv-3107 
(N.D. Ill. 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v.
---------------------------------------------------------------------------

3. Summary of Proposed Rule Changes

    Having considered the public comments, described in further detail 
below, and its Policy Statement, the Commission now proposes to revise 
the Rule, 16 CFR part 318, in seven ways.
    First, the Commission proposes to revise several 
definitions in order to clarify the Rule and better explain its 
application to health apps and similar technologies not covered by 
HIPAA. Consistent with this objective, the proposed Rule would modify 
the definition of ``PHR identifiable health information'' and add two 
new definitions (``health care provider'' and ``health care services or 
supplies''). These changes are consistent with a number of public 
comments supporting the Rule's coverage of these technologies.
    Second, the Commission proposes to revise the definition 
of breach of security to clarify that a breach of security includes an 
unauthorized acquisition of PHR identifiable health information in a 
personal health record that occurs as a result of a data security 
breach or an unauthorized disclosure.
    Third, the Commission proposes to revise the definition of 
PHR related entity in two ways. Consistent with its clarification that 
the Rule applies to health apps, the Commission first proposes 
clarifying the definition of ``PHR related entity'' to make clear that 
the Rule covers entities that offer products and services through the 
online services, including mobile applications, of vendors of personal 
health records. In addition, the Commission proposes revising the 
definition of ``PHR related entity'' to provide that entities that 
access or send unsecured PHR identifiable health information to a 
personal health record--rather than entities that access or send any 
information to a personal health record--are PHR related entities.
    Fourth, the Commission proposes to clarify what it means 
for a personal health record to draw PHR identifiable health 
information from multiple sources.
    Fifth, in response to public comments expressing concern 
that mailed notice is costly and not consistent with how consumers 
interact with online technologies like health apps, the Commission 
proposes to revise the Rule to authorize electronic notice in 
additional circumstances. Specifically, the proposed Rule would adjust 
the language in the ``method of notice section'' and add a new 
definition of the term ``electronic mail.'' The proposed Rule also 
requires that any notice delivered by electronic mail be ``clear and 
conspicuous,'' a newly defined term, which aligns closely with the 
definition of ``clear and conspicuous'' codified in the FTC's Financial 
Privacy Rule.\35\
---------------------------------------------------------------------------

    \35\ 16 CFR 313.3(b). The FTC's Financial Privacy Rule requires 
financial institutions to provide particular notices and to comply 
with certain limitations on disclosure of nonpublic personal 
information. Using a comprehensive definition of ``clear and 
conspicuous'' that is based on the Financial Privacy Rule definition 
aims to ensure consistency across the Commission's privacy-related 
rules.
---------------------------------------------------------------------------

    Sixth, the proposed Rule would expand the required content 
of the notice to individuals, to require that consumers whose unsecured 
PHR identifiable information has been breached receive additional 
important information, including information regarding the potential 
for harm from the breach and protections that the notifying entity is 
making available to affected consumers. In addition, the proposed Rule 
would include exemplar notices, which entities subject to the Rule 
could use to notify consumers in terms that are easy to understand.
    Seventh, in response to public comments, the Commission 
proposes to make a number of changes to improve the Rule's readability. 
Specifically, the Commission proposes to include explanatory 
parentheticals for internal cross-references, add statutory citations 
in relevant places, consolidate notice and timing requirements in 
single sections, respectively, of the Rule, and add a new section that 
plainly states the penalties for non-compliance.
    Finally, this Notice also includes a section discussing several 
alternatives the Commission considered but is not proposing. Although 
the Commission has not put forth any proposed modifications on those 
issues, the Commission nonetheless seeks public comment on them.
    The Commission believes that the proposed changes are consistent 
with the language and intent of the Recovery Act, will address the 
concerns raised by the public comments, and will ensure that the Rule 
remains relevant in the face of changing business practices and 
technological developments. The Commission invites comment on the 
proposed rule revisions generally and on the specific issues outlined 
through section III. Written comments must be received on or before 
August 8, 2023.

II. Analysis of the Proposed Rule

    The following discussion analyzes the proposed changes to the Rule.

1. Clarification of Entities Covered

    The Commission proposes revisions to clarify the Rule's treatment 
of health apps and similar technologies not covered by HIPAA. As the 
Commission's Policy Statement makes clear, many health apps and similar 
technologies not covered by HIPAA are covered by the FTC's existing 
Rule. To ensure that entities covered by the Rule understand their 
obligations under the Rule, the Commission is proposing changes to 
clarify that mobile health applications are covered by the Rule, giving 
important guidance to the marketplace on the Rule's scope. To 
accomplish this objective, the Commission proposes several changes to 
Sec.  318.2, which defines key terms in the Rule. Commenters broadly 
support the Rule covering health apps and similar technologies.\36\
---------------------------------------------------------------------------

    \36\ See supra note 18.
---------------------------------------------------------------------------

    First, consistent with one commenter's recommendation,\37\ the 
Commission proposes revising ``PHR identifiable information'' to import 
language from section 1171(6) of the Social Security Act, 42 U.S.C. 
1320d(6), which is included in the current Rule only by cross-reference 
to that statute.\38\ This revision is not substantive and is being 
proposed to improve readability.
---------------------------------------------------------------------------

    \37\ See Lisa McKeen at 5.
    \38\ The HBN Rule, as currently drafted, defines ``PHR 
identifiable health information'' as ``individually identifiable 
health information,'' as defined in section 1171(6) of the Social 
Security Act (42 U.S.C. 1320d(6)), and, with respect to an 
individual, information: (1) That is provided by or on behalf of the 
individual; and (2) That identifies the individual or with respect 
to which there is a reasonable basis to believe that the information 
can be used to identify the individual. See 16 CFR 318.2(e). Section 
1171(6) of the Social Security Act (42 U.S.C. 1320d(6)) states: 
``The term `individually identifiable health information' means any 
information, including demographic information collected from an 
individual, that--
    (A) is created or received by a health care provider, health 
plan, employer, or health care clearinghouse; and
    (B) relates to the past, present, or future physical or mental 
health or condition of an individual, the provision of health care 
to an individual, or the past, present, or future payment for the 
provision of health care to an individual, and--
    (i) identifies the individual; or
    (ii) with respect to which there is a reasonable basis to 
believe that the information can be used to identify the 
individual.''
---------------------------------------------------------------------------

    As revised, ``PHR identifiable information'' would be defined as 
information (1) that is provided by or on behalf of the individual; (2) 
that

[[Page 37823]]

identifies the individual or with respect to which there is a 
reasonable basis to believe that the information can be used to 
identify the individual; (3) relates to the past, present, or future 
physical or mental health or condition of an individual, the provision 
of health care to an individual, or the past, present, or future 
payment for the provision of health care to an individual; and (4) is 
created or received by a health care provider, health plan (as defined 
in 42 U.S.C. 1320d(5)), employer, or health care clearinghouse (as 
defined in 42 U.S.C. 1320d(2)).
    The Commission believes that this definition covers traditional 
health information (such as diagnoses or medications), health 
information derived from consumers' interactions with apps and other 
online services (such as health information generated from tracking 
technologies employed on websites or mobile applications or from 
customized records of website or mobile application interactions),\39\ 
as well as emergent health data (such as health information inferred 
from non-health-related data points, such as location and recent 
purchases).\40\ The Commission requests comment as to whether any 
further amendment of the definition is needed to clarify the scope of 
data covered.
---------------------------------------------------------------------------

    \39\ In the Matter of Flo Health, Inc., FTC File No. 1923133 
(June 22, 2021), https://www.ftc.gov/system/files/documents/cases/192_3133_flo_health_complaint.pdf; U.S. v. GoodRx Holdings, Inc., 
Case No. 23-cv-460 (N.D. Cal. 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc.; In 
the Matter of BetterHelp, Inc., FTC File No. 2023169 (March 2, 
2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/2023169-betterhelp-inc-matter (proposed complaint and order); U.S. 
v. Easy Healthcare Corporation, Case No. 1:23-cv-3107 (N.D. Ill. 
2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v.; See also U.S. Dep't of 
Health & Human Servs., Use of Online Tracking Technologies by HIPAA 
Covered Entities and Business Associates (Dec. 1, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/.
    \40\ See e.g., Mason Marks, Emergent Medical Data: Health 
Information Inferred by Artificial Intelligence, 11 UC Irvine L. 
Rev. 995 (2021), https://scholarship.law.uci.edu/cgi/viewcontent.cgi?article=1501&context=ucilr.
---------------------------------------------------------------------------

    The proposed Rule also defines a new term, ``health care 
provider,'' in a manner similar to the definition of ``health care 
provider'' found in 42 U.S.C. 1320d(3) (and referenced in 1320d(6)). 
Specifically, the proposed Rule defines ``health care provider'' to 
mean a provider of services (as defined in 42 U.S.C. 1395x(u) \41\), a 
provider of medical or other health services (as defined in 42 U.S.C. 
1395x(s)), or any other entity furnishing health care services or 
supplies.
---------------------------------------------------------------------------

    \41\ Under 42 U.S.C. 1395x(u), the term ``provider of services'' 
means a hospital, critical access hospital, rural emergency 
hospital, skilled nursing facility, comprehensive outpatient 
rehabilitation facility, home health agency, hospice program, or, 
for purposes of section 1395f(g) and section 1395n(e) of this title, 
a fund.
---------------------------------------------------------------------------

    The proposed Rule adds a new definition for the term ``health care 
services or supplies'' to include any online service, such as a 
website, mobile application, or internet-connected device that provides 
mechanisms to track diseases, health conditions, diagnoses or 
diagnostic testing, treatment, medications, vital signs, symptoms, 
bodily functions, fitness, fertility, sexual health, sleep, mental 
health, genetic information, diet, or that provides other health-
related services or tools.\42\ The Commission's proposed definition of 
``health care services and supplies'' is based on a number of factors, 
including the Commission's institutional knowledge, expertise, and law 
enforcement experience in health data technology. This definition is 
designed to reflect the current state of technology for health apps and 
connected devices, as well as emerging technological capabilities that 
the Commission has observed through its investigatory, enforcement, and 
policy work.
---------------------------------------------------------------------------

    \42\ See Joint Statement of Commissioner Rohit Chopra and 
Commissioner Rebecca Kelly Slaughter, Concurring in Part, Dissenting 
in Part, In the Matter of Flo Health, Inc., FTC File No. 1923133 
(Jan. 13, 2021), https://www.ftc.gov/system/files/documents/public_statements/1586018/20210112_final_joint_rcrks_statement_on_flo.pdf (``The FTC's Health 
Breach Notification Rule covers (a) health care providers that (b) 
store unsecured, personally identifiable health information that (c) 
can be drawn from multiple sources, and the rule is triggered when 
such entities experience a `breach of security.' See 16 CFR 318. 
Under the definitions cross-referenced by the Rule, Flo--which 
markets itself as a `health assistant'--is a `health care provider,' 
in that it `furnish[es] health care services and supplies.' See 16 
CFR 318.2(e); 42 U.S.C. 1320d(6), d(3).'').
---------------------------------------------------------------------------

    These changes clarify that developers of health apps and similar 
technologies providing these types of ``health care services or 
supplies'' qualify as ``health care providers'' under the Rule. 
Accordingly, any individually identifiable health information these 
products collect or use would constitute ``PHR identifiable health 
information'' covered by the Rule. These changes also clarify that 
mobile health applications, therefore, are a ``personal health record'' 
covered by the Rule (as long as other conditions set forth in the 
definition of ``personal health record'' are met) and accordingly the 
developers of such applications are ``vendors of personal health 
records.'' \43\ The proposed definition of ``health care services or 
supplies'' clarifies the Rule's scope in two ways. First, it makes 
clear that the Rule applies generally to online services, including 
websites, apps, and internet-connected devices that provide health care 
services or supplies. Second, it illustrates that the Rule covers 
online services related not only to medical issues (by including in the 
definition terms such as ``diseases, diagnoses, treatment, 
medications'') but also wellness issues (by including in the definition 
terms such as fitness, sleep, and diet). The Commission intends to 
ensure app developers understand their notice obligations, even if an 
app is positioned as a ``wellness'' product rather than a ``health'' 
product.
---------------------------------------------------------------------------

    \43\ The mobile health applications covered as ``vendors of 
personal health records'' under the Rule are distinct from the 
``online applications'' referenced in footnote 78 of the 2009 
Statement of Basis and Purpose as ``PHR related entities.'' Footnote 
78 from the 2009 Statement of Basis and Purpose states that PHR 
related entities include ``online applications through which 
individuals connect their blood pressure cuffs, blood glucose 
monitors, or other devices'' so they can track the results through 
their personal health records. See 74 FR 42962, 42969 n.78 (2009). 
Footnote 78 refers narrowly to online applications that collect 
health information from a single source and transfer it to a 
personal health record maintained separate and apart from the PHR 
related entity by the PHR vendor. In other words, a PHR related 
entity sends health information to a personal health record which 
the PHR related entity does not itself maintain.
---------------------------------------------------------------------------

    The Commission's proposed changes are consistent with the public 
comments, which recommended the Rule cover health apps and similar 
technologies.\44\ In revising and adding these definitions, Commission 
staff also sought informal input from staff at the Federal agencies 
that interpret or enforce the referenced statutory provision, 42 U.S.C. 
1320d, including staff at HHS. The Commission's definition of ``health 
care provider'' differs from, but does not contradict, the definitions 
or interpretations adopted by HHS.\45\ The Commission's proposed 
definition is consistent with the statutory scheme established by 
Congress to regulate non-HIPAA covered entities and within the agency's 
discretion in administering the Rule.
---------------------------------------------------------------------------

    \44\ See supra note 18.
    \45\ Although in other contexts HHS has defined the term 
``health care provider'' based upon a more limited understanding of 
that term (e.g., referring primarily to persons and entities such as 
doctors, clinics, psychologists, dentists, chiropractors, nursing 
homes, and pharmacies), its definition does not contradict or 
preclude an interpretation of the referenced statutory provision, 42 
U.S.C. 1320d, that encompasses developers of health applications and 
similar technologies.
---------------------------------------------------------------------------

Topics on Which the Commission Seeks Public Comment
    The Commission seeks comment as to whether these changes 
sufficiently clarify the Rule's application to

[[Page 37824]]

purveyors of health apps and similar technologies that are not covered 
by HIPAA. The Commission also seeks comment as to whether the proposed 
rule, as explained here, makes clear to the market which entities are 
covered by the Rule and under what circumstances. As the Commission has 
explained, the Rule is intended to cover developers and purveyors of 
health apps and internet-connected health devices, such as fitness 
trackers, that are not covered by HIPAA. The Commission seeks comment 
as to whether the proposed changes and added definitions would apply to 
entities that offer other technologies and, if so, whether these 
definitions include appropriate distinctions. If the scope should be 
limited, the Commission seeks comment as to how that limitation could 
be effected through the Rule's language, consistent with the language 
and purpose of the Recovery Act. The Commission seeks comment on 
defining ``health care provider'' in a manner that is broader than a 
more limited definition of that term used in other contexts (e.g., 
referring primarily to persons and entities such as doctors, clinics, 
psychologists, dentists, chiropractors, nursing homes, and pharmacies 
\46\). And, finally, the Commission seeks comment on the definition of 
``healthcare services or supplies,'' including whether any 
modifications should be made to this definition.
---------------------------------------------------------------------------

    \46\ See, e.g., U.S. Dep't of Human Servs., Guidance on Covered 
Entities and Business Associates (June 16, 2017), https://www.hhs.gov/hipaa/for-professionals/covered-entities/ 
(listing these persons/entities as examples of health care 
providers).
---------------------------------------------------------------------------

2. Clarification Regarding Types of Breaches Subject to the Rule

    The Commission proposes a definitional change to clarify that a 
breach of security under the Rule encompasses unauthorized acquisitions 
that occur as a result of a data breach or an unauthorized disclosure. 
The current Rule defines ``breach of security'' as the acquisition of 
unsecured PHR identifiable health information of an individual in a 
personal health record without the authorization of the individual.\47\ 
This language mirrors the definition of ``breach of security'' in 
section 13407(f)(1) of the Recovery Act. The current Rule also includes 
a rebuttable presumption for unauthorized access to an individual's 
data. It states that when there is unauthorized access to data, 
unauthorized acquisition will be presumed unless the entity that 
experienced the breach ``has reliable evidence showing that there has 
not been, or could not reasonably have been, unauthorized acquisition 
of such information.'' \48\
---------------------------------------------------------------------------

    \47\ 16 CFR 318.2(a).
    \48\ 16 CFR 318.2(a).
---------------------------------------------------------------------------

    The Commission's proposed changes are consistent with the plain 
language of the current Rule and the Recovery Act definition of 
``breach of security.'' \49\ Additionally, the Commission's Policy 
Statement makes clear that ``[i]ncidents of unauthorized access, 
including sharing of covered information without an individual's 
authorization, triggers notification obligations under the Rule,'' and 
that a breach ``is not limited to cybersecurity intrusions or nefarious 
behavior.'' \50\ Further, recent Commission enforcement actions against 
GoodRx and Easy Healthcare also make clear that the Rule covers 
unauthorized disclosures of consumers' PHR identifiable health 
information to third party companies. The Commission's proposed changes 
also are consistent with public comments, which urged the Commission to 
clarify what constitutes an unauthorized acquisition under the 
Rule.\51\
---------------------------------------------------------------------------

    \49\ The commentary to the current Rule already provides 
guidance on the types of disclosures that the Commission considers 
to be ``unauthorized.'' For instance, it states: ``Given the highly 
personal nature of health information, the Commission believes that 
consumers would want to know if such information was read or shared 
without authorization.'' It further states that data sharing to 
enhance consumers' experience with a PHR is authorized only ``as 
long as such use is consistent with the entity's disclosures and 
individuals' reasonable expectations'' and that ``[b]eyond such 
uses, the Commission expects that vendors of personal health records 
and PHR related entities would limit the sharing of consumers' 
information, unless the consumers exercise meaningful choice in 
consenting to such sharing. Buried disclosures in lengthy privacy 
policies do not satisfy the standard of `meaningful choice.' '' 74 
FR 42967.
    \50\ Policy Statement at 2.
    \51\ See AMA at 5-6 (``The FTC should define `unauthorized 
access' as presumed when entities fail to disclose to individuals 
how they access, use, process, and disclose their data and for how 
long data are retained. Specifically, an entity should disclose to 
individuals exactly what data elements it is collecting and the 
purpose for their collection''; ``[T]he FTC should define 
`unauthorized access' as presumed when an entity fails to disclose 
to an individual the specific secondary recipients of the 
individual's data.''); Amer. Med. Informatics Ass'n (``AMIA'') at 2 
(recommending that the FTC ``[e]xpand on the concept of 
`unauthorized access' under the definition of `Breach of security,' 
to be presumed when a PHR or PHR related entity fails to adequately 
disclose to individuals how user data is accessed, processed, used, 
reused, and disclosed.''); OAG-CA at 5-6 (urging the FTC to include 
``impermissible acquisition, access, use, disclosure'' under the 
definition of breach.).
---------------------------------------------------------------------------

    Accordingly, consistent with the Recovery Act definition, the 
Policy Statement, FTC enforcement actions under the Rule, and public 
comments received, the Commission proposes amending the definition of 
``breach of security'' in Sec.  318.2(a) by adding the following 
sentence to the end of the existing definition: ``A breach of security 
includes an unauthorized acquisition of unsecured PHR identifiable 
health information in a personal health record that occurs as a result 
of a data breach or an unauthorized disclosure.'' The proposed 
definition is intended to make clear to the marketplace that a breach 
includes an unauthorized acquisition of identifiable health information 
that occurs as a result of a data breach or an unauthorized disclosure, 
such as a voluntary disclosure made by the PHR vendor or PHR related 
entity where such disclosure was not authorized by the consumer.

Topics on Which the Commission Seeks Public Comment
    The Commission seeks comment on (1) whether this addition to the 
definition of ``breach of security'' is necessary, given that the 
definition in the current Rule already encompasses unauthorized 
acquisitions beyond security breaches, and (2) whether the proposed 
definitional change sufficiently clarifies for the marketplace the 
Rule's coverage.

3. Revised Scope of PHR Related Entity

    The Commission also proposes revising the definition of ``PHR 
related entity'' in two ways that pertain to the Rule's scope. 
Currently, the Rule defines ``PHR related entity'' to mean an entity, 
other than a HIPAA-covered entity or a business associate of a HIPAA-
covered entity, that: (1) offers products or services through the 
website of a vendor of personal health records; (2) offers products or 
services through the websites of HIPAA-covered entities that offer 
individuals personal health records; or (3) accesses information in a 
personal health record or sends information to a personal health 
record.\52\
---------------------------------------------------------------------------

    \52\ 16 CFR 318.2(f).
---------------------------------------------------------------------------

    First, the Commission proposes language to clarify that PHR related 
entities include entities offering products and services not only 
through the websites of vendors of personal health records, but also 
through any online service, including mobile applications. Commenters 
urged this change because websites are no longer the only means through 
which consumers access health information online.\53\ To the contrary, 
online

[[Page 37825]]

services such as apps are equally relevant to consumers' online 
experiences with health information.
---------------------------------------------------------------------------

    \53\ See, e.g., AHIMA at 2 (``[W]e also recommend that the 
Commission consider updating the existing definition of a `PHR-
related entity' [sic] at 318.2(f) as 318.2(f)(1) and 318.2(f)(2) 
appear to focus primarily on products and services offered through a 
vendor's website and may not be entirely reflective of today's 
environment as new platforms and related services are increasingly 
deployed and adopted.''; Amer. Acad. of Ophthalmology at 3-4 
(recommending that the definition cover apps); PEHRC at 4 (same).
---------------------------------------------------------------------------

    Second, the Commission proposes to revise the third prong of the 
definition so that only entities that access or send unsecured PHR 
identifiable health information to a personal health record--rather 
than entities that access or send any information to a personal health 
record--qualify as PHR related entities. This change--from any 
information to unsecured PHR identifiable health information--is 
intended to eliminate potential confusion about the Rule's breadth and 
promote compliance by narrowing the scope of entities that qualify as 
PHR related entities.\54\
---------------------------------------------------------------------------

    \54\ The revised definition would state that a PHR related 
entity is an entity, other than a HIPAA-covered entity or an entity 
to the extent that it engages in activities as a business associate 
of a HIPAA-covered entity, that (1) offers products or services 
through the website, including any online service, of a vendor of 
personal health records; (2) offers products or services through the 
websites, including any online services, of HIPAA-covered entities 
that offer individuals personal health records; or (3) accesses 
unsecured PHR identifiable health information in a personal health 
record or sends unsecured PHR identifiable health information to a 
personal health record. Although the Rule is only triggered when 
there is a breach of security involving unsecured PHR identifiable 
health information, the Commission nevertheless believes there is a 
benefit to revising the third prong of PHR related entity to make 
clear that only entities that access or send unsecured PHR 
identifiable health information to a personal health record--rather 
than entities that access or send any information to a personal 
health record--are PHR related entities. Otherwise, under the Rule's 
current formulation, many entities could be a PHR related entity 
under the definition's third prong and such entities would then, in 
the event of a breach, need to analyze whether they experienced a 
reportable breach under the Rule. If an entity, per this proposed 
revision, does not qualify as a PHR related entity in the first 
place, there is no need to consider whether it experienced a 
reportable breach.
---------------------------------------------------------------------------

    As the Rule is currently drafted, for example, a grocery delivery 
service that integrates with a diet and fitness app could arguably be 
considered a PHR related entity when the grocery delivery service sends 
information about food purchases to the diet and fitness app. This 
expansive reading of the Rule is not consistent with the purposes of 
the statute or the Commission's intent when it drafted the Rule. The 
Commission believes that a more appropriate interpretation of the term 
PHR related entity encompasses entities that access unsecured PHR 
identifiable health information in a personal health record or send 
unsecured PHR identifiable health information to a personal health 
record. Remote blood pressure cuffs, connected blood glucose monitors, 
and fitness trackers are all examples of devices that could qualify as 
a PHR related entity when individuals sync them with a personal health 
record (i.e., mobile health application).\55\
---------------------------------------------------------------------------

    \55\ For example, the maker of a wearable fitness tracker may be 
both a vendor of personal health records (to the extent that its 
tracker interfaces with its own app, which also accepts consumer 
inputs) and a PHR related entity (to the extent that it sends 
information to another company's health app). Regardless of whether 
the maker of the fitness tracker is a vendor of personal health 
records or a PHR related entity, its notice obligations are the 
same: it must notify individuals, the FTC, and in some cases, the 
media, of a breach. 16 CFR 318.3(a), 318.5(b).
---------------------------------------------------------------------------

    As a result of this proposed change, a firm that performs 
attribution and analytics services for a health app might be considered 
both a PHR related entity (to the extent it accesses unsecured PHR 
identifiable health information in a personal health record) and a 
third party service provider. This overlap could create competing 
notice obligations, where, in the event of a breach, the firm would be 
required to notify individuals and the FTC (per Sec.  318.3's notice 
requirements for PHR related entities) and notify the vendor of the 
personal health record (per Sec.  318.3's notice requirements for third 
party service providers).
    The Commission does not intend this result. Instead, the Commission 
considers firms that perform services such as attribution and analytics 
for apps and technologies providing healthcare services and supplies to 
be third party service providers. Such service providers must notify 
the health app developers for whom they provide services, who in turn 
would notify affected individuals.\56\ Otherwise, treating such service 
providers as PHR related entities would create a problematic result for 
the consumer, who would receive notice from an unfamiliar company. To 
clarify this issue, the Commission proposes to revise Sec.  318.3(b) by 
adding that a third party service provider is not rendered a PHR 
related entity when it accesses unsecured PHR identifiable health 
information in the course of providing services.
---------------------------------------------------------------------------

    \56\ In attempting to help distinguish between PHR related 
entities and third party service providers, the Commission offers 
the following observation: in most cases, third party service 
providers are likely to be non-consumer facing. Thus, examples of 
PHR related entities include, as noted above, fitness trackers and 
health monitors when consumers sync them with a mobile health app. 
Examples of third party service providers include entities that 
provide support or administrative functions to vendors of personal 
health records and PHR related entities.
---------------------------------------------------------------------------

    Moreover, this result will create incentives for responsible data 
stewardship and for de-identification. Specifically, PHR vendors will 
have incentives to select and retain service providers, such as those 
that perform services such as attribution or analytics for apps, 
capable of treating data responsibly (e.g., not engaging in any onward 
disclosures of data that could result in a reportable breach) and 
incentives to oversee their service providers to ensure ongoing 
responsible data stewardship (which would avoid a breach). Further, it 
will create incentives for PHR vendors to avoid breaches by service 
providers by de-identifying health information before sharing it with 
any service provider, as de-identification would render the data no 
longer PHR identifiable health information subject to the Rule.
a. Topics on Which the Commission Seeks Public Comment
    The Commission seeks comment on whether additional changes to the 
Rule would be necessary or helpful to clarify this result. The 
Commission also requests comment on the following scenario: a third 
party service provider, such as an analytics firm, receives PHR 
identifiable health information (e.g., device identifier and geolocation data 
from which health information about an individual can be inferred) and 
then sells it to another entity without the consumer's authorization. 
The Commission considers this to be a reportable breach, even if the 
consumer consented to the original collection. In such a scenario, the 
third party service provider would be required to notify the vendor of 
personal health records or PHR related entity, who in turn would notify 
affected individuals. The Commission requests comment on this approach, 
including whether as a policy matter it is advisable under the Rule to 
require a vendor of personal health records or PHR related entity to 
notify its customers about such onward disclosures.
    The Commission also seeks comment on the definition of ``PHR 
related entity,'' including the scope. Conversely, the Commission seeks 
comment as to whether, by limiting the third prong of the definition to 
entities that access or send unsecured PHR identifiable health 
information, the proposed definition is too narrow and would exclude 
entities that should be required to notify consumers of breaches, 
consistent with the Recovery Act. To assess this question of breadth, 
the Commission requests comment on

[[Page 37826]]

what entities are (1) offering products or services through personal 
health records such as apps; or (2) sending or accessing information, 
including but not limited to identifiable health information, in health 
apps and other personal health records. Finally, the Commission 
requests comment on the potential overlap between the definitions of 
``PHR related entity'' and ``third party service provider,'' and how to 
sufficiently distinguish between them.

4. Clarification of What it Means for a Personal Health Record To Draw 
Information From Multiple Sources

    The Commission proposes revising the definition of ``personal 
health record'' to clarify what it means for a personal health record 
to draw information from multiple sources. Under the current Rule, a 
personal health record is defined as an electronic record of PHR 
identifiable health information that can be drawn from multiple sources 
and that is managed, shared, and controlled by or primarily for the 
individual.
    Under the revised definition, a ``personal health record'' would be 
defined as an electronic record of PHR identifiable health information 
on an individual that has the technical capacity to draw information 
from multiple sources and that is managed, shared, and controlled by or 
primarily for the individual.\57\
---------------------------------------------------------------------------

    \57\ One commenter specifically recommended that the definition 
of PHR be broadened ``to explicitly include any website, mobile 
application, or other electronic record system that collects and 
stores individually identifiable information, including health 
information, even if it draws that information from a single 
source.'' Kaiser Permanente at 3.
---------------------------------------------------------------------------

    This change clarifies the application of the statutory definition 
of a personal health record that can draw information from multiple 
sources. Adding the phrase ``technical capacity to draw information'' 
serves several purposes. First, it clarifies that a product is a 
personal health record if it can draw information from multiple 
sources, even if the consumer elects to limit information from a single 
source only, in a particular instance. For example, a depression 
management app that accepts consumer inputs of mental health states and 
has the technical capacity to sync with a wearable sleep monitor is a 
personal health record, even if some customers choose not to sync a 
sleep monitor with the app. Thus, whether an app qualifies as a 
personal health record would not depend on the prevalence of consumers' 
use of a particular app feature, like sleep monitor-syncing. Instead, 
the analysis of the Rule's application would be straightforward: either 
the app has the technical means (e.g., the application programming 
interface or API) to draw information from multiple sources, or it does 
not. Next, adding the phrase ``technical capacity to draw information'' 
would clarify that a product is a personal health record if it can draw 
any information from multiple sources, even if it only draws health 
information from one source. This change further clarifies the 
Commission's interpretation of the Recovery Act, as explained in the 
Policy Statement.\58\
---------------------------------------------------------------------------

    \58\ Policy Statement at 2.
---------------------------------------------------------------------------

    To illustrate the intended meaning of the proposed revisions to the 
term ``personal health record,'' the Commission offers the example of 
two non-HIPAA covered diet and fitness apps available for consumer 
download in an app store. The proposed Rule makes clear that each is a 
personal health record.
     Diet and Fitness App Y allows users to sync the app with 
third-party wearable fitness trackers. Diet and Fitness 
App Y has the technical capacity to draw identifiable health 
information both from the user (name, weight, height, age) and the 
fitness tracker (user's name, miles run, heart rate), even if some 
users elect not to connect the fitness tracker.
     Diet and Fitness App Y has the ability to pull information 
from the user's phone calendar via the calendar API to suggest 
personalized healthy eating options. Diet and Fitness App Y has the 
technical capacity to draw identifiable health information from the 
user (name, weight, height, age) and non-health information (calendar 
entry info, location, and time zone) from the user's calendar.
a. Topics on Which the Commission Seeks Public Comment
    The Commission seeks comment as to whether the proposed changes 
sufficiently clarify the Rule's application to developers and purveyors 
of products that have the technical capacity to draw information from 
more than one source. In particular, the Commission invites comment on 
its interpretation that an app is a personal health record because it 
has the technical capacity to draw information from multiple sources, 
even if particular users of the app choose not to enable the syncing 
features. The Commission also requests comment about whether an app (or 
other product) should be considered a personal health record even if it 
only draws health information from one place (in addition to non-health 
information drawn elsewhere); or only draws identifiable health 
information from one place (in addition to non-identifiable health 
information drawn elsewhere). The Commission also requests comment 
about whether the Commission's bright-line rule (apps with the 
``technical capacity to draw information'' are covered) should be 
adjusted to take into account consumer use, such as where no consumers 
(or only a de minimis number) use a feature. For example, an app might 
have the technical capacity to draw information from multiple sources, 
but its API is entirely or mostly unused, either because it remains a 
Beta feature, has not been publicized, or is not popular. The 
Commission also requests comment on the likelihood of such scenarios.

5. Facilitating Greater Opportunity for Electronic Notice

    Fourth, the Commission proposes to authorize expanded use of email 
and other electronic means of providing clear and effective notice of a 
breach to consumers. Increasingly, consumers interact with vendors of 
personal health records (and vice versa) solely online and communicate 
primarily or exclusively through electronic means.
    Currently, the Rule permits notice by either postal mail or, in 
limited circumstances, email. The Rule provides that vendors of 
personal health records or PHR related entities that discover a breach 
of security must provide ``[w]ritten notice, by first-class mail to the 
individual at the last known address of the individual, or by email, if 
the individual is given a clear, conspicuous, and reasonable 
opportunity to receive notification by first-class mail, and the 
individual does not exercise that choice.'' \59\
---------------------------------------------------------------------------

    \59\ 16 CFR 318.5(a)(1).
---------------------------------------------------------------------------

    Several commenters noted the cost and inconvenience associated with 
postal mail notice to companies and consumers alike.\60\ Several 
commenters encouraged the Commission to update the methods of notice to 
permit notice by electronic means.\61\ Commenters suggested that the 
Commission revise the Rule to encourage different kinds of electronic 
notice, including email, in-app messaging, and QR codes.\62\ For 
example, one commenter stated that the Rule's notice requirement should 
be

[[Page 37827]]

updated to permit notification by email or within an application, 
including through such means as banner, ``pop-up,'' and clickthrough 
notifications.\63\ This commenter also noted that an electronic 
communication is more likely to be read by an individual who is using 
an application, and is more cost-effective.\64\ Another commenter urged 
the Commission to increase the options for breach notification to 
include email rather than certified mail as the only option.\65\ And 
another commenter noted that in-app messaging, text messages, and 
platform messaging are widely used tools and should be allowed to be 
utilized to more effectively communicate with consumers that consent to 
them.\66\ This commenter added that it is common sense that consumers 
should be able to consent to receiving communications under the Rule 
via these modalities as well as via email.\67\
---------------------------------------------------------------------------

    \60\ Allscripts at 2; Bruce Grimm at 1; All. for Nursing 
Informatics at 2; Anonymous, No. FTC-2020-0045-0005 at 1; CHI at 3; 
CARIN All. at 2.
    \61\ The App Ass'n's Connected Health Initiative (``CHI'') at 3; 
CARIN All. at 2; Allscripts at 2; Bruce Grimm at 1; All. for Nursing 
Informatics at 2.
    \62\ Id.
    \63\ Allscripts at 2.
    \64\ Id.
    \65\ All. for Nursing Informatics at 2.
    \66\ CHI at 3.
    \67\ Id.
---------------------------------------------------------------------------

    The Commission recognizes that, as commenters noted, the 
relationship between vendors of personal health records and PHR related 
entities, on the one hand, and individuals takes place online and 
increasingly via applications present on devices such as mobile phones 
and tablets. These applications communicate with individuals by various 
electronic means, including text, within-application message, and 
email.
a. Notice via Electronic Mail
    Accordingly, the Commission proposes to update this provision to 
specify that vendors of personal health records or PHR related entities 
that discover a breach of security must provide written notice at the 
last known contact information of the individual and such written 
notice may be sent by electronic mail, if an individual has specified 
electronic mail as the primary contact method, or by first-class mail.
    Authorizing entities to provide notice about a breach of security 
by electronic mail is consistent with how consumers often receive other 
communications from these entities and will align with consumers' 
expectations. As a result, such notices are less likely to be ignored 
or viewed as suspicious by individuals.
    Consistent with this objective, the Commission proposes defining 
``electronic mail'' to mean email in combination with one or more of 
the following: text message, within-application messaging, or 
electronic banner. The proposed Rule would facilitate more notice by 
electronic mail. This new definition of electronic mail would ensure 
that the notice is both (1) convenient and low-cost (because it is 
electronic) and (2) unavoidable and consistent with the consumer's 
relationship with the product. For example, if an app developer is 
providing notice, it could send written notice by email and in-app 
message, ensuring that the consumer receives notice in a manner 
consistent with her experience with the app. Similarly, a website 
operator could send written notice by email and an electronic banner on 
the home page of its website. The two prongs of the definition would 
ensure that a notifying entity cannot select a single form of 
electronic notice that is unlikely to reach consumers--for example, 
sending an in-app message alone to app users who do not frequently 
check in-app notifications.
    The goal of structuring the notice in two parts is to increase the 
likelihood that consumers encounter the notice. Many individuals 
routinely check email messages, making email a useful vehicle to 
communicate a breach notification. However, some individuals do not 
read email often, and these consumers under the proposed definition 
would also receive notice via text, in-app, or banner notice, thereby 
increasing the likelihood that they will encounter the breach 
notification.
    The Commission believes any notification delivered via electronic 
mail should be clear and conspicuous. The proposed Rule defines ``clear 
and conspicuous.'' Among other things, for a notice to be clear and 
conspicuous, the notice must be reasonably understandable and designed 
to call attention to the nature and significance of the information in 
the notice. The proposed definition of ``clear and conspicuous'' 
closely tracks the definition of clear and conspicuous in the FTC's 
Financial Privacy Rule.\68\
---------------------------------------------------------------------------

    \68\ 16 CFR 313.3(b)(1).
---------------------------------------------------------------------------

    Vendors of personal health records and PHR related entities must 
obtain consumer consent prior to adopting ``electronic mail'' as their 
notification method for affected individuals. Under the proposed Rule, 
entities covered by the Rule may provide ``electronic mail'' 
notifications only if the individual user has specified electronic 
mail as their primary method of communication with the entity. This is 
consistent with section 13402 of the Recovery Act, which provides that 
entities may send notice by electronic mail only ``if specified as a 
preference by the individual.'' The Commission interprets this phrase 
as allowing entities to send an email or in-app alert notifying their 
users that they will receive breach notices by electronic mail and 
offering them the opportunity to opt out of electronic mail 
notification and instead receive notice by first-class mail. The 
proposed Rule also allows for notification by first-class mail where 
electronic mail is not available.
b. Model Notice
    To assist entities that are required to provide notice to 
individuals under the Rule, the Commission has developed a model notice 
that entities may use, in their discretion, to notify individuals. This 
model notice is attached as Exhibit A to this Notice of Proposed 
Rulemaking. The Commission invites comment on this model notice, 
including: (1) whether the model notice should be mandatory and any 
advantages or disadvantages of mandating use of the model notice; (2) 
whether and how the model notice could be compatible with the methods 
of notice contemplated by the proposed definition of electronic mail, 
such as text, banner and within-application messaging, including 
whether and how entities could suitably link to model notice language 
from a text message,\69\ electronic banner, or in-application message; 
and (3) recommended changes to the substance and format of the model 
notice.
---------------------------------------------------------------------------

    \69\ The proposed text message and in-app language in the 
exemplar notice invites consumers to ``Visit [add non-clickable URL] 
to learn what happened, how it affects you, and what you can do to 
protect your information.'' The exemplar proposes a non-clickable 
URL due to the risk that a clickable URL could expose consumers to, 
for example, malware or scams.
---------------------------------------------------------------------------

c. Topics on Which the Commission Seeks Public Comment
    The Commission also requests comment on the proposed changes, 
including whether the definition of ``electronic mail'' would achieve 
the Commission's goal to make notice unavoidable and consistent with 
the consumer's relationship with the product. The Commission also 
requests comment as to whether this definition would result in 
over-notification from ``duplicate'' notices, including the extent to which 
the proposed two-pronged approach could confuse consumers or reduce the 
impact that a single notice might have. And the Commission requests 
comment as to whether this definition is consistent with principles of 
data minimization, i.e., whether an entity might collect more data 
(e.g., email or text) than it otherwise would have simply to obtain

[[Page 37828]]

sufficient information to send notice via ``electronic mail'' in the 
event of a breach.

6. Expanded Content of Notice

    The Commission proposes several modifications to the content of the 
required notice to individuals. Currently, the Rule requires that the 
notice include a description of what happened; a description of the 
types of unsecured PHR identifiable health information that were 
involved in the breach; the steps individuals should take to protect 
themselves from potential harm; a description of what the vendor of 
personal health records or PHR related entity involved is doing to 
investigate the breach, to mitigate any losses, and to protect against 
any further breaches; and contact procedures for individuals to ask 
questions or learn additional information.\70\ The Commission proposes 
five changes to the content of the notice.
---------------------------------------------------------------------------

    \70\ 16 CFR 318.6.
---------------------------------------------------------------------------

a. Summary of Changes to Content of the Notice
    First, in Sec.  318.6(a), as part of relaying what happened 
regarding the breach, the Commission proposes that the notice to 
individuals also include a brief description of the potential harm that 
may result from the breach, such as medical or other identity theft.
    The Commission proposes adding this provision so that individuals 
better understand the nexus between the information breached and the 
potential harms that could result from the breach of such information. 
In some cases, it is unclear to individuals what harms may flow from 
the breach of their information. The Commission believes it is 
important to equip individuals with information about the harms they 
may experience so that they can better understand the potential risks 
from a breach and determine what steps or measures to take following a 
breach. The Commission invites comment on this proposed provision, 
including (1) whether the requirement that the notice describe 
potential harms would serve the public interest and benefit consumers, 
(2) whether notifying entities typically possess information following 
a breach to assess the potential harms to individuals, (3) whether, in 
the absence of such information, notifying entities may minimize the 
potential risks by informing individuals that they are unaware of any 
harms that may result from the breach, (4) how notifying entities, in 
the absence of known, actionable harm resulting from a breach, should 
best describe to individuals the potential harms they may experience, 
and (5) whether additional and more specific data elements may 
overwhelm or confuse recipients of the notice.
    Second, the Commission also proposes to amend the requirements for 
the notice under Sec.  318.6(a) to include the full name, website, and 
contact information (such as a public email address or phone number) of 
any third parties that acquired unsecured PHR identifiable health 
information as a result of a breach of security, if this information is 
known to the vendor of personal health records or PHR related entity 
(such as where the breach resulted from disclosures of users' sensitive 
health information without authorization). No such requirement exists 
in the current Rule.
    Third, the Commission proposes modifications to Sec.  318.6(b), 
which requires that the notice include a description of the types of 
unsecured PHR identifiable health information that were involved in the 
breach. The Rule currently sets forth examples of different types of 
PHR identifiable health information, such as full name, date of birth, 
Social Security number, account number, or disability code, that could 
have been involved in the breach.
    The Commission proposes that this exemplar list be expanded to 
include additional types of PHR identifiable health information, such 
as health diagnosis or condition, lab results, medications, other 
treatment information, the individual's use of a health-related mobile 
application, and device identifier. The Commission believes it is 
important for individuals to receive notice of the specific types of 
PHR identifiable health information involved in a breach, given that 
the exposure of health information can lead to a wide spectrum of 
harms.\71\ For example, even the disclosure of an individual's use of a 
health-related mobile application (e.g., an HIV management app, mental 
health app, or addiction recovery app) could, depending on the type of 
health app at issue, lead to a number of potential injuries, including 
embarrassment, social stigma, more expensive health insurance premiums, 
or even loss of employment.
---------------------------------------------------------------------------

    \71\ See, e.g., Fed. Trade Comm'n, FTC Informational Injury 
Workshop: BE and BCP Staff Perspective (Oct. 2018), https://www.ftc.gov/system/files/documents/reports/ftc-informational-injury-workshop-be-bcp-staff-perspective/informational_injury_workshop_staff_report_-_oct_2018_0.pdf; Fed. 
Trade Comm'n, Former Acting Chairwoman Maureen K. Ohlhausen, 
Painting the Privacy Landscape: Informational Injury in FTC Privacy 
and Data Security Cases (Sept. 19, 2017), https://www.ftc.gov/system/files/documents/public_statements/1255113/privacy_speech_mkohlhausen.pdf.
---------------------------------------------------------------------------

    Fourth, Sec.  318.6(d) of the Rule currently requires that a vendor 
of personal health records or PHR related entity describe what the 
entity is doing to investigate the breach, to mitigate any losses, and 
to protect against any further breaches. The Commission proposes to 
revise this provision to require that the notice to individuals include 
additional information providing a brief description of what the entity 
that experienced the breach is doing to protect affected individuals, 
such as offering credit monitoring or other services. The Commission 
believes it is important that notifying entities explain to individuals 
not only the steps individuals should take to protect themselves from 
potential harm resulting from the breach, but also what steps the 
notifying entity is taking to protect affected individuals following 
the breach. Any protections offered by notifying entities likely will 
be tailored to the facts and circumstances of each breach and could, in 
certain circumstances, include credit monitoring or other support such 
as identity theft protection or identity restoration services.
    Fifth, the Commission proposes to modify Sec.  318.6(e). Currently, 
this section requires that the notice to individuals include contact 
procedures for individuals to ask questions or learn additional 
information about the breach, and the contact procedure must include 
one of the following: a toll-free telephone number; an email address; 
website; or postal address. The Commission proposes to modify Sec.  
318.6(e) to specify that the contact procedures specified by the 
notifying entity must include two or more of the following: toll-free 
telephone number; email address; website; within-application; or postal 
address. The Commission proposes this change to encourage and 
facilitate communication between the notifying entities and affected 
individuals. This modification is intended to avoid a scenario where, 
for example, a notifying entity regularly communicates with most of its 
customers via email and the notifying entity establishes a postal 
address as the only contact procedure for individuals to employ 
following a breach.

7. Proposed Changes To Improve Rule's Readability

    The Commission proposes several changes to improve the Rule's 
readability. Specifically, the Commission proposes to include 
explanatory parentheticals for internal cross-references, add statutory 
citations

[[Page 37829]]

in relevant places, consolidate notice and timing requirements in 
single sections, and revise the Enforcement section to state more 
plainly the penalties for non-compliance.
a. Explanatory Parentheticals and Statutory References
    Throughout the Rule, the Commission proposes to include explanatory 
parentheticals for each internal cross-reference and add statutory 
citations to help orient the reader.\72\ The Commission invites comment 
on whether the inclusion of explanatory parentheticals and statutory 
citations improves the Rule's readability and promotes comprehension.
---------------------------------------------------------------------------

    \72\ For example, the Commission proposes to add a statutory 
citation for the Recovery Act section referenced in the definition 
of ``unsecured,'' to improve the clarity and readability of this 
defined term. The revised definition would provide that 
``unsecured'' means PHR identifiable health information that is not 
protected through the use of a technology or methodology specified 
by the Secretary of Health and Human Services in the guidance issued 
under section 13402(h)(2) of the American Reinvestment and Recovery 
Act of 2009, 42 U.S.C. 17932(h)(2).
---------------------------------------------------------------------------

(1) Consolidated Notice and Timing Requirements
    To facilitate reader understanding, the Commission proposes 
consolidating into single sections, respectively, the Rule's breach 
notification and timing requirements. Currently, the breach 
notification requirements are located in sections 318.3 and 318.5 and 
the timing requirements are located in sections 318.4 and 318.5.
    To consolidate the Rule's notice requirements, the Commission 
proposes to move the provision in Sec.  318.5 (Methods of notice) 
requiring notice to the media (Sec.  318.5(b)) to Sec.  318.3. The 
Commission does not intend to make any substantive change to the breach 
notification requirements; this change is merely intended to 
consolidate breach notification requirements in a single section to 
improve readability and promote compliance.
    New Sec.  318.3(a)(3) would set forth the requirement to notify 
prominent media \73\ outlets serving a State or jurisdiction, following 
the discovery of a breach of security, if the unsecured PHR 
identifiable health information of 500 or more residents of such State 
or jurisdiction is, or is reasonably believed to have been, acquired 
during such breach. The Commission requests comment as to whether the 
consolidation of breach notification requirements improves the Rule's 
readability and will promote compliance.\74\
---------------------------------------------------------------------------

    \73\ See supra note 6.
    \74\ As noted above, the Commission does not intend this 
consolidation of timing requirements to have any effect on the 
substantive requirements of the Rule. In making this proposed 
change, minor revisions are required to Sec.  318.5(b). Section 
318.5(b) of the proposed Rule would provide: ``Notice to media. As 
described in Sec.  318.3(a)(3), a vendor of personal health records 
or PHR related entity shall provide notice to prominent media 
outlets serving a State or jurisdiction, following the discovery of 
a breach of security, if the unsecured PHR identifiable health 
information of 500 or more residents of such State or jurisdiction 
is, or is reasonably believed to have been, acquired during such 
breach.''
---------------------------------------------------------------------------

    Second, to consolidate requirements regarding the timing of 
notification, the Commission proposes moving timing requirements for 
notice to the FTC that appear in Sec.  318.5(c) of the current Rule to 
a new paragraph (b) in Sec.  318.4 of the proposed Rule. Accordingly, 
proposed Sec.  318.4(b) would now require vendors of personal health 
records and PHR related entities to notify the Commission as soon as 
possible and in no case later than ten business days following the date 
of discovery of the breach if the breach involves the unsecured PHR 
identifiable health information of 500 or more individuals. If the 
breach involves the unsecured PHR identifiable health information of 
fewer than 500 individuals, this section permits vendors of personal 
health records and PHR related entities, in lieu of immediate notice, 
to maintain a breach log and submit this log annually to the Federal 
Trade Commission no later than 60 calendar days following the end of 
the calendar year.\75\
---------------------------------------------------------------------------

    \75\ As noted above, the Commission does not intend this 
consolidation of timing requirements to have any effect on the 
substantive requirements of these sections. Section 318.5(c) of the 
proposed Rule would provide: ``(c) Notice to FTC. Vendors of 
personal health records and PHR related entities shall provide 
notice to the Federal Trade Commission following the discovery of a 
breach of security, as described in 318.4(b) (Timing of notice to 
FTC). If the breach involves the unsecured PHR identifiable health 
information of fewer than 500 individuals, the vendor of personal 
health records or PHR related entity may maintain a log of any such 
breach and submit such a log to the Federal Trade Commission as 
described in 318.4(b) (Timing of notice to FTC), documenting 
breaches from the preceding calendar year. All notices pursuant to 
this paragraph shall be provided according to instructions at the 
Federal Trade Commission's website.''
---------------------------------------------------------------------------

    Importantly, the Commission does not intend to make any substantive 
change to the timing requirements; this change is merely intended to 
consolidate timing requirements in a single section to improve 
readability and promote compliance. The Commission requests comment as 
to whether the inclusion of explanatory parentheticals and the proposed 
consolidation of timing requirements improves the Rule's readability 
and will promote compliance.
(2) Revised Enforcement Provision
    Commenters suggested that the Rule be revised to specify the 
penalties for non-compliance.\76\ Currently, the Rule provides that a 
violation of Sec.  318.3 shall be treated as an unfair or deceptive act 
or practice in violation of a regulation under section 18 of the FTC 
Act. The Commission proposes modifying Sec.  318.7 to make plain that a 
violation of the Rule constitutes a violation of a rule promulgated 
under section 18 of the FTC Act and is subject to civil penalties.
---------------------------------------------------------------------------

    \76\ See Bruce Grimm at 1 (``Areas of 16 CFR [p]art 318.5 method 
of notice could be enhanced by adding an option for consumers to 
text or use a quick response (QR) code generator to obtain data 
breach information that is on file. This coupled with a modification 
of 16 CFR [p]art 318.7 enforcement where the actual potential 
penalty for practice in violation of regulation is noted would act 
as a deterrent to non-compliance.''); All. for Nursing Informatics 
at 2 (``We offer the following additional considerations to update 
and improve the HBN Rule, including. . . . Identify sufficiently 
stringent penalties and monitoring for responsible management of 
identifiable PHI.'').
---------------------------------------------------------------------------

    Under section 18 of the FTC Act, 15 U.S.C. 57a, the Commission is 
authorized to prescribe ``rules which define with specificity acts or 
practices which are unfair or deceptive acts or practices in or 
affecting commerce'' within the meaning of section 5(a)(1) of the FTC 
Act, 15 U.S.C. 45(a)(1). Once the Commission has promulgated a trade 
regulation rule, anyone who violates the rule with actual knowledge, or 
knowledge fairly implied on the basis of objective circumstances, that 
such act is unfair or deceptive and is prohibited by such rule is 
liable for civil penalties for each violation. 15 U.S.C. 45(m)(1)(A). 
Entities that fail to comply with the Rule are subject to penalties of 
up to $50,120 per violation per day, and this amount is increased 
annually per the Federal Civil Penalties Inflation Adjustment Act 
Improvements Act of 2015.\77\ The Commission seeks comment on these 
proposed modifications to Sec.  318.7.
---------------------------------------------------------------------------

    \77\ 16 CFR 1.98; see also Federal Trade Commission, FTC 
Publishes Inflation-Adjusted Civil Penalty Amounts for 2022 (Jan. 6, 
2023), https://www.ftc.gov/news-events/news/press-releases/2023/01/ftc-publishes-inflation-adjusted-civil-penalty-amounts-2023.
---------------------------------------------------------------------------

III. Changes Considered but Not Proposed and on Which the Commission 
Seeks Public Comment

1. Defining Authorization and Affirmative Express Consent

    As noted above, when a health app or other device 
discloses sensitive health information without users' authorization, 
this is a ``breach of

[[Page 37830]]

security'' under the Rule. The Commission considered defining the term 
``authorization,'' which appears in Sec.  318.2(a)'s definition of 
``breach of security.'' Specifically, Sec.  318.2(a) defines ``breach 
of security,'' in relevant part, to mean the acquisition of unsecured 
PHR identifiable information of an individual in a personal health 
record without the ``authorization'' of the individual. The Commission 
considered defining ``authorization'' to mean the affirmative express 
consent of the individual, and then defining ``affirmative express 
consent,'' consistent with state laws that define consent, such as the 
California Consumer Privacy Rights Act, Cal. Civ. Code 1798.140(h).\78\ 
Such changes would ensure that notification is required anytime there 
is acquisition of unsecured PHR identifiable information without the 
individual's affirmative express consent for that acquisition--such as 
when an app discloses unsecured PHR identifiable information to another 
company, having obtained nominal ``consent'' from the individual by 
using a small, greyed-out, pre-selected checkbox following a page of 
dense legalese.
---------------------------------------------------------------------------

    \78\ The Commission considered defining ``affirmative express 
consent'' as follows:
    Affirmative express consent means any freely given, specific, 
informed, and unambiguous indication of an individual's wishes 
demonstrating agreement by the individual, such as by a clear 
affirmative action, following a clear and conspicuous disclosure to 
the individual, apart from any ``privacy policy,'' ``terms of 
service,'' ``terms of use,'' or other similar document, of all 
information material to the provision of consent. Acceptance of a 
general or broad terms of use or similar document that contains 
descriptions of agreement by the individual along with other, 
unrelated information, does not constitute affirmative express 
consent. Hovering over, muting, pausing, or closing a given piece of 
content does not constitute affirmative consent. Likewise, agreement 
obtained through use of user interface designed or manipulated with 
the substantial effect of subverting or impairing user autonomy, 
decision-making, or choice, does not constitute affirmative express 
consent.
---------------------------------------------------------------------------

    In considering whether to define ``authorization'' and 
``affirmative express consent,'' the Commission considered public 
comments that argued the Rule should do more to prevent data collection 
and use without the individual's consent.\79\ Defining these terms to 
emphasize the importance of meaningful consent would partially address 
the concerns of some commenters that privacy compliance obligations for 
entities not covered by HIPAA should be similar to obligations for 
HIPAA covered entities, both to ensure consistent protections for 
consumers' health information and to level the competitive playing 
field among companies holding that information.\80\
---------------------------------------------------------------------------

    \79\ Lisa McKeen at 1 (recommending that the Rule require 
``express written acknowledgement and consent of the consumer/
person(s) to which this information is personally owned''); Kaiser 
Permanente at 3 (``[T]he HBN Rule should require all [covered] 
entities to establish and follow notices of privacy and security 
practices [and] inform consumers about those notices in a prominent 
manner[.]''); AMA at 4-5 (identifying problems with consent structure 
and urging the Commission to presume ``unauthorized access'' ``when 
an entity fails to disclose to an individual the specific secondary 
recipients of the individual's data.''); AMIA at 2 (urging the 
Commission to presume that unauthorized access has occurred where an 
entity ``fails to adequately disclose to individuals how user data 
is accessed, processed, used, reused, and disclosed.'').
    \80\ E.g., OAG-CA at 5.
---------------------------------------------------------------------------

    The Commission is not, however, proposing to make those changes at 
this time, because the commentary to the current Rule already provides 
guidance on the types of disclosures that the Commission considers to 
be ``unauthorized.'' \81\ Further, recent Commission orders, such as 
GoodRx, also make clear that the use of ``dark patterns,'' which have 
the effect of manipulating or deceiving consumers, including through 
use of user interfaces designed with the substantial effect of 
subverting or impairing user autonomy and decision-making, do not 
satisfy the standard of ``meaningful choice.'' Finally, Commission 
settlements establish important guidelines involving authorization. For 
example, the Commission's recent settlement with GoodRx, alleging 
violations of the Rule, highlights that disclosures of PHR identifiable 
information inconsistent with a company's privacy promises constitute 
an unauthorized disclosure.
---------------------------------------------------------------------------

    \81\ See supra note 49.
---------------------------------------------------------------------------

    The Commission seeks public comment about whether the commentary 
above and FTC enforcement actions provide sufficient guidance to put 
companies on notice about their obligations for obtaining consumer 
authorization for disclosures, or whether defining the term 
``authorization'' would better inform companies of their compliance 
obligations.
    To the extent that including such definitions would be appropriate, 
the Commission seeks comment on the definitions of ``authorization'' 
and ``affirmative express consent,'' as described above, and the extent 
to which such definitions are consistent with the language and purpose 
of the Recovery Act. The Commission also seeks comment on what 
constitutes acceptable methods of authorization, particularly when 
unauthorized sharing is occurring. For example, the Commission seeks 
comment on the following: when a vendor of personal health records or a 
PHR-related entity is sharing information covered by the Rule, is it 
acceptable for that entity to obtain the individual's authorization to 
share that information when an individual clicks ``agree'' or 
``accept'' in connection with a pre-checked box disclosing such 
sharing? Is it sufficient if an individual agrees to terms and 
conditions disclosing such sharing but that individual is not required 
to review the terms and conditions? Or is it sufficient if an 
individual uses a health app that discloses in its privacy policy that 
such sharing occurs, but the app knows via technical means that the 
individual never interacts with the privacy policy?
    Relatedly, the Commission seeks comment on whether there are 
certain types of sharing for which authorization by consumers is 
implied, because such sharing is expected and/or necessary to provide a 
service to consumers. Finally, the Commission emphasizes that its 
decision to not define ``authorization'' or ``affirmative express 
consent'' does not mean that a ``breach of security'' is limited only 
to cybersecurity events.

2. Modifying Definition of Third Party Service Provider

    The Commission also considered modifying the definition of ``third 
party service provider.'' Under the Rule, a ``third party service 
provider'' means an entity that ``(1) [p]rovides services to a vendor 
of personal health records in connection with the offering or 
maintenance of a personal health record or to a PHR related entity in 
connection with a product or service offered by that entity; and (2) 
[a]ccesses, maintains, retains, modifies, records, stores, destroys, or 
otherwise holds, uses, or discloses unsecured PHR identifiable health 
information as a result of such services.'' \82\ The 2009 Notice of 
Proposed Rulemaking notes that third party service providers include, 
for example, entities that provide billing or data storage services to 
vendors of personal health records or PHR related entities.\83\ 
Although the Commission is not proposing to modify the definition of 
``third party service provider'' at this time, the Commission requests 
comment on certain issues related to the definition. Given 
technological changes and the proliferation of new business models that 
have occurred since the Rule's issuance, the Commission invites 
comments on the scope of entities that should be considered third party 
service providers under the Rule. While the 2009 Notice of Proposed 
Rulemaking provides examples of third party 
service providers, the examples are illustrative. For example, under 
the Rule, should all advertising and analytics providers and platforms 
be considered third party service providers anytime they access, 
maintain, retain, modify, record, store, destroy, or otherwise hold, 
use, or disclose unsecured PHR identifiable health information when 
providing services to vendors of personal health records and PHR 
related entities? Relatedly, the Commission requests comment on what it 
means to ``provide services'' under the Rule's definition.
---------------------------------------------------------------------------

    \82\ 16 CFR 318.2(h).
    \83\ 74 FR 17917 (Apr. 17, 2009) (``2009 Notice of Proposed 
Rulemaking'').
---------------------------------------------------------------------------

3. Changing Timing Requirements

    The Commission also weighed whether to propose changing the Rule's 
timing requirements. Specifically, the Commission considered public 
comments about whether the timing requirements were appropriate,\84\ 
introduced unnecessary delay,\85\ or did not give notifying entities 
sufficient time to investigate the facts of a breach.\86\ One commenter 
expressed concern that the timing requirements do not provide consumers 
with important information as soon as would be valuable to them and 
there is no compelling reason for delaying notice.\87\ Other 
commenters, however, expressed concern that entities experiencing a 
breach may not have sufficient information to be able to give the 
Commission a meaningful notification within 10 days.\88\ These 
commenters recommended that the Commission extend the 10-day 
requirement for the notice to the FTC, consistent with the HIPAA Health 
Breach Notification Rule, which requires notification to the Secretary 
of HHS without unreasonable delay and in no case later than 60 calendar 
days following a breach.\89\ Commission staff also consulted staff at 
HHS about its experience enforcing the HIPAA Health Breach Notification 
Rule regarding the timing requirements in that rule.
---------------------------------------------------------------------------

    \84\ Lisa McKeen at 5; CHIME at 3; WEDI at 2.
    \85\ Hilal Johnson at 1.
    \86\ CARIN All. at 2; Allscripts at 2; Kaiser at 10.
    \87\ Hilal Johnson at 1.
    \88\ CARIN All. at 2; Allscripts at 2; Kaiser at 10.
    \89\ 45 CFR 164.408 (referencing timing requirement in 404).
---------------------------------------------------------------------------

    Although the Commission has not proposed any timing changes, the 
Commission requests comments on several issues related to timing. 
First, the Commission requests comment about the timing of 
notifications to consumers. In particular, the Commission requests 
comment regarding whether earlier notification of consumers would 
better protect them or whether it would lead to partial notifications, 
because the entity experiencing the breach may not have had time to 
identify all the relevant facts. Second, the Commission also requests 
additional comment on the timing of the notification to the FTC: 
whether it should extend the timeline to give entities more time to 
investigate breaches and better ascertain the number of affected 
individuals or whether an extension would simply facilitate dilatory 
action and minimize the opportunity for an important dialogue with 
Commission staff during the fact-gathering stage immediately following 
a breach.

IV. Paperwork Reduction Act

    The Commission is submitting this Notice of Proposed Rulemaking and 
a Supporting Statement to the Office of Management and Budget (``OMB'') 
for review under the Paperwork Reduction Act (``PRA'') (44 U.S.C. 3501-
3521). The breach notification requirements discussed above constitute 
``collections of information'' for purposes of the PRA. See 5 CFR 
1320.3(c). OMB has approved the Rule's existing information collection 
requirements through July 31, 2025 (OMB Control No. 3084-0150).
    The proposed amendments to 16 CFR part 318 would likely result in 
more reportable breaches by covered entities to the FTC. In the event 
of a breach of security, the proposed Rule would require covered firms 
to investigate and, if certain conditions are met, notify consumers and 
the Commission.\90\
---------------------------------------------------------------------------

    \90\ Third party service providers who experience a breach are 
required to notify the vendor of personal health records or PHR 
related entity, and then this firm would be required to notify 
consumers. The Commission expects that the cost of notification to 
third party service providers would be small, relative to the 
entities who have to notify consumers. The Commission invites 
comment on this issue and data that may be used to quantify the 
costs to third party service providers.
---------------------------------------------------------------------------

    Accordingly, staff has estimated the burdens associated with these 
proposed information collection requirements as set forth below.
    Based on industry reports, staff estimates that the Commission's 
proposed information collection requirements will cover approximately 
170,000 entities, which, in the event that they experience a breach, 
may be required to notify consumers and the Commission. While there are 
approximately 1.8 million apps in the Apple App Store \91\ and 2.7 
million apps in the Google Play Store,\92\ as of November 2022 it 
appears that roughly 170,000 of the apps offered in either store are 
categorized as ``Health and Fitness.'' \93\ This figure for apps is a 
rough proxy for all covered PHRs, because most websites and connected 
health devices that would be subject to the Rule act in conjunction 
with an app.
---------------------------------------------------------------------------

    \91\ See App Store--Apple, https://www.apple.com/app-store/ and 
App Store Data (2023)--Business of Apps, https://www.businessofapps.com/data/app-stores/.
    \92\ App Store Data (2023)--Business of Apps, https://www.businessofapps.com/data/app-stores/.
    \93\ See App Store Data (2023), supra note 91, which reports 
78,764 apps in the Apple App Store and 91,743 apps in the Google 
Play Store were categorized as ``Health and Fitness'' apps as of 
November 2022. This figure is likely both under- and over-inclusive. 
For example, this figure does not include apps categorized elsewhere 
(i.e., outside ``Health and Fitness'') that may be PHRs. However, at 
the same time, this figure also overestimates the number of covered 
entities, since many developers make more than one app.
---------------------------------------------------------------------------

    Staff estimates that these entities will, cumulatively, experience 
71 breaches per year for which notification may be required. With the 
proviso that there is insufficient data at this time about the number 
and incidence rate of breaches at entities covered by the Commission's 
Rule (due to underreporting prior to issuance of the Policy Statement), 
staff determined the number of estimated breaches by calculating the 
breach incidence rate for HIPAA-covered entities, and then applied this 
rate to the estimated total number of entities that will be subject to 
the proposed Rule.\94\ Additionally, as the number of breaches per year 
grew significantly in the recent years,\95\ and staff expects this 
trend to continue, staff relied on the average number of breaches in 
2021 and 2022 to estimate the annual breach incidence rate for HIPAA-
covered entities.
---------------------------------------------------------------------------

    \94\ Staff used information publicly available from HHS on HIPAA 
related breaches because the HIPAA Breach Notification Rule is 
similarly constructed. However, while there are similarities between 
HIPAA-covered entities and HBNR-covered entities, it is not 
necessarily the case that rates of breaches would follow the same 
pattern. For instance, HIPAA-covered entities are generally subject 
to stronger data security requirements under HIPAA, but also may be 
more likely targets for security incidents (e.g., ransomware attacks 
on hospitals and other medical treatment centers covered by HIPAA 
have increased dramatically in recent years); thus, this number 
could be an under- or overestimate of the number of potential 
breaches per year.
    \95\ According to the HHS Office for Civil Rights (``OCR''), the 
number of breaches per year grew from 358 in 2017 to 715 breaches in 
2021 and 717 breaches in 2022. See Breach Portal, U.S. Dep't of 
Health & Human Servs., Office for Civil Rights, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (visited on March 2, 
2023). The data was downloaded on March 2, 2023, resulting in 
limited data for 2023. Thus, breaches from 2023 were not considered. 
However, breach investigations that remain open (under 
investigation) are included in the count of yearly breaches.
---------------------------------------------------------------------------

    Specifically, the HHS Office for Civil Rights (``OCR'') reported 
715 breaches in 2021 and 717 breaches in 2022,\96\ which results in an 
average of 716 breaches for 2021 and 2022. Based on the 1.7 million 
entities that 
are covered by the HIPAA Breach Notification Rule \97\ and the average 
number of breaches for 2021 and 2022, staff determined an annual breach 
incidence rate of 0.00042 (716/1.7 million). Accordingly, multiplying 
the breach incidence rate (0.00042) by the estimated number of entities 
covered by the proposed information collection requirements (170,000) 
results in an estimated 71 breaches per year.
---------------------------------------------------------------------------

    \96\ See Breach Portal, U.S. Dep't of Health & Human Servs., 
Office for Civil Rights, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (visited on March 2, 2023).
    \97\ In a recent Federal Register Notice (``FRN'') on Proposed 
Modifications to the HIPAA Privacy Rule to Support, and Remove 
Barriers to, Coordinated Care and Individual Engagement, OCR 
proposes increasing the number of covered entities from 700,000 to 
774,331. 86 FR 6446, 6497 (Jan. 21, 2021). The FRN also lists the 
number of covered Business Associates as 1,000,000 (Table 2).
---------------------------------------------------------------------------

Costs
    To determine the costs for purposes of this analysis, staff has 
developed estimates for two categories of potential costs: (1) the 
estimated annual burden hours and labor cost of determining what 
information has been breached, identifying the affected customers, 
preparing the breach notice, and making the required report to the 
Commission; and (2) the estimated capital and other non-labor costs 
associated with notifying consumers.
    Estimated Annual Burden Hours: 10,650.
    Estimated Annual Labor Cost: $720,579.
    First, to determine what information has been breached, identify 
the affected customers, prepare the breach notice, and make the 
required report to the Commission, staff estimates that covered firms 
will require per breach, on average, 150 hours of employee labor at a 
cost of $10,149.\98\ This estimate does not include the cost of 
equipment or other tangible assets of the breached firms because they 
likely will use the equipment and other assets they have for ordinary 
business purposes. Based on the estimate that there will be 71 breaches 
per year, the annual hours of burden for affected entities will be 
10,650 hours (150 hours x 71 breaches) with an associated labor cost of 
$720,579 (71 breaches x $10,149).
---------------------------------------------------------------------------

    \98\ This estimate is the sum of 40 hours of marketing 
managerial time (at an average wage of $73.77), 40 hours of computer 
programmer time ($46.46), 20 hours of legal staff ($71.17), 50 hours 
of computer and information systems managerial time ($78.33). See 
Occupational Employment and Wage Statistics, U.S. Bureau of Labor 
Statistics (May 2021), https://www.bls.gov/oes/current/oes_nat.htm#00-0000.
---------------------------------------------------------------------------

    Estimated Capital and Other Non-Labor Costs: $49,463,046.
    The capital and non-labor costs associated with breach 
notifications depend upon the number of consumers contacted and 
whether covered firms are likely to retain the services of a forensic 
expert. For breaches affecting large numbers of consumers, covered 
firms are likely to retain the services of a forensic expert. FTC staff 
estimates that, for each breach requiring the services of forensic 
experts, forensic experts may spend approximately 40 hours to assist in 
the response to the cybersecurity intrusion, at an estimated cost of 
$20,000.\99\ FTC staff estimates that the services of forensic experts 
will be required in 60% of the 71 breaches. Based on the estimate that 
there will be 43 breaches per year requiring forensic experts (60% x 71 
breaches), the annual hours burden for affected entities will be 1,720 
hours (43 breaches requiring forensic experts x 40 hours) with an 
associated cost of $860,000 (43 breaches requiring forensic experts x 
$20,000).
---------------------------------------------------------------------------

    \99\ This estimate is the sum of 40 hours of forensic expert 
time at a cost of $500 per hour, which yields a total cost of 
$20,000 (40 hours x $500/hour).
---------------------------------------------------------------------------

    Using the data on HIPAA-covered breach notices available from HHS 
for the years 2021-2022, FTC staff estimates that the average number of 
individuals affected per breach is 62,402.\100\ Given an estimated 71 
breaches per year, FTC staff estimates an average of 4,430,542 
consumers per year will receive a breach notification (71 breaches x 
62,402 individuals per breach).
---------------------------------------------------------------------------

    \100\ HHS Breach Data, supra note 96 (mean of Individuals 
Affected during breaches 2017-2022). This analysis uses the last six 
years of HHS breach data to generate the average, in order to 
account for the variation in number of individuals affected by 
breaches observed in the HHS data over time.
---------------------------------------------------------------------------

    Based on a recent study of data breach costs, staff estimates the 
cost of providing notice to consumers to be $10.97 per breached 
record.\101\ This estimate includes the costs of electronic notice, 
letters, outbound calls or general notice to data subjects; and 
engagement of outside experts.\102\ Applied to the above-stated 
estimate of 4,430,542 consumers per year receiving breach notification 
yields an estimated total annual cost for all forms of notice to 
consumers of $48,603,046 (4,430,542 consumers x $10.97 per record). The 
estimated capital and non-labor costs total $49,463,046 ($860,000 + 
$48,603,046).
---------------------------------------------------------------------------

    \101\ See IBM Security, Costs of a Data Breach Report 2022 
(2022), https://www.ibm.com/reports/data-breach (``2022 IBM Security 
Report''). The research for the 2022 IBM Security Report is 
conducted independently by the Ponemon Institute, and the results 
are reported and published by IBM Security. Figure 2 of the 2022 IBM 
Security Report shows that cost per record of a breach was $164 per 
record in 2022 and $161 in 2021, resulting in an average cost of 
$162.50. Figure 5 of the 2022 IBM Security Report shows that 7.1% 
($0.31m/$4.35m) of the average cost of a data breach are due to 
``Notification'' costs. The fraction of average breach costs due to 
``Notification'' were 6.4% the previous year (IBM Security, Costs of 
a Data Breach Report 2021). Using the average of these numbers, 
staff estimates that notification costs per record across the two 
years are 6.75% x $162.50 = $10.97 per record.
    \102\ See 2022 IBM Security Report at 54.
---------------------------------------------------------------------------
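The estimate chain above (an incidence rate from the OCR breach counts, labor hours and wages from footnote 98, forensic engagements from footnote 99, and a per-record notification cost from footnote 101) can be carried through as a small parameterised model, which makes it easy to re-run the arithmetic under different assumptions. The following is an added example and not part of the notice; every default value is a figure the notice itself states, the model rounds at the same points the notice does (the incidence rate to five decimals, breach counts to whole breaches, the per-record cost to cents), and the function and field names are this example's own.

```python
"""Parameterised reproduction of the PRA burden arithmetic in section IV.

Added example, not part of the Federal Register notice. Every default value
below is a figure stated in the notice or its footnotes 94-102; the
function and field names are assumptions of this example.
"""
from dataclasses import dataclass, replace
from statistics import mean

# Footnote 98: (role, hours per breach, mean hourly wage from BLS OES May 2021).
LABOR_PROFILE = (
    ("marketing manager", 40, 73.77),
    ("computer programmer", 40, 46.46),
    ("legal staff", 20, 71.17),
    ("computer and information systems manager", 50, 78.33),
)


@dataclass(frozen=True)
class BurdenInputs:
    """Assumptions of the estimate, defaulted to the notice's own figures."""
    hipaa_breaches_by_year: tuple = (715, 717)       # OCR breach portal, 2021 and 2022
    hipaa_entities: int = 1_700_000                  # covered entities plus business associates (fn. 97)
    covered_entities: int = 170_000                  # "Health and Fitness" app proxy (fn. 93)
    labor_profile: tuple = LABOR_PROFILE
    forensic_share: float = 0.60                     # share of breaches needing forensic experts
    forensic_hours: int = 40                         # hours per engagement (fn. 99)
    forensic_rate: int = 500                         # dollars per hour (fn. 99)
    individuals_per_breach: int = 62_402             # mean individuals affected (fn. 100)
    cost_per_record_by_year: tuple = (164.0, 161.0)  # IBM/Ponemon 2022 and 2021 (fn. 101)
    notify_share_by_year: tuple = (0.071, 0.064)     # "Notification" share of breach cost (fn. 101)


def estimate(inp: BurdenInputs = BurdenInputs()) -> dict:
    """Carry the notice's estimate chain through, rounding where the notice does."""
    # Incidence rate: mean HIPAA breaches per HIPAA-covered entity, to five decimals.
    breach_rate = round(mean(inp.hipaa_breaches_by_year) / inp.hipaa_entities, 5)
    breaches = round(breach_rate * inp.covered_entities)  # whole breaches per year

    # Labor burden: hours and wage-weighted cost per breach, then per year.
    hours_per_breach = sum(h for _, h, _ in inp.labor_profile)
    cost_per_breach = round(sum(h * w for _, h, w in inp.labor_profile))
    labor_hours = hours_per_breach * breaches
    labor_cost = cost_per_breach * breaches

    # Forensic experts: only a share of breaches, rounded to whole breaches.
    forensic_breaches = round(inp.forensic_share * breaches)
    forensic_hours = forensic_breaches * inp.forensic_hours
    forensic_cost = forensic_hours * inp.forensic_rate

    # Consumer notice: two-year mean notification share times two-year mean
    # cost per record, rounded to cents, applied to every affected individual.
    per_record = round(mean(inp.notify_share_by_year) * mean(inp.cost_per_record_by_year), 2)
    consumers = breaches * inp.individuals_per_breach
    notice_cost = round(consumers * per_record)

    return {
        "breach_rate": breach_rate,
        "breaches_per_year": breaches,
        "hours_per_breach": hours_per_breach,
        "cost_per_breach": cost_per_breach,
        "labor_hours": labor_hours,
        "labor_cost": labor_cost,
        "forensic_breaches": forensic_breaches,
        "forensic_hours": forensic_hours,
        "forensic_cost": forensic_cost,
        "consumers_notified": consumers,
        "cost_per_record": per_record,
        "notice_cost": notice_cost,
        "nonlabor_cost": forensic_cost + notice_cost,
    }


def sensitivity(field_name: str, values, base: BurdenInputs = BurdenInputs()) -> dict:
    """Total capital and non-labor cost as one assumption varies, others fixed."""
    return {v: estimate(replace(base, **{field_name: v}))["nonlabor_cost"] for v in values}


if __name__ == "__main__":
    for key, value in estimate().items():
        print(f"{key:>20}: {value:,}")
    # How far the headline figure moves if every breach needs forensic help,
    # or if the mean breach affects twice as many people as the HHS average.
    print(sensitivity("forensic_share", (0.6, 1.0)))
    print(sensitivity("individuals_per_breach", (62_402, 124_804)))
```

Run as a script, the model reproduces the notice's figures (71 breaches, 10,650 labor hours, $720,579 labor cost, 43 forensic engagements, $860,000, 4,430,542 consumers, $10.97 per record, $49,463,046 total). The sensitivity helper shows which assumption the total is most exposed to; the per-record notice cost and the mean breach size dominate, which is why the notice's caveats in footnotes 94 and 100 matter more than the labor-hour assumptions.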

    Staff notes that these estimates likely overstate the costs imposed 
by the proposed Rule because: (1) they assume that all entities covered 
by the Rule will be required to take all the steps described above; and 
(2) staff made conservative assumptions in developing many of the 
underlying estimates. Moreover, many entities covered by the Rule 
already have similar notification obligations under state data breach 
laws.\103\ In addition, the Commission has taken several steps designed 
to limit the potential burden on covered entities that are required to 
provide notice, including by providing exemplar notices that entities 
may choose to use if they are required to provide notifications and 
proposing expanded use of electronic notifications.
---------------------------------------------------------------------------

    \103\ Many state data breach notification statutes require 
notification when a breach occurs involving certain health or 
medical information of individuals in that state. See, e.g., Ala. 
Code 8-38-1 et seq.; Alaska Stat. 45.48.010 et seq.; Ariz. Rev. 
Stat. 18-551 et seq.; Ark. Code 4-110-101 et seq.; Cal. Civ. Code 
1798.80 et seq.; Cal. Health & Safety Code 1280.15; Colo. Rev. Stat. 
6-1-716; Del. Code Ann. tit. 6 12B-101 et seq.; DC Code 28-3851 et 
seq.; Fla. Stat. 501.171; 815 Ill. Comp. Stat. 530/5 et seq.; Md. 
Code Com. Law 14-3501 et seq.; Mo. Rev. Stat. 407.1500; Nev. Rev. 
Stat. 603A.010 et seq.; N.H. Rev. Stat. 359-C:19-C:21; N.H. Rev. 
Stat. 332-I:5; N.D. Cent. Code 51-30-01-07; Or. Rev. Stat. 646A.600-
646A.628; R.I. Gen. Laws 11-49.3-1-11-49.3-6; SDCL 22-40-19-22-40-
26; Tex. Bus. & Com. Code 521.002, 521.053, 521.151-152; 9 V.S.A. 
2430, 2435; Va. Code 18.2-186.6; Va. Code 32.1-127.1:05; Va. Code 
58.1-341.2; Wash. Rev. Code 19.255.010 et seq.
---------------------------------------------------------------------------

    The Commission invites comments on: (1) whether the proposed 
collection of information is necessary for the proper performance of 
the functions of the FTC, including whether the information will have 
practical utility; (2) the accuracy of the FTC's estimate of the burden 
of the proposed collection of information; (3) ways to enhance the 
quality, utility, and clarity of the information to be collected; and 
(4) ways to minimize the burden of collecting information on those who 
respond.
    Written comments and recommendations for the proposed information 
collection should also be sent within 30 days of publication of this 
document to https://www.reginfo.gov/public/do/PRAMain. Find this 
particular information collection by selecting ``Currently 
under Review--Open for Public Comments'' or by using the search 
function. The reginfo.gov web link is a United States Government 
website produced by OMB and the General Services Administration 
(``GSA''). Under PRA requirements, OMB's Office of Information and 
Regulatory Affairs (``OIRA'') reviews Federal information collections.

V. Regulatory Flexibility Act

    The Regulatory Flexibility Act (``RFA''), 5 U.S.C. 601 et seq., 
requires that the Commission conduct an analysis of the anticipated 
economic impact of the proposed amendment on small entities. The 
purpose of a regulatory flexibility analysis is to ensure that an 
agency considers potential impacts on small entities and examines 
regulatory alternatives that could achieve the regulatory purpose while 
minimizing burdens on small entities. The RFA requires that the 
Commission provide an Initial Regulatory Flexibility Analysis 
(``IRFA'') with a proposed rule and a Final Regulatory Flexibility 
Analysis (``FRFA'') with a final rule, if any, unless the Commission 
certifies that the proposed rule will not have a significant economic 
impact on a substantial number of small entities. 5 U.S.C. 605.
    The Commission believes that the proposed amendment would not have 
a significant economic impact upon small entities, although it may 
affect a substantial number of small businesses. Among other things, 
the proposed amendments clarify certain definitions, revise the 
disclosures that must accompany notice of a breach under the Rule, and 
modernize the methods of notice to allow additional use of electronic 
notice such as email by entities affected by a breach. In addition, the 
proposed amendments improve the Rule's readability by clarifying cross-
references and adding statutory citations. The Commission does not 
anticipate these changes will add significant additional costs to 
entities covered by the Rule and the revisions to allow additional use 
of electronic notice may reduce costs for many entities covered by the 
Rule. Therefore, based on available information, the Commission 
certifies that amending the Rule as proposed will not have a 
significant economic impact on a substantial number of small entities. 
Although the Commission certifies under the RFA that the proposed 
amendment would not, if promulgated, have a significant impact on a 
substantial number of small entities, the Commission has determined, 
nonetheless, that it is appropriate to publish an IRFA to inquire into 
the impact of the proposed amendment on small entities. Therefore, the 
Commission has prepared the following analysis:

1. Description of the Reasons That Action by the Agency Is Being 
Considered

    The Commission conducts a review of each of its rules ten years 
after issuance. In May 2020, the Commission requested public comment on 
whether technological and business changes warranted any changes to the 
Rule. After careful review of the comments received, the Commission 
concludes that there is a need to update certain Rule provisions. 
Therefore, it proposes modifications to the Rule as described in 
sections I and II.

2. Statement of the Objectives of, and Legal Basis for, the Proposed 
Rule

    The objective of the proposed changes is to clarify existing notice 
obligations for entities covered by the Rule. The legal basis for the 
proposed Rule is section 13407 of the Recovery Act.

3. Description and Estimate of the Number of Small Entities to Which 
the Proposed Rule Will Apply

    The proposed amendments, like the current Rule, will apply to 
vendors of personal health records, PHR related entities, and third 
party service providers, including developers and purveyors of health 
apps, connected health devices, and similar technologies. As discussed 
in the Commission's PRA estimates above, FTC staff estimates that the 
proposed Rule will apply to approximately 170,000 entities. The 
Commission estimates that a substantial number of these entities likely 
qualify as small businesses. According to the Statistics on Small 
Businesses Census data, approximately 94% of ``Software Publishers'' 
(the category to which health and fitness apps belong) are small 
businesses.\104\ The Commission invites comment and information on this 
issue.
---------------------------------------------------------------------------

    \104\ 2017 SUSB Annual Data Tables by Establishment Industry, 
U.S. Census Bureau (May 2021), https://www.census.gov/data/tables/2017/econ/susb/2017-susb-annual.html. The U.S. Small Business 
Administration (``SBA'') categorizes Software Publishers as a small 
business if the annual receipts are less than $41.5 million.
---------------------------------------------------------------------------

4. Projected Reporting, Recordkeeping and Other Compliance Requirements

    The Recovery Act and the proposed Rule impose certain reporting 
requirements within the meaning of the PRA. The proposed Rule will 
clarify which entities are subject to those reporting requirements. The 
Commission is seeking clearance from OMB for these requirements. 
Specifically, the Act and proposed Rule require vendors of personal 
health records and PHR related entities to provide notice to consumers, 
the Commission, and in some cases the media in the event of a breach of 
unsecured PHR identifiable health information. The Act and proposed 
Rule also require third party service providers to provide notice to 
vendors of personal health records and PHR related entities in the 
event of such a breach. If a breach occurs, each entity covered by Act 
and proposed Rule will expend costs to determine the extent of the 
breach and the individuals affected. If the entity is a vendor of 
personal health records or PHR related entity, additional costs will 
include the costs of preparing a breach notice, notifying the 
Commission, compiling a list of consumers to whom a breach notice must 
be sent, and sending a breach notice. Such entities may incur 
additional costs in locating consumers who cannot be reached, and in 
certain cases, posting a breach notice on a website, notifying 
consumers through media advertisements, or sending breach notices 
through press releases to media outlets.
    In-house costs may include technical costs to determine the extent 
of breaches; investigative costs of conducting interviews and gathering 
information; administrative costs of compiling address lists; 
professional/legal costs of drafting the notice; and potentially, costs 
for postage, web posting, and/or advertising. Costs may also include 
the purchase of services of a forensic expert. The Commission seeks 
further comment on the costs and burdens of small entities in complying 
with the requirements of the proposed Rule.

5. Other Duplicative, Overlapping, or Conflicting Federal Rules

    The FTC has not identified any other Federal statutes, rules, or 
policies currently in effect that would conflict with the proposed 
Rule. The HIPAA Breach Notification Rule applies to HIPAA-covered 
entities; the proposed Rule does not. The Commission invites comment 
and information about any potentially duplicative, overlapping, or 
conflicting Federal statutes, rules, or policies.

[[Page 37834]]

6. Description of Any Significant Alternatives to the Proposed Rule

    In drafting the proposed Rule, the Commission has made every effort 
to avoid unduly burdensome requirements for entities. In particular, 
the Commission believes that the proposed changes to facilitate 
electronic notice will assist small entities by significantly reducing 
the costs of sending breach notices. In addition, the Commission is 
also proposing exemplar notices that entities covered by the Rule may 
use, in their discretion, to notify individuals. The Commission 
anticipates that these exemplar notices will further reduce the 
potential burden on entities that are required to provide notice under 
the Rule. The Commission is not aware of alternative methods of 
compliance that will reduce the impact of the proposed Rule on small 
entities, while also comporting with the Recovery Act. The statutory 
requirements are specific as to the timing, method, and content of 
notice. Accordingly, the Commission seeks comment and information on 
ways in which the Rule could be modified to reduce any costs or burdens 
for small entities consistent with the Recovery Act's mandated 
requirements.

VI. Instructions for Submitting Comments

    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before August 8, 2023. 
Write ``Health Breach Notification Rule, Project No. P205405'' on the 
comment. Your comment, including your name and your state, will be 
placed on the public record of this proceeding, including the 
https://www.regulations.gov website.
    Because of the agency's heightened security screening, postal mail 
addressed to the Commission is subject to delay. We strongly encourage 
you to submit your comments online through the https://www.regulations.gov 
website. To make sure the Commission considers your online comment, 
please follow the instructions on the web-based form.
    If you file your comment on paper, write ``Health Breach 
Notification Rule, Project No. P205405'' on your comment and on the 
envelope, and mail your comment to the following address: Federal Trade 
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite 
CC-5610 (Annex H), Washington, DC 20580.
    Because your comment will be placed on the publicly accessible 
website at https://www.regulations.gov, you are solely responsible for 
making sure that your comment does not include any sensitive or 
confidential information. In particular, your comment should not 
include any sensitive personal information, such as your or anyone 
else's Social Security number; date of birth; driver's license number 
or other state identification number, or foreign country equivalent; 
passport number; financial account number; or credit or debit card 
number. You are also solely responsible for making sure that your 
comment does not include any sensitive health information, such as 
medical records or other individually identifiable health information. 
In addition, your comment should not include any ``trade secret or any 
commercial or financial information which . . . is privileged or 
confidential''--as provided by section 6(f) of the FTC Act, 15 U.S.C. 
46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)--including in 
particular competitively sensitive information such as costs, sales 
statistics, inventories, formulas, patterns, devices, manufacturing 
processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular, 
the written request for confidential treatment that accompanies the 
comment must include the factual and legal basis for the request and 
must identify the specific portions of the comment to be withheld from 
the public record. Your comment will be kept confidential only if the 
FTC's General Counsel grants your request in accordance with the law 
and the public interest. Once your comment has been posted publicly at 
www.regulations.gov, we cannot redact or remove your comment unless you 
submit a confidentiality request that meets the requirements for such 
treatment under FTC Rule 4.9(c), and the FTC's General Counsel grants 
that request.
    Visit the FTC website to read this document and the news release 
describing it. The FTC Act and other laws that the Commission 
administers permit the collection of public comments to consider and 
use in this proceeding as appropriate. The Commission will consider all 
timely and responsive public comments that it receives on or before 
August 8, 2023. For information on the Commission's privacy policy, 
including routine uses permitted by the Privacy Act, see 
https://www.ftc.gov/site-information/privacy-policy.

List of Subjects in 16 CFR Part 318

    Breach, Consumer protection, Health, Privacy, Reporting and 
recordkeeping requirements, Trade practices.

    For the reasons set out in this document, the Commission proposes 
to amend part 318 of title 16 of the Code of Federal Regulations as 
follows:

■ 1. Revise part 318 to read as follows:

PART 318--HEALTH BREACH NOTIFICATION RULE

Sec.
318.1 Purpose and scope.
318.2 Definitions.
318.3 Breach notification requirement.
318.4 Timeliness of notification.
318.5 Methods of notice.
318.6 Content of notice.
318.7 Enforcement.
318.8 Effective date.
318.9 Sunset.

    Authority:  42 U.S.C. 17937 and 17953.


318.1  Purpose and scope.

    (a) This part, which shall be called the ``Health Breach 
Notification Rule,'' implements section 13407 of the American Recovery 
and Reinvestment Act of 2009, 42 U.S.C. 17937. It applies to foreign 
and domestic vendors of personal health records, PHR related entities, 
and third party service providers, irrespective of any jurisdictional 
tests in the Federal Trade Commission (FTC) Act, that maintain 
information of U.S. citizens or residents. It does not apply to HIPAA-
covered entities, or to any other entity to the extent that it engages 
in activities as a business associate of a HIPAA-covered entity.
    (b) This part preempts state law as set forth in section 13421 of 
the American Recovery and Reinvestment Act of 2009, 42 U.S.C. 17951.


318.2  Definitions.

    (a) Breach of security means, with respect to unsecured PHR 
identifiable health information of an individual in a personal health 
record, acquisition of such information without the authorization of 
the individual. Unauthorized acquisition will be presumed to include 
unauthorized access to unsecured PHR identifiable health information 
unless the vendor of personal health records, PHR related entity, or 
third party service provider that experienced the breach has reliable 
evidence showing that there has not been, or could not reasonably have 
been, unauthorized acquisition of such information. A breach of 
security includes an unauthorized acquisition of unsecured PHR 
identifiable health information in a personal health record that 
occurs as a result of a data breach or an unauthorized disclosure.
    (b) Business associate means a business associate under the Health 
Insurance Portability and Accountability Act, Public Law 104-191, 110 
Stat. 1936, as defined in 45 CFR 160.103.
    (c) Clear and conspicuous means that a notice is reasonably 
understandable and designed to call attention to the nature and 
significance of the information in the notice.
    (1) Reasonably Understandable: You make your notice reasonably 
understandable if you:
    (i) Present the information in the notice in clear, concise 
sentences, paragraphs, and sections;
    (ii) Use short explanatory sentences or bullet lists whenever 
possible;
    (iii) Use definite, concrete, everyday words and active voice 
whenever possible;
    (iv) Avoid multiple negatives;
    (v) Avoid legal and highly technical business terminology whenever 
possible; and
    (vi) Avoid explanations that are imprecise and readily subject to 
different interpretations.
    (2) Designed to call attention. You design your notice to call 
attention to the nature and significance of the information in it if 
you:
    (i) Use a plain-language heading to call attention to the notice;
    (ii) Use a typeface and type size that are easy to read;
    (iii) Provide wide margins and ample line spacing;
    (iv) Use boldface or italics for key words; and
    (v) In a form that combines your notice with other information, use 
distinctive type size, style, and graphic devices, such as shading or 
sidebars, when you combine your notice with other information. The 
notice should stand out from any accompanying text or other visual 
elements so that it is easily noticed, read, and understood.
    (3) Notices on websites or within-application messaging. If you 
provide a notice on a web page or using within-application messaging, 
you design your notice to call attention to the nature and significance 
of the information in it if you use text or visual cues to encourage 
scrolling down the page if necessary to view the entire notice and 
ensure that other elements on the website or software application (such 
as text, graphics, hyperlinks, or sound) do not distract attention from 
the notice, and you either:
    (i) Place the notice on a screen that consumers frequently access, 
such as a page on which transactions are conducted; or
    (ii) Place a link on a screen that consumers frequently access, 
such as a page on which transactions are conducted, that connects 
directly to the notice and is labeled appropriately to convey the 
importance, nature and relevance of the notice.
    (d) Electronic mail means (1) email in combination with one or more 
of the following: (2) text message, within-application messaging, or 
electronic banner.
    (e) Health care services or supplies includes any online service 
such as a website, mobile application, or internet-connected device 
that provides mechanisms to track diseases, health conditions, 
diagnoses or diagnostic testing, treatment, medications, vital signs, 
symptoms, bodily functions, fitness, fertility, sexual health, sleep, 
mental health, genetic information, diet, or that provides other 
health-related services or tools.
    (f) Health care provider means a provider of services (as defined 
in 42 U.S.C. 1395x(u)), a provider of medical or other health services 
(as defined in 42 U.S.C. 1395x(s)), or any other entity furnishing 
health care services or supplies.
    (g) HIPAA-covered entity means a covered entity under the Health 
Insurance Portability and Accountability Act, Public Law 104-191, 110 
Stat. 1936, as defined in 45 CFR 160.103.
    (h) Personal health record means an electronic record of PHR 
identifiable health information on an individual that has the technical 
capacity to draw information from multiple sources and that is managed, 
shared, and controlled by or primarily for the individual.
    (i) PHR identifiable health information means information:
    (1) That is provided by or on behalf of the individual;
    (2) That identifies the individual or with respect to which there 
is a reasonable basis to believe that the information can be used to 
identify the individual;
    (3) Relates to the past, present, or future physical or mental 
health or condition of an individual, the provision of health care to 
an individual, or the past, present, or future payment for the 
provision of health care to an individual; and
    (4) Is created or received by a:
    (i) health care provider;
    (ii) health plan (as defined in 42 U.S.C. 1320d(5));
    (iii) employer; or
    (iv) health care clearinghouse (as defined in 42 U.S.C. 1320d(2)).
    (j) PHR related entity means an entity, other than a HIPAA-covered 
entity or an entity to the extent that it engages in activities as a 
business associate of a HIPAA-covered entity, that:
    (1) Offers products or services through the website, including any 
online service, of a vendor of personal health records;
    (2) Offers products or services through the websites, including any 
online service, of HIPAA-covered entities that offer individuals 
personal health records; or
    (3) Accesses unsecured PHR identifiable health information in a 
personal health record or sends unsecured PHR identifiable health 
information to a personal health record.
    (k) State means any of the several States, the District of 
Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and 
the Northern Mariana Islands.
    (l) Third party service provider means an entity that:
    (1) Provides services to a vendor of personal health records in 
connection with the offering or maintenance of a personal health record 
or to a PHR related entity in connection with a product or service 
offered by that entity; and
    (2) Accesses, maintains, retains, modifies, records, stores, 
destroys, or otherwise holds, uses, or discloses unsecured PHR 
identifiable health information as a result of such services.
    (m) Unsecured means PHR identifiable information that is not 
protected through the use of a technology or methodology specified by 
the Secretary of Health and Human Services in the guidance issued under 
section 13402(h)(2) of the American Reinvestment and Recovery Act of 
2009, 42 U.S.C. 17932(h)(2).
    (n) Vendor of personal health records means an entity, other than a 
HIPAA-covered entity or an entity to the extent that it engages in 
activities as a business associate of a HIPAA-covered entity, that 
offers or maintains a personal health record.


318.3  Breach notification requirement.

    (a) In general. In accordance with Sec.  318.4 (Timeliness of 
notification), Sec.  318.5 (Notice to FTC), and Sec.  318.6 (Content of 
notice), each vendor of personal health records, following the 
discovery of a breach of security of unsecured PHR identifiable health 
information that is in a personal health record maintained or offered 
by such vendor, and each PHR related entity, following the discovery of 
a breach of security of such information that is obtained through a 
product or service provided by such entity, shall:
    (1) Notify each individual who is a citizen or resident of the 
United States whose unsecured PHR identifiable health information was 
acquired by an unauthorized person as a result of such breach of 
security;
    (2) Notify the Federal Trade Commission; and
    (3) Notify prominent media outlets serving a State or jurisdiction, 
following the discovery of a breach of security, if the unsecured PHR 
identifiable health information of 500 or more residents of such State 
or jurisdiction is, or is reasonably believed to have been, acquired 
during such breach.
    (b) Third party service providers. A third party service provider 
shall, following the discovery of a breach of security, provide notice 
of the breach to an official designated in a written contract by the 
vendor of personal health records or the PHR related entity to receive 
such notices or, if such a designation is not made, to a senior 
official at the vendor of personal health records or PHR related entity 
to which it provides services, and obtain acknowledgment from such 
official that such notice was received. Such notification shall include 
the identification of each customer of the vendor of personal health 
records or PHR related entity whose unsecured PHR identifiable health 
information has been, or is reasonably believed to have been, acquired 
during such breach. For purposes of ensuring implementation of this 
requirement, vendors of personal health records and PHR related 
entities shall notify third party service providers of their status as 
vendors of personal health records or PHR related entities subject to 
this part. While some third party service providers may access 
unsecured PHR identifiable health information in the course of 
providing services, this does not render the third party service 
provider a PHR related entity.
    (c) Breaches treated as discovered. A breach of security shall be 
treated as discovered as of the first day on which such breach is known 
or reasonably should have been known to the vendor of personal health 
records, PHR related entity, or third party service provider, 
respectively. Such vendor, entity, or third party service provider 
shall be deemed to have knowledge of a breach if such breach is known, 
or reasonably should have been known, to any person, other than the 
person committing the breach, who is an employee, officer, or other 
agent of such vendor of personal health records, PHR related entity, or 
third party service provider.


318.4  Timeliness of notification.

    (a) In general. Except as provided in paragraphs (b) (Timing of 
notice to FTC) and (d) of this section (Law enforcement exception), all 
notifications required under Sec.  318.3(a)(1) (required notice to 
individuals), Sec.  318.3(b) (required notice by third party service 
providers), and Sec.  318.3(a)(3) (required notice to media) shall be 
sent without unreasonable delay and in no case later than 60 calendar 
days after the discovery of a breach of security.
    (b) Timing of notice to FTC. All notifications required under Sec.  
318.5(c) (Notice to FTC) involving the unsecured PHR identifiable 
health information of 500 or more individuals shall be provided as soon 
as possible and in no case later than ten business days following the 
date of discovery of the breach. All logged notifications required 
under Sec.  318.5(c) (Notice to FTC) involving the unsecured PHR 
identifiable health information of fewer than 500 individuals may be 
sent annually to the Federal Trade Commission no later than 60 calendar 
days following the end of the calendar year.
    (c) Burden of proof. The vendor of personal health records, PHR 
related entity, and third party service provider involved shall have 
the burden of demonstrating that all notifications were made as 
required under this part, including evidence demonstrating the 
necessity of any delay.
    (d) Law enforcement exception. If a law enforcement official 
determines that a notification, notice, or posting required under this 
part would impede a criminal investigation or cause damage to national 
security, such notification, notice, or posting shall be delayed. This 
paragraph shall be implemented in the same manner as provided under 45 
CFR 164.528(a)(2), in the case of a disclosure covered under such 
section.


318.5  Methods of notice.

    (a) Individual notice. A vendor of personal health records or PHR 
related entity that discovers a breach of security shall provide notice 
of such breach to an individual promptly, as described in Sec.  318.4 
(Timeliness of notification), and in the following form:
    (1) Written notice at the last known address of the individual. 
Written notice may be sent by electronic mail if the individual has 
specified electronic mail as the primary method of communication. Any 
written notice sent by electronic mail must be Clear and Conspicuous. 
Where notice via electronic mail is not available or the individual has 
not specified electronic mail as the primary method of communication, a 
vendor of personal health records or PHR related entity may provide 
notice by first-class mail at the last known address of the individual. 
If the individual is deceased, the vendor of personal health records or 
PHR related entity that discovered the breach must provide such notice 
to the next of kin of the individual if the individual had provided 
contact information for his or her next of kin, along with 
authorization to contact them. The notice may be provided in one or 
more mailings as information is available. Exemplar notices that 
vendors of personal health records or PHR related entities may use to 
notify individuals pursuant to this paragraph are attached as Appendix 
A.
    (2) If, after making reasonable efforts to contact all individuals 
to whom notice is required under Sec.  318.3(a), through the means 
provided in paragraph (a)(1) of this section, the vendor of personal 
health records or PHR related entity finds that contact information for 
ten or more individuals is insufficient or out-of-date, the vendor of 
personal health records or PHR related entity shall provide substitute 
notice, which shall be reasonably calculated to reach the individuals 
affected by the breach, in the following form:
    (i) Through a conspicuous posting for a period of 90 days on the 
home page of its website; or
    (ii) In major print or broadcast media, including major media in 
geographic areas where the individuals affected by the breach likely 
reside. Such a notice in media or web posting shall include a toll-free 
phone number, which shall remain active for at least 90 days, where an 
individual can learn whether the individual's unsecured PHR 
identifiable health information may be included in the breach.
    (3) In any case deemed by the vendor of personal health records or 
PHR related entity to require urgency because of possible imminent 
misuse of unsecured PHR identifiable health information, that entity 
may provide information to individuals by telephone or other means, as 
appropriate, in addition to notice provided under paragraph (a)(1) of 
this section.
    (b) Notice to media. As described in Sec.  318.3(a)(3), a vendor of 
personal health records or PHR related entity shall provide notice to 
prominent media outlets serving a State or jurisdiction, following the 
discovery of a breach of security, if the unsecured PHR identifiable 
health information of 500 or more residents of such State or 
jurisdiction is, or is reasonably believed to have been, acquired 
during such breach.
    (c) Notice to FTC. Vendors of personal health records and PHR 
related entities shall provide notice to the Federal Trade Commission 
following the discovery of a breach of security, as described in Sec.  
318.4(b) (Timing of notice to FTC). If the breach involves the 
unsecured PHR identifiable health information of fewer than 500 
individuals, the vendor of personal health records or PHR related 
entity may maintain a log of any such breach and submit such a log 
annually to the Federal Trade Commission as described in Sec.  318.4(b) 
(Timing of notice to FTC), documenting breaches from the preceding 
calendar year. All notices pursuant to this paragraph shall be provided 
according to instructions at the Federal Trade Commission's website.
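The notice and timing obligations of Sec. 318.3 through 318.5 above, worked through as an added Python example that is not code from the Commission or any covered entity. The breach data is constructed, and the business-day helper assumes Monday to Friday and ignores federal holidays, since the proposed Rule does not define the term.

```python
"""Worked example: which notices proposed 16 CFR part 318 requires after a
breach of security, and their outside dates. Constructed illustration."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Affected:
    """One U.S. individual whose unsecured PHR identifiable health
    information was acquired in the breach."""
    state: str          # State or jurisdiction of residence, e.g. "CA"
    contact_ok: bool    # Is the last known address or email usable for notice?


@dataclass(frozen=True)
class Breach:
    discovered: date    # First day the breach was, or should have been, known (318.3(c))
    affected: tuple     # Affected individuals


def add_business_days(start: date, n: int) -> date:
    """Assumption: 'business days' means Monday to Friday; holidays ignored."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def notification_plan(breach: Breach) -> dict:
    """Return the notices due under 318.3-318.5 and their outside dates."""
    count = len(breach.affected)
    # 318.4(a): individual, media and third-party notices no later than
    # 60 calendar days after discovery
    outside_date = breach.discovered + timedelta(days=60)
    plan = {
        "individuals_by": outside_date,
        "media_states": [],
        "media_by": None,
        "ftc_by": None,
        "ftc_via_annual_log": False,
        "substitute_notice": False,
    }
    # 318.3(a)(3) / 318.5(b): media notice in each State or jurisdiction
    # with 500 or more affected residents
    per_state = Counter(a.state for a in breach.affected)
    plan["media_states"] = sorted(s for s, c in per_state.items() if c >= 500)
    if plan["media_states"]:
        plan["media_by"] = outside_date
    # 318.4(b): FTC within 10 business days when 500 or more individuals are
    # involved; otherwise the breach may be logged and reported annually, no
    # later than 60 calendar days after the end of the calendar year
    if count >= 500:
        plan["ftc_by"] = add_business_days(breach.discovered, 10)
    else:
        plan["ftc_via_annual_log"] = True
        plan["ftc_by"] = date(breach.discovered.year, 12, 31) + timedelta(days=60)
    # 318.5(a)(2): substitute notice (90-day home-page posting or major media,
    # with a toll-free number active for 90 days) when contact information for
    # ten or more individuals is insufficient or out of date
    unreachable = sum(1 for a in breach.affected if not a.contact_ok)
    plan["substitute_notice"] = unreachable >= 10
    return plan


def sample_large_breach() -> Breach:
    """Constructed sample: 600 individuals, 520 in CA (12 unreachable), 80 in NY."""
    people = [Affected("CA", i >= 12) for i in range(520)]
    people += [Affected("NY", True)] * 80
    return Breach(discovered=date(2023, 6, 9), affected=tuple(people))


def sample_small_breach() -> Breach:
    """Constructed sample: 30 individuals in one State, all reachable."""
    people = [Affected("TX", True)] * 30
    return Breach(discovered=date(2023, 6, 9), affected=tuple(people))


if __name__ == "__main__":
    for breach in (sample_large_breach(), sample_small_breach()):
        for key, value in notification_plan(breach).items():
            print(f"{key}: {value}")
        print()
```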


318.6  Content of notice.

    Regardless of the method by which notice is provided to individuals 
under Sec.  318.5 (Methods of notice) of this part, notice of a breach 
of security shall be in plain language and include, to the extent 
possible, the following:
    (a) A brief description of what happened, including: the date of 
the breach and the date of the discovery of the breach, if known; the 
potential harm that may result from the breach, such as medical or 
other identity theft; and the full name, website, and contact 
information (such as a public email address or phone number) of any 
third parties that acquired unsecured PHR identifiable health 
information as a result of a breach of security, if this information is 
known to the vendor of personal health records or PHR related entity;
    (b) A description of the types of unsecured PHR identifiable health 
information that were involved in the breach (such as but not limited 
to full name, Social Security number, date of birth, home address, 
account number, health diagnosis or condition, lab results, 
medications, other treatment information, the individual's use of a 
health-related mobile application, or device identifier (in combination 
with another data element));
    (c) Steps individuals should take to protect themselves from 
potential harm resulting from the breach;
    (d) A brief description of what the entity that experienced the 
breach is doing to investigate the breach, to mitigate harm, to protect 
against any further breaches, and to protect affected individuals, such 
as offering credit monitoring or other services; and
    (e) Contact procedures for individuals to ask questions or learn 
additional information, which must include two or more of the 
following: toll-free telephone number; email address; website; within-
application; or postal address.


318.7  Enforcement.

    Any violation of this part shall be treated as a violation of a 
rule promulgated under section 18 of the Federal Trade Commission Act, 
15 U.S.C. 57a, regarding unfair or deceptive acts or practices, and 
thus subject to civil penalties (as adjusted for inflation pursuant to 
Sec.  1.98 of this chapter), and the Commission will enforce this Rule 
in the same manner, by the same means, and with the same jurisdiction, 
powers, and duties as are available to it pursuant to the Federal Trade 
Commission Act, 15 U.S.C. 41 et seq.


318.8  Effective date.

    This part shall apply to breaches of security that are discovered 
on or after September 24, 2009.


318.9  Sunset.

    If new legislation is enacted establishing requirements for 
notification in the case of a breach of security that apply to entities 
covered by this part, the provisions of this part shall not apply to 
breaches of security discovered on or after the effective date of 
regulations implementing such legislation.

    By direction of the Commission.
April J. Tabor,
Secretary.

Appendix A: Health Breach Notification Rule Exemplar Notices

    The notices below are intended to be examples of notifications 
that entities may use, in their discretion, to notify individuals of 
a breach of security pursuant to the Health Breach Notification 
Rule. The examples below are for illustrative purposes only. You 
should tailor any notices to the particular facts and circumstances 
of your breach. While your notice must comply with the Health Breach 
Notification Rule, you are not required to use the notices below.

Mobile Text Message and In-App Message Exemplars

Text Message Notification Exemplar 1

    Due to a security breach on our system, the health information 
you shared with us through [name of product] is now in the hands of 
unknown attackers. Visit [add non-clickable URL] to learn what 
happened, how it affects you, and what you can do to protect your 
information. We also sent you an email with additional information.

Text Message Notification Exemplar 2

    You shared health information with us when you used [product 
name]. We discovered that we shared your health information with 
third parties for [describe why the company shared the info] without 
your permission. Visit [add non-clickable URL] to learn what 
happened, how it affects you, and what you can do to protect your 
information. We also sent you an email with more information.

In-App Message Notification Exemplar 1

    Due to a security breach on our system, the health information 
you shared with us through [name of product] is now in the hands of 
unknown attackers. This could include your [Add specifics--for 
example, your name, email, address, blood pressure data]. Visit 
[URL] to learn what happened, how it affects you, and what you can 
do to protect your information. We also sent you an email with 
additional information.

In-App Message Notification Exemplar 2

    You shared health information with us when you used [product 
name]. We discovered that we shared your health information with 
third parties for [if known, describe why the company shared the 
info] without your permission. This could include your [Add 
specifics--for example, your name, email, address, blood pressure 
data]. Visit [URL] to learn what happened, how it affects you, and 
what you can do to protect your information. We also sent you an 
email with additional information.

Web Banner Exemplars

Web Banner Notification Exemplar 1

    Due to a security breach on our system, the health information 
you shared with us through [name of product] is now in the hands of 
unknown attackers. This could include your [Add specifics--for 
example, your name, email, address, blood pressure data]. Visit 
[URL] to learn what happened, how it affects you, and what you can 
do to protect your information.
     Recommend: Include clear ``Take action'' call to action 
button, such as the example below:
[GRAPHIC] [TIFF OMITTED] TP09JN23.006

[[Page 37838]]

Web Banner Notification Exemplar 2

    You shared health information with us when you used [product 
name]. We discovered that we shared your health information with 
third parties for [if known, describe why the company shared the 
info] without your permission. This could include your [Add 
specifics--for example, your name, email, address, blood pressure 
data]. Visit [URL] to learn what happened, how it affects you, and 
what you can do to protect your information.
     Recommend: Include clear ``Take action'' call to action 
button, such as the example below:
[GRAPHIC] [TIFF OMITTED] TP09JN23.007

Email Exemplars

Exemplar Email Notice 1

Email Sender: [Company] 
Email Subject Line: [Company] Breach of Your Health Information

Dear [Name],

    We are contacting you because an attacker recently gained 
unauthorized access to our system and stole health information about 
our customers, including you.

What happened and what it means for you

    On [March 1, 2022], we learned that an attacker had accessed a 
file containing our customers' health information on [February 28, 
2022]. The file included your name, the name of your health 
insurance company, your date of birth, and your group or policy 
number.
    A hacker could use your information now or at a later time to 
commit identity theft or could sell your information to other 
criminals. For example, a criminal could get medical care in your 
name or change your medical records or run up bills in your name.

What you can do to protect yourself

    You can take steps now to reduce the risk of identity theft.
    1. Review your medical records, statements, and bills for signs 
that someone is using your information. Under the health privacy law 
known as HIPAA, you have the right to access your medical records. 
Get your records and review them for any treatments or doctor visits 
you don't recognize. If you find any, report them to your healthcare 
provider in writing. Then go to www.IdentityTheft.gov/steps to see 
what other steps you can take to limit the damage.
    Also review the Explanation of Benefits statement your insurer 
sends you when it pays for medical care.
    Some criminals wait before using stolen information so keep 
monitoring your benefits and bills.
    2. Review your credit reports for errors. You can get your free 
credit reports from the three credit bureaus at 
www.annualcreditreport.com or call 1-877-322-8228. Look for medical 
billing errors, like medical debt collection notices that you don't 
recognize. Report any medical billing errors to all three credit 
bureaus by following the ``What To Do Next'' steps on 
www.IdentityTheft.gov.
    3. Sign up for free credit monitoring to detect suspicious 
activity. Credit monitoring detects and alerts you about activity on 
your credit reports. Activity you don't recognize could be a sign 
that someone stole your identity. We're offering free credit 
monitoring for two years through [name of service]. Learn more and 
sign up at [URL].
    4. Consider freezing your credit report or placing a fraud alert 
on your credit report. A credit report freeze means potential 
creditors can't get your credit report without your permission. That 
makes it less likely that an identity thief can open new accounts in 
your name. A freeze remains in place until you ask the credit bureau 
to temporarily lift it or remove it.
    A fraud alert will make it harder for someone to open a new 
credit account in your name. It tells creditors to contact you 
before they open any new accounts in your name or change your 
accounts. A fraud alert lasts for one year. After a year, you can 
renew it.
    To freeze your credit report, contact each of the three credit 
bureaus, Equifax, Experian, and TransUnion.
    To place a fraud alert, contact any one of the three credit 
bureaus, Equifax, Experian, and TransUnion. As soon as one credit 
bureau confirms your fraud alert, the others are notified to place 
fraud alerts on your credit report.

Credit bureau contact information
    Equifax, www.equifax.com/personal/credit-report-services, 1-800-685-1111
    Experian, www.experian.com/help, 1-888-397-3742
    TransUnion, www.transunion.com/credit-help, 1-888-909-8872

    Learn more about how credit report freezes and fraud alerts can 
protect you from identity theft or prevent further misuse of your 
personal information at www.consumer.ftc.gov/articles/what-know-about-credit-freezes-and-fraud-alerts.

What we are doing in response

    We hired security experts to secure our system. We are working 
with law enforcement to find the attacker. And we are investigating 
whether we made mistakes that made it possible for the attackers to 
get in.

Learn more about the breach

    Go to [URL] to learn more about what happened and what you can 
do to protect yourself. If we have any updates, we will post them 
there.
    If you have questions or concerns, call us at [telephone 
number], email us at [address], or go to [URL].

Sincerely,

First name Last Name
[Role], [Company]

Exemplar Email Notice 2

Email Sender: [Company] 
Email Subject Line: Unauthorized disclosure of your health 
information by [Company]

Dear [Name],

    We are contacting you because you use our company's app [name of 
app]. When you downloaded our app, we promised to keep your personal 
health information private. Instead, we disclosed health information 
about you to another company without your approval.

What happened?

    We told Company XYZ (insert website address of Company XYZ) that 
you use our app, and between [January 10, 2021] and [March 1, 2022], 
we gave them your name and your email address.
    We gave Company XYZ this information so they could use it for 
advertising and marketing purposes. For example, to target you for 
ads for cancer drugs.
    You may contact Company XYZ at [insert contact info, such as 
email or phone] for more information.

What we are doing in response

    We will stop selling or sharing your health information with 
other companies. We will stop using your health information for 
advertising or marketing purposes. We have asked Company XYZ to 
delete your health information, but it's possible they could 
continue to use it for advertising and marketing.

What you can do

    We made important changes to our app to fix this problem. 
Download the latest updates to our app then review your privacy 
settings. You can also contact Company XYZ to request that it delete 
your data.

Learn more

    Learn more about our privacy and security practices at [URL]. If 
we have any updates, we will post them there.
    If you have any questions or concerns, call us at [telephone 
number] or email us at [address].
Sincerely,
First name Last Name
[Role], [Company]

Exemplar Email Notice 3

Email Sender: [Company] 
Email Subject Line: [Company] Breach of Your Health Information


[[Page 37839]]


Dear [Name],

    We are contacting you about a breach of your health information 
collected through the [product], a device sold by our company, 
[Company].

What happened?

    On [March 1, 2022], we discovered that our employee had 
accidentally posted a database online on [February 28, 2022]. That 
database included your name, your credit or debit card information, 
and your blood pressure readings. We don't know if anyone else found 
the database and saw your information. If someone found the 
database, they could use personal information to steal your identity 
or make unauthorized charges in your name.

What you can do to protect yourself

    You can take steps now to reduce the risk of identity theft.
    1. Get your free credit report and review it for signs of 
identity theft. Order your free credit report at 
www.annualcreditreport.com. Review it for accounts and activity you 
don't recognize. Recheck your credit reports periodically.
    2. Consider freezing your credit report or placing a fraud alert 
on your credit report. A credit report freeze means potential 
creditors can't get your credit report without your permission. That 
makes it less likely that an identity thief can open new accounts in 
your name. A freeze remains in place until you ask the credit bureau 
to temporarily lift it or remove it.
    A fraud alert will make it harder for someone to open a new 
credit account in your name. It tells creditors to contact you 
before they open any new accounts in your name or change your 
accounts. A fraud alert lasts for one year. After a year, you can 
renew it.
    To freeze your credit report, contact each of the three credit 
bureaus, Equifax, Experian, and TransUnion.
    To place a fraud alert, contact any one of the three credit 
bureaus, Equifax, Experian, and TransUnion. As soon as one credit 
bureau confirms your fraud alert, the others are notified to place 
fraud alerts on your credit report.

Credit bureau contact information
    Equifax, www.equifax.com/personal/credit-report-services, 1-800-685-1111
    Experian, www.experian.com/help, 1-888-397-3742
    TransUnion, www.transunion.com/credit-help, 1-888-909-8872

    Learn more about how credit report freezes and fraud alerts can 
protect you from identity theft or prevent further misuse of your 
personal information at www.consumer.ftc.gov/articles/what-know-about-credit-freezes-and-fraud-alerts.
    3. Sign up for free credit monitoring to detect suspicious 
activity. Credit monitoring detects and alerts you about activity on 
your credit reports. Activity you don't recognize could be a sign 
that someone stole your identity. We're offering free credit 
monitoring for two years through [name of service]. Learn more and 
sign up at [URL].

What we are doing in response

    We are investigating our mistakes. We know the database 
shouldn't have been online and it should have been encrypted. We are 
making changes to prevent this from happening again.
    We are working with experts to secure our system. We are 
reviewing our databases to make sure we store health information 
securely.

Learn more about the breach

    Go to [URL] to learn more about what happened and what you can 
do to protect yourself. If we have any updates, we will post them 
there.
    If you have questions or concerns, call us at [telephone 
number], email us at [address], or go to [URL].

Sincerely,

First name Last Name
[Role], [Company]

[FR Doc. 2023-12148 Filed 6-8-23; 8:45 am]
BILLING CODE 6750-01-P