Health Breach Notification Rule, 47028-47064 [2024-10855]

47028 Federal Register / Vol. 89, No. 105 / Thursday, May 30, 2024 / Rules and Regulations

FEDERAL TRADE COMMISSION

16 CFR Part 318

RIN 3084–AB56

Health Breach Notification Rule

AGENCY: Federal Trade Commission.

ACTION: Final rule.

SUMMARY: The Federal Trade Commission (“FTC” or “Commission”) is amending the Commission’s Health Breach Notification Rule (the “HBN Rule” or the “Rule”). The HBN Rule requires vendors of personal health records (“PHRs”) and related entities that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. The amendments: (1) clarify the Rule’s scope, including its coverage of developers of many health applications (“apps”); (2) clarify what it means for a vendor of personal health records to draw PHR identifiable health information from multiple sources; (3) revise the definition of breach of security to clarify that a breach of security includes data security breaches and unauthorized disclosures; (4) revise the definition of PHR related entity; (5) modernize the method of notice; (6) expand the content of the notice; (7) alter the Rule’s timing requirement for notifying the FTC of a breach of security; and (8) improve the Rule’s readability by clarifying cross-references and adding statutory citations, consolidating notice and timing requirements, articulating the penalties for non-compliance, and incorporating a small number of non-substantive changes.

DATES: The amendments are effective July 29, 2024.

ADDRESSES: Relevant portions of the record of this proceeding, including this document, are available at https://www.ftc.gov and https://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Ryan Mehm, (202) 326–2918, rmehm@ftc.gov, and Ronnie Solomon, (202) 326–2098, rsolomon@ftc.gov, Bureau of Consumer Protection, Federal Trade Commission.
SUPPLEMENTARY INFORMATION:

I. Background

Congress enacted the American Recovery and Reinvestment Act of 2009 (“Recovery Act” or “the Act”),[1] in part to advance the use of health information technology and, at the same time, strengthen privacy and security protections for health information. Recognizing that certain entities that hold or interact with consumers’ personal health records were not subject to the privacy and security requirements of HIPAA,[2] Congress created requirements for such entities to notify individuals, the Commission, and, in some cases, the media of the breach of unsecured identifiable health information from those records. Specifically, section 13407 of the Recovery Act created certain protections for “personal health records” or “PHRs,”[3] electronic records of PHR identifiable health information on an individual that can be drawn from multiple sources and that are managed, shared, and controlled by or primarily for the individual.[4] Congress recognized that vendors of personal health records and PHR related entities (i.e., companies that offer products and services through PHR websites or access information in or send information to personal health records) were collecting consumers’ health information but were not subject to the privacy and security requirements of HIPAA. Accordingly, the Recovery Act directed the FTC to issue a rule requiring these non-HIPAA covered entities, and their third party service providers, to provide notification of any breach of unsecured PHR identifiable health information. The Commission issued its Rule implementing these provisions in 2009.[5] FTC enforcement of the Rule began on February 22, 2010.
The Rule the Commission issued in 2009 (“2009 Rule”) requires vendors of personal health records and PHR related entities to provide: (1) notice to consumers whose unsecured PHR identifiable health information has been breached; (2) notice to the Commission; and (3) notice to prominent media outlets[6] serving a State or jurisdiction, in cases where 500 or more residents are confirmed or reasonably believed to have been affected by a breach.[7] The Rule also requires third party service providers (i.e., those companies that provide services such as billing, data storage, attribution, or analytics) to vendors of personal health records and PHR related entities to provide notification to such vendors and entities following the discovery of a breach.[8]

The 2009 Rule requires notice to individuals “without unreasonable delay and in no case later than 60 calendar days” after discovery of a data breach.[9] If the breach affects 500 or more individuals, notice to the FTC must be provided “as soon as possible and in no case later than ten business days” after discovery of the breach.[10] The FTC makes available a standard form for companies to use to notify the Commission of a breach,[11] and posts a list of breaches involving 500 or more individuals on its website.[12]

The 2009 Rule applies only to breaches of “unsecured” health information, which the Rule defines as health information that is not secured through technologies or methodologies specified by the Department of Health and Human Services (“HHS”). The Rule does not apply to businesses or organizations covered by HIPAA.[13] HIPAA-covered entities and their “business associates” must instead comply with HHS’s breach notification rule.[14]

Since the Rule’s issuance, apps and other direct-to-consumer health technologies, such as fitness trackers and wearable blood pressure monitors, have become commonplace.[15] Further, as an outgrowth of the COVID–19 pandemic, consumer use of such health-related technologies has increased significantly.[16] In May 2020, the Commission announced its regular, ten-year review of the Rule and requested public comment about potential Rule changes.[17] The Commission requested comment on, among other things, whether changes should be made to the Rule in light of technological changes, such as the proliferation of apps and similar technologies.

[1] Am. Recovery and Reinvestment Act of 2009, Public Law 111–5, 123 Stat. 115 (2009).
[2] Health Ins. Portability and Accountability Act, Public Law 104–191, 110 Stat. 1936 (1996).
[3] 42 U.S.C. 17937.
[4] 42 U.S.C. 17921(11).
[5] 74 FR 42962 (Aug. 25, 2009) (“2009 Final Rule”).
[6] The Recovery Act does not limit this notice to particular types of media. Thus, an entity can satisfy the requirement to notify “prominent media outlets” by, for example, disseminating press releases to a number of media outlets, including internet media in appropriate circumstances, where most of the residents of the relevant State or jurisdiction get their news. This will be a fact-specific inquiry that will depend on what media outlets are “prominent” in the relevant jurisdiction. 74 FR 42974.
[7] 16 CFR 318.3, 318.5.
[8] Id. § 318.3(b).
[9] Id. § 318.4(a).
[10] Id. § 318.5(c).
[11] Fed. Trade Comm’n, Notice of Breach of Health Information, https://www.ftc.gov/system/files/documents/rules/health-breach-notification-rule/health_breach_form.pdf.
[12] Fed. Trade Comm’n, Notices Received by the FTC Pursuant to the Health Breach Notification Rule, https://www.ftc.gov/system/files/ftc_gov/pdf/Health%20Breach%20Notices%20Received%20by%20the%20FTC.pdf (last visited Dec. 2, 2022).
[13] Per HHS guidance, electronic health information is “secured” if it has been encrypted according to certain specifications set forth by HHS, or if the media on which electronic health information has been stored or recorded is destroyed according to HHS specifications. See 74 FR 19006; see also U.S. Dep’t of Health & Human Servs., Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html. PHR identifiable health information would be considered “secured” if such information is disclosed by, for example, a vendor of personal health records, to a PHR related entity or a third party service provider, in an encrypted format meeting HHS specifications, and the PHR related entity or third party service provider stores the data in an encrypted format that meets HHS specifications and also stores the encryption and/or decryption tools on a device or at a location separate from the data.
[14] 45 CFR 164.400 through 164.414.
The Commission received 26 public comments.[18] Many of the commenters in 2020 encouraged the Commission to clarify that the Rule applies to apps and similar technologies.[19] In fact, no commenter opposed this type of clarification regarding the Rule’s coverage of health apps. Several commenters pointed out examples of health apps that have abused users’ privacy, such as by disclosing sensitive health information without consent.[20] Several commenters noted the urgency of this issue, as consumers have further embraced digital health technologies during the COVID–19 pandemic.[21] Commenters argued the Commission should take additional steps to protect unsecured PHR identifiable health information that is not covered by HIPAA, both to prevent harm to consumers[22] and to level the competitive playing field among companies dealing with the same health information.[23] To that end, commenters not only urged the Commission to revise the Rule, but also to increase its enforcement efforts.[24]

A. The Commission’s 2021 Policy Statement

On September 15, 2021, the Commission issued a Policy Statement providing guidance on the scope of the Rule. The Policy Statement clarified that the Rule covers most health apps and similar technologies that are not covered by HIPAA.[25] The Rule defines a “personal health record” as “an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”[26] As the Commission explained in the Policy Statement, many makers and purveyors of health apps and other connected devices are vendors of personal health records covered by the Rule because their products are electronic records of PHR identifiable health information. The Commission explained that PHR identifiable health information includes individually identifiable health information created or received by a health care provider,[27] and that “health care providers” include any entities that “furnish[ ] health care services or supplies.”[28] Because these health app purveyors furnish health care services to their users through the mobile applications they provide, the information held in the app is PHR identifiable health information, and therefore many health app purveyors likely qualify as vendors of personal health records.[29] The Policy Statement further explained that the statute directing the FTC to promulgate the Rule requires that a “personal health record” be an electronic record that can be drawn from multiple sources.[30] Accordingly, health apps and similar technologies likely qualify as personal health records covered by the Rule if they are capable of drawing information from multiple sources. The Commission further clarified that health apps and other products experience a “breach of security” under the Rule when they disclose users’ sensitive health information without authorization;[31] a breach is “not limited to cybersecurity intrusions or nefarious behavior.”[32]

B. Enforcement History

In 2023, the Commission brought its first enforcement actions under the Rule against vendors of personal health records. In February 2023, the Commission brought an enforcement action alleging a violation of the Rule against GoodRx Holdings, Inc. (“GoodRx”), a digital health company that sells health-related products and services directly to consumers, including prescription medication discount products and telehealth services through its website and mobile applications.[33] In its complaint, the Commission alleged that between 2017 and 2020, GoodRx, as a vendor of personal health records, disclosed more than 500 consumers’ unsecured PHR identifiable health information to third party advertising platforms like Facebook and Google, without the authorization of those consumers. As charged in the complaint, these disclosures violated explicit privacy promises the company made to its users about its data sharing practices (including about its sharing of PHR identifiable health information). The Commission alleged GoodRx broke these promises and disclosed its users’ prescription medications and personal health conditions, personal contact information, and unique advertising and persistent identifiers. The Commission charged GoodRx with violating the Rule by failing to provide the required notifications, as prescribed by the Rule, to (1) individuals whose unsecured PHR identifiable health information was acquired by an unauthorized person, (2) the Federal Trade Commission, and (3) media outlets. 16 CFR 318.3 through 318.6. The Commission entered into a settlement that imposed injunctive relief and required GoodRx to pay a $1.5 million civil penalty for its alleged violation of the Rule.[34]

Similarly, on May 17, 2023, the Commission brought its second enforcement action under the Rule against Easy Healthcare Corporation (“Easy Healthcare”), a company that publishes an ovulation and period tracking mobile application called Premom, which allows its users to input and track various types of health and other sensitive data. Similar to the conduct alleged against GoodRx, Easy Healthcare disclosed PHR identifiable health information to third party companies such as Google and AppsFlyer, contrary to its privacy promises, and did not comply with the Rule’s notification requirements. The Commission entered into a settlement that imposed injunctive relief and required Easy Healthcare to pay a $100,000 civil penalty for its alleged violation of the Rule.[35]

C. Notice of Proposed Rulemaking

Having considered the public comments on the regulatory review notification and its Policy Statement, on June 9, 2023, the Commission issued a notice of proposed rulemaking (“NPRM”)[36] proposing to revise the Rule, 16 CFR part 318, in seven ways:

• First, the Commission proposed to revise several definitions in order to clarify the Rule and better explain its application to health apps and similar technologies not covered by HIPAA. Consistent with this objective, the NPRM modified the definition of “PHR identifiable health information” and added two new definitions (“health care provider” and “health care services or supplies”). These proposed changes were consistent with a number of public comments supporting the Rule’s coverage of these technologies.

• Second, the Commission proposed to revise the definition of “breach of security” to clarify that a breach of security includes an unauthorized acquisition of PHR identifiable health information in a personal health record that occurs as a result of a data security breach or an unauthorized disclosure.

• Third, the Commission proposed to revise the definition of “PHR related entity” in two ways. Consistent with its proposal to clarify that the Rule applies to health apps, the Commission first proposed clarifying the definition of “PHR related entity” to make clear that the Rule covers entities that offer products and services through the online services, including mobile applications, of vendors of personal health records. In addition, the Commission proposed revising the definition of “PHR related entity” to provide that entities that access or send unsecured PHR identifiable health information to a personal health record—rather than entities that access or send any information to a personal health record—are PHR related entities.

• Fourth, the Commission proposed to clarify what it means for a personal health record to draw PHR identifiable health information from multiple sources.

• Fifth, in response to public comments expressing concern that mailed notice is costly and not consistent with how consumers interact with online technologies like health apps, the Commission proposed to revise the Rule to authorize electronic notice in additional circumstances. Specifically, the proposed Rule adjusted the language in the “method of notice section” and added a new definition of the term “electronic mail.” The proposed Rule also required that any notice delivered by electronic mail be “clear and conspicuous,” a newly defined term, which aligns closely with the definition of “clear and conspicuous” codified in the FTC’s Financial Privacy Rule.[37]

• Sixth, the Commission proposed to expand the required content of the notice to individuals, to require that consumers whose unsecured PHR identifiable health information has been breached receive additional important information, including information regarding the potential for harm from the breach and protections that the notifying entity is making available to affected consumers. In addition, the proposed Rule included exemplar notices, which entities subject to the Rule could use to notify consumers in terms that are easy to understand.

• Seventh, in response to public comments, the Commission proposed to make a number of changes to improve the Rule’s readability. Specifically, the Commission proposed to include explanatory parentheticals for internal cross-references, add statutory citations in relevant places, consolidate notice and timing requirements in single sections, respectively, of the Rule, and add a new section that plainly states the penalties for non-compliance.

The NPRM also included a section discussing several alternatives the Commission considered but did not propose. Although the Commission did not put forth any proposed modifications on those issues, the Commission nonetheless sought public comment on them.

The Commission received approximately 120 comments in response to the NPRM from a wide spectrum of stakeholders, including consumers, consumer groups, trade associations, think tanks, policy organizations, private sector entities, and members of Congress.[38] As discussed in detail below, commenters addressed the seven topics on which the Commission proposed changes, responded to particular points on which the Commission requested comment, offered additional comment on alternatives that the Commission considered but did not propose, and provided comment on other topics. The majority of commenters expressed support for the Commission’s proposed changes. The Commission believes the amendments are consistent with the language and intent of the Recovery Act, address the concerns raised by the public comments in response to the NPRM, and will ensure the Rule remains current in the face of changing business practices and technological developments.

II. Analysis of the Final Rule

The following discussion analyzes the amendments to the Rule.

A. Clarification of Entities Covered

1. The Commission’s Proposal To Clarify the Entities Covered

The Commission proposed changes to several definitions in § 318.2 to clarify the Rule’s application to health apps and similar technologies not covered by HIPAA. First, the proposed Rule revised the definition of “PHR identifiable health information” to remove a cross-reference and instead import language from section 1171(6) of the Social Security Act, 42 U.S.C. 1320d(6), which is also referenced directly in section 13407 of the Recovery Act.

[15] See, e.g., Kokou Adzo, App Development in Healthcare: 12 Exciting Facts, TechnoChops (Jan. 3, 2023), https://www.technochops.com/programming/4329/app-development-in-healthcare/; Emily Olsen, Digital health apps balloon to more than 350,000 available on the market, according to IQVIA report, MobiHealthNews (Aug. 4, 2021), https://www.mobihealthnews.com/news/digital-health-apps-balloon-more-350000-available-market-according-iqvia-report; Elad Natanson, Healthcare Apps: A Boon, Today and Tomorrow, Forbes (July 21, 2020), https://www.forbes.com/sites/eladnatanson/2020/07/21/healthcare-apps-a-boon-today-and-tomorrow/?sh=21df01ac1bb9.
[16] See id. See also Lis Evenstad, Covid–19 has led to a 25% increase in health app downloads, research shows, ComputerWeekly.com (Jan. 12, 2021), https://www.computerweekly.com/news/252494669/Covid-19-has-led-to-a-25-increase-in-health-app-downloads-research-shows (finding that COVID–19 has led to a 25% increase in health app downloads); Jasmine Pennic, U.S. Telemedicine App Downloads Spikes During COVID–19 Pandemic, HIT Consultant (Sept. 8, 2020), https://hitconsultant.net/2020/09/08/u-s-telemedicine-app-downloads-spikes-during-covid-19-pandemic/ (“US telemedicine app downloads see dramatic increases during the COVID–19 pandemic, with some seeing an 8,270% rise YoY.”).
[17] 85 FR 31085 (May 22, 2020).
[18] Comments are available at https://www.regulations.gov/docket/FTC-2020-0045/comments.
[19] E.g., Am. Health Info. Mgmt. Ass’n (“AHIMA”) at 2; Kaiser Permanente at 3; Allscripts at 3; Am. Acad. of Ophthalmology at 2; All. for Nursing Informatics (“ANI”) at 2; Am. Med. Ass’n (“AMA”) at 4; Am. Coll. of Surgeons at 6; Physicians’ Elec. Health Rec. Coal. (“PEHRC”) at 4 (“Apps that collect health information, regardless of whether or not they connect to an EHR, must be regulated by the FTC Health Breach Notification Rule to ensure the safety and security of personal health information.”); Am.’s Health Ins. Plans (“AHIP”) and Blue Cross Blue Shield Ass’n (“BCBS”) at 2; The App Ass’n’s Connected Health Initiative (“CHI”) at 3.
[20] Kaiser Permanente at 7; The Light Collective at 2; Am. Acad. of Ophthalmology at 2; PEHRC at 2–3.
[21] Lisa McKeen at 2–3; Kaiser Permanente at 7–8; AMA at 3; Off. of the Att’y Gen. for the State of Cal. (“OAG–CA”) at 3–4; Healthcare Info. and Mgmt. Sys. Soc’y (“HIMSS”) and Personal Connected Health All. (“PCH Alliance”) at 4–5.
[22] Georgia Morgan; Am. Acad. of Ophthalmology at 2–3 (arguing that consumers do not know all the ways their data is being used by third parties, and the downstream consequences of data being used in this way may ultimately erode a patient’s privacy and willingness to disclose information to his or her physician); Coll. of Healthcare Info. Mgmt. Exec.’s (“CHIME”) at 3 (arguing that apps’ privacy practices impact the patient-provider relationship because providers do not know what technologies are sufficiently trustworthy for their patients); AMA at 2–3 (expressing concern that patients share less health data with health care providers, perhaps because of “spillover from privacy and security breaches”).
[23] Kaiser Permanente at 2, 4; Workgroup for Elec. Data Interchange (“WEDI”) at 2; AHIP and BCBS at 3 (“[HIPAA] covered entities, such as health plans, that use or disclose protected health information should not be subject to stricter notification requirements than those imposed on vendors of personal health records or other such entities. Otherwise, the Federal government will be providing market advantages to particular industry segments with the effect of dampening competition and harming consumers.”).
[24] Kaiser Permanente at 4; Fred Trotter at 1; Casey Quinlan at 1; CARIN Alliance at 2. At the time of this document’s publication, the Commission has brought two enforcement actions under the Rule; the first against digital health company GoodRx Holdings, Inc., and the second against an ovulation-tracking mobile app marketed under the name “Premom” and developed by Easy Healthcare, Inc. United States v. GoodRx Holdings, Inc., No. 23–cv–460 (N.D. Cal. Feb. 17, 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc; United States v. Easy Healthcare Corp., No. 1:23–cv–3107 (N.D. Ill. June 22, 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v.
[25] Statement of the Commission on Breaches by Health Apps and Other Connected Devices, Fed. Trade Comm’n (Sept. 15, 2021), https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf (“Policy Statement”).
[26] 16 CFR 318.2.
[27] Id. § 318.2, incorporating in part the definition from section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)).
[28] Id. § 318.2; 42 U.S.C. 1320d(6), d(3).
[29] See Policy Statement at 1.
[30] The Policy Statement provided this example: “[I]f a blood sugar monitoring app draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from your phone’s calendar), it is covered under the Rule.” Id. at 2.
[31] 16 CFR 318.2.
[32] Policy Statement at 2. In the Statement of Basis and Purpose to the 2009 Final Rule published in the Federal Register (“2009 Rule Commentary”), the Commission, in addressing questions about how the extent of individual authorization should be determined, stated data sharing to enhance consumers’ experience with a PHR is authorized only if such use is consistent with the entity’s disclosures and individuals’ reasonable expectations. For anything beyond such uses, the Commission expects vendors of personal health records and PHR related entities to limit the sharing of consumers’ information, unless the consumers exercise “meaningful choice” in allowing sharing. The Commission believes burying disclosures in lengthy privacy policies does not satisfy the standard of “meaningful choice.” 74 FR 42967.
[33] United States v. GoodRx Holdings, Inc., No. 23–cv–460 (N.D. Cal. Feb. 17, 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc.
[34] In addition, the Commission alleged GoodRx’s data sharing practices were deceptive and unfair, in violation of section 5 of the FTC Act.
[35] United States v. Easy Healthcare Corporation, No. 1:23–cv–3107 (N.D. Ill. June 22, 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v.
[36] 88 FR 37819 (“2023 NPRM”).
[37] 16 CFR 313.3(b). The FTC’s Financial Privacy Rule requires financial institutions to provide particular notices and to comply with certain limitations on disclosure of nonpublic personal information. Using a comprehensive definition of “clear and conspicuous” based on the Financial Privacy Rule definition aims to ensure consistency across the Commission’s privacy-related rules.
The proposed Rule defined “PHR identifiable health information” as information (1) that is provided by or on behalf of the individual; (2) that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual; (3) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and (4) is created or received by a health care provider, health plan (as defined in 42 U.S.C. 1320d(5)), employer, or health care clearinghouse (as defined in 42 U.S.C. 1320d(2)). The Commission explained that this proposed definition covers traditional health information (such as diagnoses or medications), health information derived from consumers’ interactions with apps and other online services (such as health information generated from tracking technologies employed on websites or mobile applications or from customized records of website or mobile application interactions), as well as emergent health data (such as health information inferred from non-health-related data points, such as location and recent purchases). The Commission sought comment as to whether any further amendment of the definition was needed to clarify the scope of data covered.

Second, the NPRM proposed to define the term “health care provider” that appears in the proposed definition of “PHR identifiable health information” (“is created or received by a health care provider”). The Commission proposed to define this term in a manner similar to the definition of “health care provider” found in 42 U.S.C. 1320d(3) (and referenced in 42 U.S.C. 1320d(6), which is directly referenced in section 13407 of the Recovery Act), to mean a provider of services (as defined in 42 U.S.C. 1395x(u)), a provider of medical or other health services (as defined in 42 U.S.C. 1395x(s)), or any other entity furnishing health care services or supplies. The Commission observed that this proposed definition, which is consistent with the statutory scheme, differs from, but does not contradict, the definitions or interpretations adopted by HHS. The Commission sought comment on defining this term more broadly than the term is used in other contexts.

Third, the NPRM proposed to define “health care services or supplies” (the final term in the definition of “health care provider”) to include any online service, such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools. The Commission explained that this change clarified that the Rule applies generally to online services, including websites, apps, and internet-connected devices that provide health care services or supplies, and clarified that the Rule covers online services related not only to medical issues (by including in the definition terms such as “diseases, diagnoses, treatment, medications”) but also wellness issues (by including in the definition terms such as “fitness, sleep, and diet”).

[38] Comments are available at https://www.regulations.gov/document/FTC-2023-0037-0001/comment.
The Commission explained that these proposed changes to the definitions clarified that developers of health apps and similar technologies providing "health care services or supplies" qualify as "health care providers," such that any individually identifiable health information these products collect or use would constitute "PHR identifiable health information" covered by the Rule. The Commission explained that these proposed changes further clarified that a mobile health application can be a "personal health record" covered by the Rule and the developers of such applications can be "vendors of personal health records."

2. Public Comments Regarding the Commission's Proposal To Clarify the Entities Covered

The Commission received numerous comments on the application of the Rule to health apps and similar technologies. A substantial number of commenters supported the Rule's application to health apps and similar technologies not covered by HIPAA as necessary in light of the explosion of health apps and the associated dangers to the privacy and security of consumers' health information.[39] Notably, support for the Commission's proposals came from a variety of commenters—industry associations,[40] businesses,[41] members of Congress,[42] consumer or patient advocacy groups,[43] individual consumers,[44] and anonymous sources.[45] Many commenters argued that safeguards for non-HIPAA covered health data are essential,[46] particularly because consumers generally are not aware of varying legal protections for health data.[47] Indeed, according to some commenters, requiring notification to consumers of the breach of health information not protected by HIPAA is precisely what Congress intended by authorizing the FTC to issue this Rule; the Commission's proposed changes are, therefore, consistent with the goals of the Recovery Act.[48] Some commenters argued that Federal privacy legislation is needed to protect non-HIPAA covered health data, but, in the interim, the Commission should strengthen its Rule to protect consumer health data to the extent possible.[49] Other commenters urged the Commission to take even broader measures in this Rule, such as imposing breach prevention measures,[50] banning health-based surveillance technologies or targeted advertising,[51] banning selling or sharing of health data not necessary to provide patient care or mandating data retention limits and deletion,[52] or requiring adherence to standardized terms of service with strong privacy protections.[53]

Although many commenters expressed support for the proposed changes, several business coalitions, industry associations and individual firms opposed the changes, which, they argued, are inconsistent with Congress's intent in the Recovery Act to address a narrow subset of "personal health records" and therefore exceed the FTC's statutory authority.[54] According to some comments, Congress should address any privacy issues that exceed the narrow scope of the Recovery Act. These commenters also contend that if the Commission believes there has been a violation of section 5, then the Commission needs to engage in an FTC Act section 18 rulemaking.[55] One commenter argued further that consumers have different privacy expectations for an electronic health record offered by their physician versus a fitness app (for example) that they download themselves, and the Commission's Rule should respect those differing expectations.[56] Some commenters opposed to the changes also argued that the revised definitions would reduce choice and access in the marketplace,[57] stifle innovation,[58] or create disincentives for advertising[59] because (1) firms would risk initiating breaches by sharing user data with their partners and (2) in accepting data from health apps, partners such as advertising and analytics firms would risk being covered by the Rule.[60] According to some commenters, placing such strictures on the advertising and service provider ecosystem would raise prices (by, for example, undermining ad-supported services) and thereby harm competition.[61] One commenter argued that while robust protections for consumer health data are needed, the Rule should not be a vehicle for such protections, because it will result in over-notification of consumers (who have largely learned to disregard breach notices) and be a barrier to legislative change on privacy and data security issues more generally.[62] Another commenter argued against a breach notification rule altogether, asserting that the Commission should instead focus on requiring robust data security practices to prevent breaches in the first instance.[63]

Some commenters specifically addressed the proposed changes to the definitions of "PHR identifiable health information" and the new definitions of "health care provider" and "health care services or supplies."

First, a number of comments addressed the scope of "PHR identifiable health information." Some commenters urged greater breadth, arguing, for example, that the definition of "PHR identifiable health information" should be expanded to include other types of data, such as data about an individual—not just data provided by or on behalf of an individual.[64] Other commenters urged the Commission to state expressly that its definition encompasses particular types of information, such as unique persistent identifiers[65] or information about sexual health[66] or substance use or treatment.[67] By contrast, some commenters urged the Commission to narrow the definition or otherwise clarify its limits, by, for example, exempting data relating to clinical research or trials[68] or data that has been de-identified.[69] Relatedly, some commenters urged the Commission to create a definition of or standard for "identifiable data," "de-identification" or "de-identified data,"[70] such as by adopting HHS's de-identification standard,[71] or by stating that information is identifiable if it is "reasonably linkable to an identified or identifiable individual."[72] Commenters argued that clarifying what constitutes "identifiable" data is necessary both because of the increasing ability for de-identified data to be re-identified[73] and because the market needs clarity to enable uninhibited flow of de-identified health data for research, public health, and commercial activities.[74] Indeed, according to one commenter, failure to clarify the standard could complicate or chill public health research and other innovation.[75] One commenter argued that an objective standard of "reasonable linkability" is better than what the commenter described as the Rule's knowledge-based standard (i.e., whether the company has a reasonable basis to believe it can be used to identify an individual).[76] One commenter urged the Commission to issue a new notice of proposed rulemaking on the issue of de-identification alone.[77]

Second, many commenters specifically addressed the Commission's proposed new definition of "health care provider." One commenter applauded the Commission's revised definition of "health care provider," arguing that taking a crabbed view of that or related terms would lead to further fragmentation of health data, which is already fragmented by HIPAA's limited purview.[78] Another commenter noted the Commission's definition of "health care provider" is simply a logical outgrowth of how consumers interact with health apps: consumers look to health apps to provide health-related services—the quintessential function of a health care provider.[79] Other commenters, however, raised concerns that the proposed definition of "health care provider" is confusing in its departure from HIPAA's terminology or is otherwise overbroad.[80] Some commenters argued this departure from the traditional meaning of the term is not what Congress intended.[81] A few commenters suggested reducing the confusion with the traditional term by re-naming the definition. These commenters suggested the Commission instead use one of the following terms: "non-HIPAA-regulated health care provider,"[82] "PHR provider,"[83] "Health-related vendor,"[84] "HIPAA covered entity,"[85] or "health-related service provider."[86] Another commenter recommended eliminating the confusion by stating within the definition that it excludes HIPAA-covered entities and their business associates.[87] Another commenter urged the Commission to affirm that its definition would have no impact on the term "health care provider" as used in other regulations.[88]

Several comments also expressed concern with the final phrase of the definition of "health care provider" ("any other entity furnishing health care services or supplies"), as overly broad and confusing. Commenters argued its breadth (and the breadth of the accompanying definition of "health care services or supplies") would have perverse results, turning retailers of tennis shoes, shampoo, or vitamins into entities covered by the Rule, which is not what Congress intended.[89] Moreover, it would result not only in compliance burdens for companies (with the downstream effect of raising prices for consumers) but also in massive over-notification of consumers, who will become desensitized to the onslaught of notices.[90] Several commenters urged the Commission to address this problem by dropping the phrase "any other entity furnishing health care services or supplies" entirely—or at least excising the word "supplies"—from the definition of "health care provider."[91] One commenter recommended replacing the phrase with a different phrase: "any other person or organization who furnishes, bills, or is paid for health care in the normal course of business."[92] Another commenter recommended expressly excluding retailers.[93] Commenters requested further clarification of certain terms within the definition of "health care provider," including the terms "furnishing"[94] and "health care."[95] And another commenter argued a better approach would be to jettison the definitions of "health care provider" and "health care services and supplies" entirely and instead apply the Rule to any entity that "promotes its offering as addressing, improving, tracking or informing matters about a consumer's health."[96]

Third, some commenters addressed the proposed definition of "health care services or supplies."[97] Several commenters requested more clarity as to what constitutes an "online service,"[98] as nearly all commercial activities have some online presence.[99] Several commenters recommended deleting the final phrase of the definition ("or that provides other health-related services or tools") to limit the definition's breadth.[100] Conversely, some commenters urged the Commission to reinforce its breadth, by expressly stating that "health care services or supplies" include services related to "wellness"[101] or to specific health conditions, such as substance abuse disorder diagnosis, treatment, medication, recurrence of use ("relapse") and recovery.[102]

[39] See generally, Am. Acad. of Fam. Physicians ("AAFP"); AHIP; AHIMA; Ass'n of Health Info. Outsourcing Serv.'s ("AHIOS"); AMA; Am. Med. Informatics Ass'n ("AMIA"); ANI; Anonymous 1; Anonymous 2; Anonymous 3; Anonymous 4; Anonymous 9; Anonymous 10; Anonymous 11; Anonymous 14; Am. Osteopathic Ass'n ("AOA"); Ella Balasa; Beth Barnett; Lauren Batchelor; Bipartisan Pol'y Ctr. ("BPC"); Alan Brewington; Ctr. for Democracy & Tech. ("CDT"); Ctr. for Digit. Democracy ("CDD"); Confidentiality Coal.; Consumer Rep.'s; Elec. Frontier Found. ("EFF"); Elec. Priv. Info. Ctr. ("EPIC"); Dave K.; Members of the House of Representatives; MRO Corp. ("MRO"); Omada Health; Pharmed Out; Planned Parenthood Federation of Amer. ("Planned Parenthood"); CB Sanders; Robb Streicher; SYNGAP1 Foundation and SYNGAP1 Foundation 2; Devin Thompson; Janice Tufte; Michael Turner; U.S. Public Interest Research Group ("U.S. PIRG"); UL Sol.'s; Grace Vinton; WEDI; Anli Zhou. Some commenters elaborated on the nature of the risks to consumers' health data and on the importance to consumers. Two commenters, for example, described research they had performed regarding mental health and/or reproductive health apps' disclosure of consumers' health data to third parties. Mozilla at 3–4; Consumer Reports at 2. Another commenter, a public interest group and advocacy organization, attached a petition containing 9,659 signatures asking for strong rules to protect digital health privacy. US PIRG at 5–230.
[40] E.g., AAFP, AHIMA, AHIOS, AMA, AMIA, AOA; Network Advert. Initiative ("NAI").
[41] E.g., Mozilla; MRO; Omada Health; UL Sol.'s.
[42] See Members of the House of Representatives (six members of Congress expressing support for the proposed changes).
[43] E.g., CDD; CDT; EFF; U.S. PIRG.
[44] Ella Balasa; Beth Barnett; Lauren Batchelor; Alan Brewington; Sean Castillo; Dave K.; CB Sanders; Robb Streicher; Devin Thompson; Janice Tufte; Michael Turner; Grace Vinton; Anli Zhou.
[45] Anonymous 1; Anonymous 2; Anonymous 3; Anonymous 4; Anonymous 5; Anonymous 6; Anonymous 9; Anonymous 10; Anonymous 11; Anonymous 14.
[46] See, e.g., AAFP at 1–2; AHIMA at 2; AHIOS at 2; Anonymous 5 at 1; AOA at 1; Am. Speech-Language-Hearing Ass'n ("ASHA") at 1; Am. Psychiatric Ass'n ("APA") at 1; CDT at 3–4; CHIME at 2; EFF at 1; Generation Patient at 1; HIMSS at 2; HIMSS Elec. Health Rec. Ass'n ("HIMSS EHR Ass'n") at 1; MRO at 1–2; Omada Health at 2; PharmedOut at 1; Planned Parenthood at 2–3; Michael Turner at 1; WEDI at 1–4.
[47] AHIMA at 2; Anonymous 5 at 1; ASHA at 1; EFF at 1; WEDI at 2. One commenter, a software company that assists digital health companies with legal compliance, argued that three factors, in particular, support greater protection for digital health data: (1) consumers mistakenly believe HIPAA covers all health data; (2) there is a culture within some digital health companies that favors rapid adoption of products to secure venture capital even when compliance infrastructure is lacking; and (3) digital health products deal with sensitive data and inherently present a greater privacy risk given their heavy reliance on data and data exchange compared to traditional medicine. Tranquil Data at 1.
[48] Confidentiality Coal. at 2; Consumer Rep.'s at 4.
[49] See, e.g., AAFP at 2. One commenter, an industry coalition focused on health IT and health care information exchange, emphasized a significant privacy problem adjacent to the Rule: whether HIPAA covered entities should warn patients about the privacy risks associated with health apps and what the Federal government can do to apply equal privacy protections to health data, notwithstanding HIPAA's limitations. See WEDI at 3. One commenter supported the proposed changes but argued the Commission should work with Congress to update antiquated terms like "personal health record." HIMSS at 3.
[50] Ella Balasa at 2; PharmedOut at 1.
[51] Light Collective at 5.
[52] EFF at 2.
[53] Texas Med. Ass'n ("TMA") at 1–2.
[54] See, e.g., Ass'n of Nat'l Advertisers, Inc. ("ANA") at 4–5; Comput. & Commc'n's Indus. Ass'n ("CCIA") at 2–3; Chamber of Com. ("Chamber") at 1–3; CHI at 2; Consumer Tech. Ass'n ("CTA") at 2; Lab'y Access and Benefits Coal. ("LAB") at 1; Priv. for Am. at 1–2; TechNet at 2.
[55] Priv. for Am. at 2–3; Chamber at 6–7; Health Innovation All. ("HIA") at 1. See also Advanced Med. Tech. Ass'n ("AdvaMed") at 1 (recommending the Commission adopt a privacy framework pursuant to the advanced notice of proposed rulemaking (R111004) regarding commercial surveillance and data security (87 FR 51273, Aug. 22, 2022)).
[56] CCIA at 4.
[57] Am. Telemedicine Ass'n ("ATA Action") at 1.
[58] TechNet at 1–2; CTA at 5.
[59] ANA at 3.
[60] Priv. for Am. at 3.
[61] E.g., ANA at 3; Priv. for Am. at 1, 3–4.
[62] World Priv F. ("WPF") at 4.
[63] HIA at 2.
[64] Consumer Rep.'s at 3.
[65] Id.
[66] BPC at 1–2; Planned Parenthood at 5.
[67] Legal Action Ctr. & Opioid Pol'y Inst. at 1–2.
[68] Soc'y for Clinical Rsch. Sites ("SCRS") at 1.
[69] Future of Priv. F. ("FPF") at 3.
[70] SCRS at 2; Chamber at 7; EPIC at 7–9; FPF at 3–4; LAB at 2; MRO at 4; Network for Pub. Health L. and Texas A&M Univ. ("Network") at 3.
[71] LAB at 2; Network at 3; SCRS at 2.
[72] FPF at 3.
[73] SCRS at 2.
[74] FPF at 3; Network at 3–4.
[75] Network at 3.
[76] FPF at 3.
[77] Chamber at 7.
[78] CDT at 11.
[79] Confidentiality Coal. at 3–4.
[80] AAFP at 2–3; AdvaMed at 3–4; AHIP at 2; AMA at 2–3; ATA Action at 1; CARIN Alliance at 2–3; CCIA at 3; CTA at 4, 6–9; Datavant at 2; Invitae Corp. ("Invitae") at 4; NAI at 3–4; Software & Info. Indus. Ass'n ("SIIA") at 1–2; TechNet at 2; TMA at 2–3; WPF at 7.
[81] ANA at 5; ATA Action at 1; Invitae at 4–5; Priv. for Am. at 4.
[82] Planned Parenthood at 6.
[83] WPF at 7.
[84] AHIP at 2.
[85] AMA at 3.
[86] AHIP at 2.
[87] Datavant at 2.
[88] AAFP at 2–3.
[89] ANA at 7–8; CCIA at 4; CHI at 3–4; CTA at 7–8; SIIA at 2.
[90] ANA at 3; SIIA at 1.
[91] AdvaMed at 4; CHI at 4; CTA at 9; TechNet at 2.
[92] AdvaMed at 4.

3. The Commission Adopts the Proposed Changes To Clarify the Entities Covered

After considering the comments received, the Commission adopts the proposed changes to the Rule (with only non-substantive, organizational improvements noted below) to clarify that the Rule applies to mobile health applications and similar technologies.
The Commission agrees with the substantial number of comments, from many different types of entities and individuals, who argued that such clarification is necessary in light of changing technology (i.e., the mass adoption of health apps) and the privacy and data security risks to consumer health data collected by that technology. The Commission also agrees with 93 CTA at 8–9. at 2. 95 AdvaMed at 3 (urging the Commission to define ‘‘health care’’ and ‘‘health care provider’’ as in 45 CFR 160.103). 96 WPF at 10. 97 AdvaMed at 3; AAFP at 3; AHIP at 3; Priv. for Am. at 6–7. 98 MRO at 2; WPF at 7–8. 99 WPF at 8. 100 NAI at 4. 101 EPIC at 4. 102 Legal Action Ctr. & Opioid Pol’y Inst. at 3. 94 EPIC E:\FR\FM\30MYR2.SGM 30MYR2 47034 Federal Register / Vol. 89, No. 105 / Thursday, May 30, 2024 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES2 commenters who argued that the proposed changes to the Rule are consistent with the Recovery Act, which was intended to bolster breach notifications for consumer health data that falls outside HIPAA. Although the Commission agrees with commenters who argue that consumer health data should enjoy substantial and unfragmented privacy protections, this Rule addresses breach notification, not omnibus privacy protections. While this rulemaking does not address omnibus privacy protections, the Commission observes that companies collecting or holding consumers’ sensitive health data should engage in many of the practices commenters described, such as imposing data retention limits, enabling deletion options, and preventing breaches through robust privacy and data security practices.103 The Commission is not persuaded that applying the Rule to health apps and similar technologies will have deleterious consequences for individual firms or competition or result in overnotification of consumers. 
Importantly, the only obligation the Rule imposes is to notify the Commission, consumers, and, in some cases, the media of a breach of unsecured PHR identifiable health information. As noted in the NPRM, many State laws already impose similar, or significantly broader, data breach obligations.104 Moreover, firms can avoid notification costs entirely by avoiding breaches—by reducing the amount of unsecured PHR identifiable health information they access and maintain (which can be achieved by securing PHR identifiable health information), by de-identifying health information, and by implementing other privacy and data security measures appropriate to the sensitivity of the data. Congress intended for consumers to learn of breaches of their unsecured PHR identifiable health information that fall outside HIPAA; the changes to the Rule help ensure consumers will receive the notification Congress intended. The Commission carefully considered the arguments commenters raised that the definitional changes depart from the language or spirit of the Recovery Act. The Commission does not agree. The definitions hew closely to the language of the Recovery Act and to the 103 In the 2009 Final Rule, the Commission similarly underscored the importance of maintaining protections for health information, stating: ‘‘In addition, as noted in the NPRM, the Commission expects entities that collect and store unsecured PHR identifiable health information to maintain reasonable security measures, including breach detection measures, which should assist them in discovering breaches in a timely manner.’’ 74 FR 42971 n.93 (2009). 104 88 FR 37832 n.103. VerDate Sep<11>2014 20:09 May 29, 2024 Jkt 262001 definitions directly referenced by the Recovery Act in section 1171(6) of the Social Security Act, 42 U.S.C. 1320d(6). 
As many commenters noted, while health apps did not exist when Congress passed the Recovery Act, they function in a similar manner to the personal health records that existed at the time. For these reasons, the Commission is adopting the proposed definitions, with minor clarifications. First, the Commission has retained the definition of ‘‘PHR identifiable health information’’ as set out in the NPRM, with non-substantive organizational changes noted below. In response to comments that the definition of ‘‘PHR identifiable health information’’ should be broader, the Commission notes the definition, which closely follows the statutory language, already encompasses most of the categories of data that commenters identified. For example, unique, persistent identifiers (such as unique device and mobile advertising identifiers), when combined with health information, constitute ‘‘PHR identifiable health information,’’ if these identifiers can be used to identify or reidentify an individual. Moreover, ‘‘PHR identifiable health information’’ encompasses information about sexual health and substance abuse disorders, because the information ‘‘relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.’’ The Recovery Act states PHR identifiable health information is information provided ‘‘by or on behalf of the individual,’’ so the Commission declines to change this phrase to ‘‘about,’’ as one commenter suggested.105 The Commission notes, however, that information provided ‘‘by or on behalf of the individual’’ will encompass much information ‘‘about’’ an individual, as the consumer is the original source of most data; many inferences ‘‘about’’ the individual originate from information provided ‘‘by or on behalf of the individual.’’ The Commission does not agree with commenters who sought to narrow the 
definition of PHR identifiable health information out of concern for the Rule’s overall breadth. The Commission notes that liability under the Rule does not arise from a single definition. While data used for public health research, for example, may, in some instances, meet the definition of ‘‘PHR identifiable health information,’’ the firm using that data is subject to the Rule only if other 105 Consumer PO 00000 Frm 00008 Rep.’s at 4. Fmt 4701 conditions are met (i.e., the firm is an entity covered by the Rule). The Commission declines to create a new definition of ‘‘de-identified data’’ or another similar term, because the definition of de-identification is already embedded in the second part of the definition of PHR identifiable health information (‘‘that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual’’). Where there is no ‘‘reasonable basis to believe that the information can be used to identify the individual,’’ the information is not identifiable; rather, it is de-identified. If data has been de-identified according to standards set forth by HHS, then there is not a ‘‘reasonable basis to believe that the information can be used to identify the individual,’’ as the definition of PHR identifiable health information requires. Because the Commission’s standard is consistent with HHS’s, the Commission’s Rule poses no impediment to health-related research or other flows of de-identified data. The Commission does not view the existing language as a subjective standard that turns on a company’s knowledge, as one commenter suggested; by requiring a ‘‘reasonable basis to believe’’ that the information is not identifiable, the Rule creates an objective standard. Whether such reasonable basis exists will depend on whether the data can reasonably be linked to an individual consumer. 
There is no need for a supplemental notice of proposed rulemaking on this issue, as the Commission is not changing this aspect of the Rule, which closely follows the statute.106 Second, the Commission is modifying the proposed definition of ‘‘health care provider’’ to ‘‘covered health care provider’’ to distinguish that term from interpretations of the term ‘‘health care provider’’ in other contexts, which may be more limited in scope. As commenters requested, the Commission affirms its definition of ‘‘covered health care provider’’ is unique to the Rule; it does not bear on the meaning of ‘‘health care provider’’ as used in other regulations enforced by other government agencies. The Commission adopts this change merely to dispel confusion in terminology; the Commission is not making any substantive change from the definition as proposed. The Commission does not need to state expressly, either in this definition or elsewhere, that the Rule’s notification requirements do not apply to HIPAA-covered entities and their business associates, as § 318.1 of the 106 42 Sfmt 4700 E:\FR\FM\30MYR2.SGM U.S.C. 17937(f)(2). 30MYR2 ddrumheller on DSK120RN23PROD with RULES2 Federal Register / Vol. 89, No. 105 / Thursday, May 30, 2024 / Rules and Regulations Rule already includes this proviso. The Commission declines to remove the phrase ‘‘any other entity furnishing health care services or supplies’’ from the definition of ‘‘health care provider,’’ because this phrase is nearly identical to the language that appears in 42 U.S.C. 1320d(3), which is referenced in the definition of individually identifiable health information in 42 U.S.C. 1320d(6), which is in turn referenced in the definition of PHR identifiable health information in section 13407(f)(2) of the Recovery Act, 42 U.S.C. 
17937.107 The Commission declines to define the terms ‘‘furnish’’ and ‘‘health care’’ as the Commission believes the plain meaning of the term ‘‘furnish’’ (to supply someone with something) is already clear and adding a definition of ‘‘health care’’ is unnecessary in light of the definition of ‘‘covered health care provider’’ and ‘‘health care services and supplies.’’ Differences from HHS’s regulations pursuant to HIPAA are appropriate, as the Recovery Act differs from HIPAA, and the Recovery Act’s mandate is specifically to cover entities not covered by HIPAA. Third, the Commission is adopting the proposed definition of ‘‘health care services or supplies,’’ with one minor modification: the Commission has substituted the word ‘‘means’’ for ‘‘includes’’ to avoid implying greater breadth than the Commission intends. The Commission adopts this change merely to dispel confusion about undue breadth; the Commission does not intend any substantive change from the definition proposed. The Commission otherwise affirms the proposed definition without change. The Commission believes the term ‘‘online service’’ in the definition of ‘‘health care services or supplies’’ is sufficiently clear because of the examples of ‘‘online services’’ given within the definition itself: website, mobile application, or internet-connected device. Providing an exhaustive list of what constitutes an online service would prevent the definition from being sufficiently flexible to account for future innovation in types of online services. The Commission also retains the catch-all ‘‘or that provides other health-related services or tools’’ for the same reason: to ensure the Rule’s language can accommodate future changes in technology. 
There is no undue breadth, because that phrase’s meaning is in the 107 The definition of ‘‘covered health care provider’’ in § 318.2 substitutes ‘‘entity’’ for ‘‘person’’—i.e., ‘‘any other entity furnishing health care services or supplies’’—because the rest of the Rule speaks in terms of ‘‘entities,’’ but the definition in § 318.2 is otherwise identical to the statutory definition in 42 U.S.C. 1320d(3). VerDate Sep<11>2014 20:09 May 29, 2024 Jkt 262001 context of the preceding phrase (‘‘provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet’’). In response to some commenters’ concerns that the proposed Rule’s definition of ‘‘health care provider’’ and ‘‘health care services or supplies’’ would impermissibly cause the Rule to cover retailers of general-purpose items like tennis shoes, shampoo, or vitamins, the Commission disagrees this would necessarily be the case. A threshold inquiry under the Rule is whether an entity is a ‘‘vendor of personal health records,’’ which the Recovery Act defines as ‘‘an entity . . . that offers or maintains a personal health record.’’ 108 The Recovery Act usage of the term ‘‘vendor of’’ in connection with ‘‘personal health records’’ underscores that entities that are not in the business of offering or maintaining (e.g., selling, marketing, providing, or promoting) a health-related product or service are not covered—in other words, they are not ‘‘vendors’’ of personal health records. 
Thus, to be a vendor of personal health records under the Rule, an app, website, or online service must provide an offering that relates more than tangentially to health.109 The Commission notes a general retailer (one that sells food products, children’s toys, garden supplies, healthcare products (such as pregnancy tests), or apparel (such as maternity clothes)) offering consumers an app to purchase and access purchases of these products—by itself—would not make the retailer a vendor of personal health records. In this scenario, purchase information relating to certain items— such as a pregnancy test or maternity clothes from a retailer—may reveal information about that person’s health. While this purchase information may be PHR identifiable health information, the retailer in this scenario is not a vendor of personal health records because the app is only tangentially related to 108 42 U.S.C. 17921(18); see also 42 U.S.C. 17937. least one commenter urged a somewhat similar interpretation, contending that a relevant inquiry in determining whether a service offers a personal health record is ‘‘the terms under which a product or service is offered to consumers. If an entity promotes its offering as addressing, improving, tracking, or informing matters about a consumer’s health, then that entity’s offering would be subject to the rule. Thus, any product or services that tracks or addresses physical activity, blood pressure, heart rate, digestion, strength, genetics, sleep, weight, allergies, pain, and similar characteristics would be subject to a PHR rule.’’ See WPF at 10. 109 At PO 00000 Frm 00009 Fmt 4701 Sfmt 4700 47035 health. The Commission notes, however, there may be scenarios where a general-purpose retailer described above may become a vendor of personal health records under the Rule, such as where the retailer offers an app with features or functionalities that are sold, marketed, or promoted as more than tangentially relating to health. 
In addition, the Commission reiterates a personal health record must be an electronic record of PHR identifiable health information on an individual, must have the technical capacity to draw information from multiple sources, and must be managed, shared, and controlled by or primarily for the individual. The Commission also notes that purchases of items at a brick and mortar retailer where there is no app, website, or online service to access or track that purchase information electronically is not a personal health record, because there is no electronic record at issue. Contrary to the assertions of some commenters, these definitions do not result in undue breadth, because they do not function in isolation. The Commission provides the following examples to illustrate the interplay of these definitions with the definition of ‘‘personal health record’’: • Example 1: Health advice app or website A, which is not covered by HIPAA, provides information to consumers about various medical conditions. Its function is purely informational; it does not provide any mechanism through which the consumer may track or record information. Health advice app or website A is not a personal health record, because it is not an electronic record of PHR identifiable health information on an individual. • Example 2: Health advice app or website B, which is not covered by HIPAA, provides information to consumers about various medical conditions and provides a symptom tracker, available to consumers who log into the site with a username and password, in which consumers may input symptoms and receive potential diagnoses. 
Health advice app or website B is an electronic record of PHR identifiable health information on an individual, because its information is provided by the individual, it identifies the individual (via username and password), it relates to the individual’s health conditions (the symptoms), and is received by a health care provider (i.e., the entity providing the site itself, as that entity is furnishing the health care service of an online service that provides mechanisms to track symptoms). However, health advice app or website B is not a personal health record to the extent the site does not have the technical capacity to draw information from multiple sources (i.e., if the consumer is its only source of information).

• Example 3: Health advice app or website C, which is not covered by HIPAA, functions in the same way as health advice app or website B, except that it collects geolocation data via an application programming interface (“API”). For the reasons stated in Example 2, it is an electronic record of PHR identifiable health information on an individual. It also has the technical capacity to draw information from multiple sources (consumer inputs and collection of geolocation data through the API). It is managed primarily for the individual (i.e., to provide the individual health advice). Therefore, health advice app or website C is a personal health record.

• Example 4: Health advice app or website D, which is not covered by HIPAA, functions in the same way as health advice app or website B, except that it also draws information from a data broker and connects that information to some of its individual users to provide them with more accurate diagnostic suggestions. For the reasons stated in Example 2, it is an electronic record of PHR identifiable health information on an individual.
It also has the technical capacity to draw information from multiple sources (the consumer and the data broker) and is managed by or primarily for the individual. Therefore, health advice app or website D is a personal health record.

Whether a health app or other electronic record constitutes a personal health record (and is therefore subject to the Rule) is a fact-intensive inquiry whose outcome depends not only on the nature of the information contained in that record, but also on numerous other factors, such as its “technical capacity,” its source(s) of information, and its relationship to the individual.

Finally, the Commission notes a nonsubstantive, organizational change relating to the definition of “PHR identifiable health information.” In the 2023 NPRM, the Commission proposed revising “PHR identifiable health information” by importing language from section 1171(6) of the Social Security Act, 42 U.S.C. 1320d(6), which is referenced directly in section 13407 of the Recovery Act. To hew more closely to the organization of the Recovery Act, and to preserve the word “includes” in the phrase “includes information that is provided by or on behalf of the individual,” the Commission slightly revised the order of the elements in the definition of “PHR identifiable health information.”

B. Clarification of What It Means for a Personal Health Record To Draw Information From Multiple Sources

1. The Commission’s Proposal Regarding What It Means for a Personal Health Record To Draw Information From Multiple Sources

The Commission proposed amending the definition of the term “personal health record” to clarify what it means for a personal health record to draw information from multiple sources.
Under the 2009 Rule, a personal health record is defined as an electronic record of PHR identifiable health information that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. Under the Commission’s proposed definition, a “personal health record” would be defined as an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual. Changing the phrase “that can be drawn from multiple sources” to “has the technical capacity to draw information from multiple sources” serves several purposes. First, it clarifies a product is a personal health record if it can draw information from multiple sources, even if the consumer elects to limit information to a single source only, in a particular instance. For example, a depression management app that accepts consumer inputs of mental health states and has the technical capacity to sync with a wearable sleep monitor is a personal health record, even if some customers choose not to sync a sleep monitor with the app. Thus, whether an app qualifies as a personal health record would not depend on the prevalence of consumers’ use of a particular app feature, like sleep-monitor syncing. Instead, the analysis of the Rule’s application would be straightforward: either the app has the technical means (e.g., the application programming interface or API) to draw information from multiple sources, or it does not. Next, adding the phrase “technical capacity to draw information” clarifies a product is a personal health record if it can draw any information from multiple sources, even if it only draws health information from one source.
This change further clarifies the Commission’s interpretation of the Recovery Act, as explained in the Policy Statement.110 The Commission sought public comment as to whether this revised language sufficiently clarifies the Rule’s application to developers and purveyors of products that have the technical capacity to draw information from more than one source. The Commission invited comment on its interpretation that an app is a personal health record because it has the technical capacity to draw information from multiple sources, even if particular users of the app choose not to enable the syncing features. The Commission also requested comment about whether an app (or other product) should be considered a personal health record even if it only draws health information from one place (in addition to non-health information drawn elsewhere), or only draws identifiable health information from one place (in addition to non-identifiable health information drawn elsewhere). The Commission further requested comment about whether the Commission’s bright-line rule (apps with the “technical capacity to draw information” are covered) should be adjusted to take into account consumer use, such as where no consumers (or only a de minimis number) use a feature, and about the likelihood of such scenarios. For example, the Commission offered an example of an app that might have the technical capacity to draw information from multiple sources, but whose API is entirely or mostly unused, either because it remains a Beta feature, has not been publicized, or is not popular.

110 Policy Statement at 2.

2. Public Comments Regarding What It Means for a Personal Health Record To Draw Information From Multiple Sources

Many commenters supported the Commission’s proposal amending the definition of a “personal health record.”111 Commenters noted, for instance, this change would help to ensure that many services that collect PHR identifiable health information are covered by the Commission’s Rule,112 and would help to promote greater privacy and security for health information,113 while still “hewing to the limitations of the statute.”114 Some commenters noted without this change, developers of personal health records (such as app developers) might have incentives to design their products in ways that would intentionally skirt the Rule’s requirements (such as by restricting a consumer’s ability to import data from other sources).115 Others noted the importance of the Rule covering apps with the technical capacity to draw information from multiple sources even where such capacity is not used by the consumer.116

Other commenters opposed this proposal.117 Some argued the proposed clarification regarding what drawing information from multiple sources means runs counter to Congress’s statutory intent,118 because virtually every app has some sort of integration (e.g., for analytics) through which it draws information other than from the consumer.119 One commenter asserted the change would broaden the scope of the Rule to the point that it would sweep in online services that should not be thought of as a personal health record (such as email apps),120 or otherwise create confusing standards for app developers or reduce innovation.121 In addition, commenters expressed concern this change would sweep in apps or online services that have the technical capacity to draw from multiple sources during the development or testing phase of the product, or would sweep in products with unused, unavailable, or unpublicized APIs or integrations that count as a source.122 One commenter expressed concern about lack of clarity, such as in scenarios where a user is required to pay for an upgrade to access a feature or integration that draws information from another source.123 Some commenters also expressed concern that apps and online services that are subject to HIPAA (i.e., HIPAA-covered entities or business associates) should be carved out of the definition of a personal health record.124 Other commenters expressed broader concern with the definition of “personal health record,” urging the Commission to, for example, abandon the purportedly outdated term in favor of a more modern one.125 For instance, some commenters urged that the Commission abandon or tweak the requirement that the personal health record be “managed, shared, and controlled by or primarily for the individual.”126 Another commenter expressed concern the proposed change could sweep in services that draw any information from multiple sources, regardless of whether that information is identifiable health information.127

111 Ella Balasa at 1; TMA at 4 (arguing that “PHRs include applications with the technical capacity to draw information from multiple sources, regardless of the patient’s preference to activate the technical capability.”); Consumer Rep.’s at 6; AAFP at 3; AHIMA at 4–5; AMA at 4; CHIME at 4; CDT at 13; AOA at 3.

112 AHIMA at 4–5.

113 AAFP at 3.

114 Consumer Reports at 5–6.

115 AHIP at 2–3; CDT at 13 (arguing that changes remove “incentives for companies to technically design products and services to not trigger the HBNR to avoid any need to provide consumer notice.”).

116 AHIOS at 4; CARIN Alliance at 4.

117 NAI at 6 (urging that the Commission make clear that a personal health record is one that “not only has the technical capacity to draw PHR identifiable health information from multiple sources, but that it also has the functionality and actually does incorporate data from multiple sources.”); ANA at 7; ACLA at 1–2.

118 NAI at 6.

119 Chamber at 4–5; Priv. for Am. at 5–6; NAI at 6.

120 CCIA at 6.

121 CTA at 11; AdvaMed at 5; CHI at 5.

122 CHI at 5 (asking the Commission to clarify that an “app having the ability to draw from multiple sources with some changes to the app’s coding/APIs is not within this definition’s threshold.”); ACLA at 1 (arguing “[i]f a feature is unused by individuals ‘because it remains a Beta feature,’ then in fact it does not have the ‘technical capacity’ to draw an individual’s information from other sources, unless and until its functionality has been enabled by the vendor. The mere possibility that an application vendor might sometime in the future enable that functionality should not bring the electronic record within the scope of the definition of ‘personal health record.’”) (emphasis in original); CTA at 11 (arguing Rule should instead have bright-line test that assesses whether the app actually draws health information from multiple sources); AdvaMed at 5 (arguing the Commission should decline to adopt multiple sources changes because it could cause confusion and potentially sweep in apps or services with features that have not been made available to consumers, such as APIs connected to the PHR that have not been publicized).

123 WPF at 9.

124 Omada at 5; Datavant at 3.

125 HIMSS at 3 (urging the Commission to work with Congress to craft a definition more consonant with technological realities).

126 AHIOS at 4; MRO at 4.

127 NAI at 6.

3. The Commission Adopts the Proposed Changes Clarifying What It Means for a Personal Health Record To Draw Information From Multiple Sources

After considering the comments received, the Commission adopts the proposed amendment without change. This amendment will help clarify the types of entities covered by the Rule. The definition does not create undue breadth or deviate from Congressional intent; rather, the changes are consistent with the language of the Recovery Act, and only serve to give meaning to the phrase “can be drawn” in the Recovery Act in a way that is consistent with the current state of technology. They are also necessary to keep pace with technological change, which has enabled firms to offer consumers mobile electronic records of their health information that contain numerous integrations. To illustrate the intended meaning of the proposed revisions to the term “personal health record,” the Commission reiterates examples from the 2023 NPRM of two non-HIPAA covered diet and fitness apps available for consumer download in an app store. Under the amended Rule, each is a personal health record.

• Example 1: Diet and fitness app Y allows users to sync their app with third-party wearable fitness trackers. Diet and fitness app Y has the technical capacity to draw identifiable health information both from the user (e.g., name, weight, height, age) and the fitness tracker (e.g., user’s name, miles run, heart rate), even if some users elect not to connect the fitness tracker.

• Example 2: Diet and fitness app Y has the ability to pull information from the user’s phone calendar via the calendar API to suggest personalized healthy eating options.
Diet and fitness app Y has the technical capacity to draw identifiable health information from the user (e.g., name, weight, height, age) and non-health information (e.g., calendar entry info, location, and time zone) from the user’s calendar.

As these examples make clear, and in response to one commenter’s concern that the changes would sweep in services that do not draw any health information,128 the Commission notes the Rule still requires drawing PHR identifiable health information from at least one source to count as a personal health record.

The Commission declines to make other requested changes to the definition of personal health record. First, the Commission declines to include an express exemption for HIPAA-covered entities within the definition of personal health record because § 318.1 of the Rule already specifically exempts businesses or organizations covered by HIPAA.129 Second, the Commission declines to exempt apps and services where there are available but unused or unpublicized APIs or integrations. Similarly, the Commission declines to exempt apps and services from the definition just because they are drawing information from multiple sources while undergoing product or beta testing and are not yet in their final form.130 The Commission notes a product feature or integration that exists and that is able to draw PHR identifiable health information counts as a source under the Rule. Exempting such instances would be contrary to the purpose of the Rule and would impermissibly limit notification of breaches just because a product feature is not widely disseminated, used, or in its final form. The Commission notes under the Rule, a covered entity that experienced a breach of security of unsecured PHR identifiable health information triggering the Rule would not be exempt because the breach occurred in the context of such scenarios. Further, and importantly, the Rule is triggered only by breaches of unsecured PHR identifiable health information and does not apply to information that is protected or “secured” through the use of a technology or methodology specified by the Secretary of Health and Human Services in the guidance issued under section 13402(h)(2) of the American Reinvestment and Recovery Act of 2009, 42 U.S.C. 17932(h)(2).131 The Rule, therefore, creates appropriate incentives for product testing with de-identified data or with information secured through certain specifications, such as specified encryption methods. Third, the Commission declines, as one commenter requested,132 to expressly exempt scenarios where a change is required to an app’s coding to draw information from another source. The Commission notes, however, it does not intend to cover instances where an app can draw from multiple sources only through changes to the design or underlying software code and where the app developer does not implement those changes.

128 NAI at 6.

129 See, e.g., 16 CFR 318.1(a) (Rule “does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.”); see also 16 CFR 318.2 (exempting business associates and HIPAA-covered entities from the Rule’s definitions of “PHR related entity” and “vendor of personal health records.”).

130 ACLA at 1–2; CTA at 11; AdvaMed at 5.

131 Per HHS guidance, electronic health information is “secured” if it has been encrypted according to certain specifications set forth by HHS, or if the media on which electronic health information has been stored or recorded is destroyed according to HHS specifications. See 74 FR 19006; see also U.S. Dep’t of Health & Human Servs., Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html. PHR identifiable health information would be considered “secured” if such information is disclosed by, for example, a vendor of personal health records, to a PHR related entity or a third party service provider, in an encrypted format meeting HHS specifications, and the PHR related entity or third party service provider stores the data in an encrypted format that meets HHS specifications and also stores the encryption and/or decryption tools on a device or at a location separate from the data.

132 CHI at 5 (asking the Commission to clarify that an “app having the ability to draw from multiple sources with some changes to the app’s coding/APIs is not within this definition’s threshold.”).

In addition, the Commission declines to remove from the definition of personal health record the requirement that it be “managed, shared, and controlled by or primarily for the individual.” This language mirrors the Recovery Act’s statutory definition of personal health record.133 Further, this language provides a boundary to the definition. Even if a website or app has the technical capacity to draw information from multiple sources (for example, because it has integrations for advertising or analytics), it must still be “managed, shared, and controlled by or primarily for the individual” to be covered by the Rule. Generally, a personal health record is an electronic record of an individual’s health information by which the individual maintains access to the information and may have, for example, the ability to manage, track, control, or participate in his or her own health care. If these elements are not present, the website or app may not be “managed, shared, and controlled by or primarily for the individual,” and would not, therefore, constitute a personal health record.

133 42 U.S.C. 17921(11).

C. Clarification Regarding Types of Breaches Subject to the Rule

1. The Commission’s Proposals

a. The Commission’s Proposal Regarding “Breach of Security”

The Commission proposed a definitional change to clarify that a breach of security under the Rule encompasses unauthorized acquisitions that occur as a result of a data breach or an unauthorized disclosure. The Commission’s proposal underscores that a breach of security is not limited to data exfiltration, and includes unauthorized disclosures (such as, but not limited to, a company’s unauthorized sharing or selling of consumers’ information to third parties that is inconsistent with the company’s representations to consumers). The Rule previously defined “breach of security” as the acquisition of unsecured PHR identifiable health information of an individual in a personal health record without the authorization of the individual, which language mirrored the definition of “breach of security” in section 13407(f)(1) of the Recovery Act. Accordingly, consistent with the Recovery Act definition, the Policy Statement, FTC enforcement actions under the Rule, and public comments received, the Commission proposed amending the definition of “breach of security” in § 318.2 by adding the following sentence to the end of the existing definition: “[a] breach of security includes an unauthorized acquisition of unsecured PHR identifiable health information in a personal health record that occurs as a result of a data breach or an unauthorized disclosure.” The change was intended to make clear to the marketplace that a breach includes an unauthorized acquisition of identifiable health information that occurs as a result of a data breach or an unauthorized disclosure, such as a voluntary disclosure made by the PHR vendor or PHR related entity where such disclosure was not authorized by the consumer. The NPRM, like the 2009 Rule, continued to include a rebuttable presumption for unauthorized access to an individual’s data; it stated when there is unauthorized access to data, unauthorized acquisition will be presumed unless the entity that experienced the breach “has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.”

b. The Commission’s Related Proposal To Not Define the Term “Authorization” in the Rule

In the 2023 NPRM, the Commission stated it had considered defining the term “authorization,” which appears in § 318.2’s definition of “breach of security,” but did not propose any such change in the NPRM. The Commission considered defining “authorization” to mean the affirmative express consent of the individual and then defining “affirmative express consent” consistent with State laws that define consent, such as the California Consumer Privacy Rights Act, Cal. Civ. Code 1798.140(h).134 Such changes would have ensured notification is required anytime there is acquisition of unsecured PHR identifiable health information without the individual’s affirmative express consent for that acquisition—such as when an app discloses unsecured PHR identifiable health information to another company, having obtained nominal “consent” from the individual by using a small, greyed-out, pre-selected checkbox following a page of dense legalese. The Commission did not, however, propose to define “authorization” because (1) the 2009 Rule Commentary already provided guidance on the types of disclosures the Commission considers to be “unauthorized”;135 (2) recent Commission orders, such as the Commission’s enforcement actions against GoodRx and Easy Healthcare,136 also make clear that the use of “dark patterns,” which have the effect of manipulating or deceiving consumers, including through use of user interfaces designed with the substantial effect of subverting or impairing user autonomy and decision-making, do not satisfy the standard of “meaningful choice”; and (3) Commission settlements establish important guidelines involving authorization (the Commission’s recent settlement with GoodRx, alleging violations of the Rule, highlights that disclosures of PHR identifiable health information inconsistent with a company’s privacy promises constitute an unauthorized disclosure).

134 As noted in the 2023 NPRM, the Commission considered defining “affirmative express consent” as any freely given, specific, informed, and unambiguous indication of an individual’s wishes demonstrating agreement by the individual, such as by a clear affirmative action, following a clear and conspicuous disclosure to the individual, apart from any “privacy policy,” “terms of service,” “terms of use,” or other similar document, of all information material to the provision of consent. Acceptance of a general or broad terms of use or similar document that contains descriptions of agreement by the individual along with other, unrelated information, does not constitute affirmative express consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute affirmative consent. Likewise, agreement obtained through use of a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, does not constitute affirmative express consent. See 88 FR 37830 n.78.
The Commission sought public comment about: • Whether the commentary above and FTC enforcement actions under the Rule provide sufficient guidance to put companies on notice about their obligations for obtaining consumer authorization for disclosures, or whether defining the term ‘‘authorization’’ would better inform companies of their compliance obligations. • To the extent that including such definitions would be appropriate, the definitions of ‘‘authorization’’ and ‘‘affirmative express consent,’’ as described above, and the extent to which such definitions are consistent with the language and purpose of the Recovery Act. • What constitutes an acceptable method of authorization, particularly 135 See, e.g., 74 FR 42967. States v. GoodRx Holdings, Inc., No. 23–cv–460 (N.D. Cal. 2023), https://www.ftc.gov/ legal-library/browse/cases-proceedings/2023090goodrx-holdings-inc; United States v. Easy Healthcare Corp., No. 1:23–cv–3107 (N.D. Ill. 2023), https://www.ftc.gov/legal-library/browse/casesproceedings/202-3186-easy-healthcare-corporationus-v. 136 United VerDate Sep<11>2014 20:09 May 29, 2024 Jkt 262001 when unauthorized sharing is occurring.137 • Whether there are certain types of sharing for which authorization by consumers is implied because such sharing is expected and/or necessary to provide a service to consumers. 2. Public Comments a. 
Public Comments Regarding ‘‘Breach of Security’’ Many commenters supported the Commission’s proposed amendment to the definition of ‘‘breach of security.’’ 138 One commenter noted the change is consistent with the broad definition of ‘‘breach of security’’ in the Recovery Act, which refers explicitly to the acquisition of PHR identifiable health information without the authorization of an individual (rather than the authorization of an entity holding the data, as is the case where a breach involves data theft or exfiltration).139 Commenters also noted the amendment would ensure notice, accountability, and regulatory oversight, regardless of the underlying cause of the unauthorized acquisition.140 Commenters noted that breaches encompass more than just cybersecurity intrusions.141 Commenters also argued that a company’s voluntary unauthorized disclosure can be just as damaging as data theft.142 For instance, a commenter noted that unauthorized disclosures of health information may cause embarrassment, perpetuate stigma about patients’ conditions, deter patients from seeking care, interfere in the patient-physician relationship, or impact patients’ employment.143 Moreover, voluntary, unauthorized disclosures increase the risk of additional unauthorized acquisition and 137 For example, the Commission sought comment about when a vendor of personal health records or a PHR-related entity is sharing information covered by the Rule, is it acceptable for that entity to obtain the individual’s authorization to share that information when an individual clicks ‘‘agree’’ or ‘‘accept’’ in connection with a prechecked box disclosing such sharing? Is it sufficient if an individual agrees to terms and conditions disclosing such sharing but that individual is not required to review the terms and conditions? 
Or is it sufficient if an individual uses a health app that discloses in its privacy policy that such sharing occurs, but the app knows via technical means that the individual never interacts with the privacy policy? See 88 FR 37832. 138 See, e.g., TMA at 3; U.S. PIRG at 2–3; AAFP at 3; AHIMA at 3; AMA at 3–4; AMIA at 3; AOA at 2–3; AHIOS at 3; CDT at 11–12; CHIME at 4; EPIC at 5–6. 139 Consumer Rep.’s at 4. 140 CDT at 11–12; U.S. PIRG at 2–3. 141 AMA at 4; CDT at 11–12; EPIC at 5. 142 AAFP at 3; CDT at 11–12. 143 AOA at 2. PO 00000 Frm 00013 Fmt 4701 Sfmt 4700 47039 sharing of this information among bad actors.144 Some commenters supported expanding or changing the definition further. Specifically, some commenters urged the Commission to amend the definition to encompass (1) exceeding authorized access or use of PHR identifiable health information, such as where a company collects data for one purpose, but later uses or discloses that data for a second, undisclosed purpose; 145 or (2) the collection or retention of PHR identifiable health information beyond what is necessary to provide the associated service to an individual consumer.146 One commenter asked the Commission to clarify that the Rule would be triggered by unauthorized use of or access to information derived from PHR identifiable health information, and to define the phrase acquisition.147 Some commenters, however, urged the Commission to not amend the definition at all. 
These commenters expressed concern the amendment would cause the Rule to exceed what Congress intended in the Recovery Act and transform the Rule into an opt-in notice and consent privacy regime.148 Commenters argued further the proposed changes would cause consumer notice fatigue,149 consumer panic,150 or over-reporting by companies.151 One commenter urged the Commission to limit the definition of "acquisition" to actual acquisition, and exclude instances of access or disclosure where the information was not actually acquired by a third party.152 Commenters argued the proposed definition would be burdensome and force companies to limit certain beneficial disclosures to certain third parties, such as disclosures to support internal operations, detect security vulnerabilities or fraud, for law enforcement, and other purposes.153 Some commenters also urged that the Commission adopt carve-outs so that certain conduct would not be deemed breaches of security under the Rule. Commenters requested exemptions consistent with or found in HIPAA or under State breach notification laws, such as exemptions for disclosures to certain types of entities or for certain purposes, or where there is inadvertent or unintentional access, use, or disclosure.154 Commenters also proposed safe harbors for companies that implement recognized security or privacy safeguards;155 and one commenter proposed safe harbors that would apply where data is shared with "affiliated businesses," where there is inadvertent but "good-faith" access by a company employee, where a company makes good faith efforts to inform consumers of disclosures to third parties, and where companies take steps to contractually limit downstream uses of the data.156 Other commenters expressed support for exempting disclosures of PHR identifiable health information to public health authorities for public health purposes, noting the amended definition could discourage such disclosures.157

b. Public Comments Regarding Defining "Authorization"

Commenters were divided as to whether the Commission should define "authorization." Some commenters supported defining "authorization" to provide greater guidance to companies, to promote transparency, and to discourage buried or inconspicuous disclosures relating to health information, or approaches to consent that are not meaningful because they are confusing or coercive.158 To further regulatory consistency, some commenters supported adding a definition of "authorization" that is consistent with how that term is defined in other health-related laws, such as under HIPAA159 or State health privacy laws that define consent or authorization (such as the California Consumer Privacy Rights Act160 or the Washington My Health, My Data Act).161 By contrast, some commenters opposed defining the term—or opposed a requirement under the Rule that entities be required to get authorization before disclosing PHR identifiable health information.162 Commenters argued that Congress had not granted the Commission the authority to define "authorization" in the Recovery Act,163 or that doing so would import a substantive consent requirement that is outside the scope of the Rule, converting a breach notice Rule into an opt-in privacy regime.164 Other commenters noted that requiring a specifically defined authorization would create an inflexible standard that would not evolve with changes in technology.165 Other commenters opposed a requirement that consumers should be required to review terms before agreeing to use a service, contending that this would not increase consumer understanding of terms.166 Some commenters endorsed other approaches that would exempt from any requirement of affirmative express consent certain types of disclosures of PHR identifiable health information, such as to service providers, data processors, and entities that assist with combatting fraud and promoting safety.167 Some commenters urged a disclosure be deemed authorized if the disclosure is consistent with a company's privacy notices or policies or where applicable State privacy laws require affirmative consent or provide for the right to opt-out, without the need to define affirmative express consent under the Rule.168 One commenter argued that authorization should be met when a consumer agrees to opt-in to certain data sharing, such as by clicking a box proximate to a disclosure of material terms.169

3. The Commission Adopts the Proposed Changes to the Definition of "Breach of Security"

After carefully considering the public comments, the Commission adopts the proposed amendment without change.

144 AHIMA at 3.
145 FPF at 12–15.
146 EPIC at 5–7; U.S. PIRG at 2–3.
147 Mozilla at 6–7.
148 Chamber at 6; Priv. for Am. at 2–5; ANA at 6–7.
149 SIIA at 3; CTA at 13–14.
150 CCIA at 4–5, 7 (arguing that requiring notification for unauthorized disclosures could cause consumers to worry in the absence of harm, such as where it is "typical" to disclose such information).
151 CTA at 13–14.
152 Id. at 14–16.
153 TechNet at 3; Chamber at 7; CCIA at 5–6.
154 CHI at 4 (stating the FTC "should explicitly except the same situations from disclosure that are excepted from HIPAA disclosures, and/or try to align exceptions with those found in State privacy statutes."); CTA at 16; HIA at 2; TechNet at 3 (arguing the Rule should adopt exemptions that encompass "actions taken to prevent and detect security incidents, to comply with a civil, criminal, or regulatory inquiry or investigation, to cooperate with law enforcement agencies concerning conduct or activity that the data controller reasonably and in good faith believes may be illegal, to perform internal operations consistent with a consumer's expectations, and to provide a product or service that a consumer requested."); CCIA at 5–6 (arguing the Rule should exempt disclosures relating to a host of purposes, including: preventing and detecting security incidents and fraud, complying with legal process, cooperating with law enforcement, performing internal operations consistent with consumer expectations, providing a service requested by the consumer, protecting "the vital interests of the consumer," or processing data relating to public health); Chamber at 7 (arguing if the Commission does amend the definition of breach of security, it "should provide exceptions for legitimate and societally beneficial uses of data that other privacy laws have for failure to honor opt-in including but not limited to network security, prevention and detection of fraud, protection of health, network maintenance, and service/product improvement."); LAB at 2.
155 DirectTrust at 1–2.
156 ATA Action at 2.
157 Network for Pub. Health L. and Texas A&M Univ. at 1–2.
158 AHIP at 4; Light Collective at 4; MRO at 2–3; Mozilla at 4; CARIN Alliance at 10; Consumer Rep.'s at 9; see also PharmedOut at 3 (arguing that defining "authorization" is crucial but urging the Commission go further and place substantive restrictions on what companies can do with consumer health data).
159 AdvaMed at 7 (arguing that any definition of "authorization" or "affirmative express consent" should take into account the necessity for medical technologies and medical technology companies to be able to operate and communicate under standards consistent with those governing HIPAA covered entities and others in the health care ecosystem. These standards permit certain uses and disclosures of individually identifiable health information without express consent where necessary for the provision of timely and effective health care); MRO at 3; AHIMA at 7–8.
160 AHIOS at 3.
161 Consumer Rep.'s at 9.
162 HIA at 2 (arguing that "[r]outine disclosures of data should be allowed in certain contexts without additional need for authorizations"); CTA at 16–17; AdvaMed at 7–8; ACLA at 6; Confidentiality Coal. at 4–5.
163 Confidentiality Coal. at 4–5.
164 CTA at 16–17 (arguing that the Rule does not allow the Commission to impose "substantive consent requirements" that would be burdensome and "likely not administrable for many companies.").
165 SIIA at 4.
166 CHI at 7.
The final rule definition is consistent with the statutory definition in the Recovery Act, the Policy Statement,170 and recent Commission enforcement actions under the Rule. The Commission notes the statutory definition in the Recovery Act is sufficiently broad to cover both cybersecurity intrusions as well as a company's intentional but unauthorized disclosures of consumers' PHR identifiable health information to third party companies. In addition, the Commission finds persuasive the comment noting the Recovery Act's definition of "breach of security" refers to the acquisition of PHR identifiable health information without the authorization of an individual, rather than the authorization of the entity holding the data.171 The definition is also consistent with public comments received by the Commission in 2020 (when the Commission announced its regular, ten-year review of the Rule and requested public comments about potential Rule changes172), which urged the Commission to clarify what constitutes an unauthorized acquisition under the Rule.173 Importantly, the amendment to the definition of "breach of security" in § 318.2 does not depart from the 2009 Rule Commentary or the Commission's enforcement policy under the Rule. Instead, it further underscores the 2009 Rule Commentary and subsequent Commission enforcement actions that unauthorized disclosures (i.e., sharing inconsistent with consumer expectations) can be a "breach of security" that triggers the Rule.174

The Commission declines to adopt any specific exemptions or safe harbors to the definition of breach of security. Unlike the section of the Recovery Act that governs breach notifications under HIPAA,175 Congress did not provide for any specific, enumerated exemptions for breaches under the Commission's Rule. Moreover, the Commission's Rule provides for a rebuttable presumption for certain types of access: when there is unauthorized access to data, unauthorized acquisition will be presumed unless the entity that experienced the breach "has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information." That is, companies can rebut the presumption of acquisition in instances of unauthorized access by providing reliable evidence disproving acquisition. The Commission has previously offered guidance on what counts as unauthorized access and reiterates that guidance here.176

4. The Commission Affirms Its Proposal Not To Define "Authorization"

After carefully considering the public comments, the Commission declines to define "authorization," as that term appears in § 318.2's definition of "breach of security." The Commission finds persuasive the public comments suggesting that imposing an affirmative express consent requirement would not be appropriate or warranted in all cases. The Commission believes whether a disclosure is authorized under the Rule is a fact-specific inquiry that will depend on the context of the interactions between the consumer and the company; the nature, recipients, and purposes of those disclosures; the company's representations to consumers; and other applicable laws. The Commission reiterates the 2009 Rule Commentary, which states a use of data is "authorized" only where it is consistent with a company's disclosures and consumers' reasonable expectations and where there is meaningful choice in consenting to sharing—buried disclosures do not suffice.177 The Commission's recent enforcement actions alleging violations of the Rule against GoodRx and Easy Healthcare further highlight that disclosures of PHR identifiable health information inconsistent with a company's privacy promises constitute an unauthorized disclosure. These recent Commission orders also make clear that the use of "dark patterns," which have the effect of manipulating or deceiving consumers, including through use of user interfaces designed with the substantial effect of subverting or impairing user autonomy and decisionmaking, undercuts an entity's assertion that consumers exercised "meaningful choice."

In response to public comments seeking more guidance on what constitutes an unauthorized disclosure under the Rule,178 the Commission offers the following, non-exhaustive examples relating to authorization:

• Example 1—Unauthorized Disclosure (Affirmative Misrepresentation): A medication app offers a personal health record (not covered by HIPAA) which allows users to track information about their prescription medication history, such as prescription names, dosages, pharmacy and refill information, and the user's health conditions. The app voluntarily discloses PHR identifiable health information to third party companies for advertising and advertising-related analytics, in violation of the app's privacy representations to its users. The third parties that receive the PHR identifiable health information are able to use the information for their own business purposes, such as to improve the third party's own products and services, to infer information about consumers, or to compile profiles about consumers to use for targeted advertising. These disclosures are not authorized under the Rule because they are inconsistent with consumer expectations—the disclosures violate the app's privacy representations, and consumers would also not expect their PHR identifiable health information (which they input into the app to track their medications and health conditions) would be disclosed to, and used by, third party companies that use the data for their own economic benefit.

• By contrast, disclosures of PHR identifiable health information by the app in Example 1 would be authorized if made to service providers in the following circumstances: (1) the service providers assist with functions that are necessary to the operation and functioning of the medication app, or with services the consumer requested; (2) the service providers are contractually prohibited from using, sharing, or disclosing the PHR identifiable health information for any purpose beyond providing services to the medication app; and (3) the medication app's privacy notice clearly and conspicuously discloses the specific purposes for which it shares users' PHR identifiable health information with these service providers. Such authorized disclosures could include those to cloud storage providers that host user data in the health record in a secure fashion; payment processors who process user payments to the app; vendors that facilitate refill reminders or other communications from the app developer that directly relate to the provision of the personal health record or services the consumer requested; analytics providers that assist with tracking analytics relating to the app's functionality;179 or companies that help to detect, prevent, or mitigate fraud or security vulnerabilities. Such disclosures are authorized because they are consistent with consumer expectations. Importantly, this sharing is disclosed to consumers in a clear and conspicuous manner, and is essential, and limited to, sharing the PHR identifiable health information with service providers solely to provide users with a safe and reliable personal health record experience.

• Example 2—Unauthorized Disclosure (Deceptive Omission): The medication app from Example 1 shares PHR identifiable health information with a third party for purposes of targeting consumers with ads. The app does not disclose the sharing and also fails to obtain affirmative express consent from users whose information it shares. The third party company can use the PHR identifiable health information to market and advertise—on behalf of the medication app, on behalf of other companies, or on behalf of itself. It can also use the information to improve its own products and services. Such disclosures are not authorized because they are not consistent with consumer expectations (i.e., without disclosure and without affirmative express consent, consumers would not expect that their PHR identifiable health information would be shared, sold, or otherwise exploited for a purpose other than providing the user with a personal health record, and are neither essential nor limited to sharing the PHR identifiable health information solely to provide users with a safe and reliable personal health record experience). This conclusion is also consistent with Commission enforcement actions relating to the sharing of health information (e.g., GoodRx and Easy Healthcare), and those relating to the sharing of other types of sensitive information.180

• Example 3—Authorized Disclosure (Public Health Reporting): A COVID-19 contact tracing app not covered by HIPAA allows users to self-report their COVID-19 diagnosis, and to notify the user's contacts of their diagnosis, or others with whom the individual may have come into physical contact. PHR identifiable health information about the individual's COVID-19 diagnosis is transmitted to public health authorities for public health-related purposes, such as public health reporting and analysis or to track areas where the virus is spreading the most rapidly. The contact tracing app discloses to users clearly and conspicuously the specific purposes for which it shares their PHR identifiable health information with public health authorities. These disclosures are authorized, and consistent with consumer expectations, because they are consistent with the company's relationship with the consumer (a PHR that allows a user to report their COVID-19 diagnosis in order to notify others) and are also appropriately disclosed.

Examples 1 and 3 provide guidance about scenarios in which limited disclosures of PHR identifiable health information are permitted without opt-in consent because it is necessary to provide a personal health record to a consumer, is consistent with consumer expectations, the sharing is disclosed to consumers, and (in the case of Example 1) the sharing is subject to protections like service provider agreements that limit the use of the data only for the purpose of providing that service to the consumer. Examples 1 and 3 are also consistent with HIPAA and State health privacy laws.181 For instance, HIPAA permits disclosures for treatment, payment, and operations without patient authorization.

167 FPF at 10 (arguing that "an organization may share information with a service provider operating on their behalf to provide storage; may share information to protect the safety or vital interests of an individual or react to a public health emergency; or to protect themselves against security incidents and fraud. In each of these situations, data protection laws typically invoke a variety of nonconsent measures, including data minimization, transparency, notice to the end-user or the regulator, and opportunities to object."); Chamber at 7.
168 Confidentiality Coal. at 4–5; SIIA at 4; CHI at 7.
169 CTA at 17.
170 The Commission's Policy Statement makes clear that "[i]ncidents of unauthorized access, including sharing of covered information without an individual's authorization, triggers notification obligations under the Rule," and that a breach "is not limited to cybersecurity intrusions or nefarious behavior." Policy Statement at 2.
171 Consumer Rep.'s at 5 (noting "the Recovery Act frames breaches of security in relation to individuals, rather than to vendors of personal health records or PHR related entities," and defines breach of security as "acquisition of such information without the authorization of the individual.").
172 85 FR 31085 (May 22, 2020).
173 See Public Comments in response to May 2020 Request for Public Comments in connection with regular, ten-year review of Rule: AMA at 5–6 ("The FTC should define 'unauthorized access' as presumed when entities fail to disclose to individuals how they access, use, process, and disclose their data and for how long data are retained. Specifically, an entity should disclose to individuals exactly what data elements it is collecting and the purpose for their collection"; "[T]he FTC should define 'unauthorized access' as presumed when an entity fails to disclose to an individual the specific secondary recipients of the individual's data."); AMIA at 2 (recommending the FTC "[e]xpand on the concept of 'unauthorized access' under the definition of 'Breach of security,' to be presumed when a PHR or PHR related entity fails to adequately disclose to individuals how user data is accessed, processed, used, reused, and disclosed."); OAG–CA at 5–6 (urging the FTC to include "impermissible acquisition, access, use, disclosure" under the definition of breach). These comments can be found at https://www.regulations.gov/docket/FTC-2020-0045.
174 The 2009 Rule Commentary noted other examples illustrating that unauthorized sharing or transferring of information constitutes a breach of security, including that the unauthorized downloading or transfer of information by an employee can constitute a breach of security; that inadvertent access by an unauthorized employee reading or sharing information triggers the Rule's notification obligations; and notes that given the highly personal nature of health information, "the Commission believes that consumers would want to know if such information was read or shared without authorization." See 74 FR 42966–67.
175 42 U.S.C. 17921; see also U.S. Dep't of Health & Human Servs., Breach Notification (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/breach-notification/. Under the Recovery Act's definition of "breach of security" for the Rule governing HIPAA-covered entities and business associates, the statute explicitly provides for three exceptions: (1) unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority; (2) the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates; and (3) if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information. See 45 CFR 164.400 through 164.414. In the first two cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. These exceptions are not found in the provisions of the Recovery Act authorizing the FTC's Health Breach Notification Rule; this makes sense, given there is no analogous Privacy Rule, Security Rule, or required Business Associate agreements outside the HIPAA sphere governing entities covered by the FTC's Health Breach Notification Rule.
176 The Rule continues to provide that, when there is unauthorized access to data, unauthorized acquisition will be presumed unless the entity that experienced the breach "has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information." As noted in the 2009 Rule Commentary, the presumption was intended to address the difficulty of determining whether access to data (i.e., the opportunity to view the data) did or did not lead to acquisition (i.e., the actual viewing or reading of the data). In these situations, the Commission stated that the entity that experienced the breach is in the best position to determine whether unauthorized acquisition has taken place. In describing the rebuttable presumption, the Commission provided several examples. It noted that no breach of security has occurred if an unauthorized employee inadvertently accesses an individual's PHR and logs off without reading, using, or disclosing anything. If the unauthorized employee read the data and/or shared it, however, he or she "acquired" the information, thus triggering the notification obligation in the Rule. Similarly, the Commission provided an example of a lost laptop: If an entity's employee loses a laptop in a public place, the information would be accessible to unauthorized persons, giving rise to a presumption that unauthorized acquisition has occurred. The entity can rebut this presumption by showing, for example, that the laptop was recovered, and that forensic analysis revealed that files were never opened, altered, transferred, or otherwise compromised. See 74 FR 42966.
177 The 2009 Rule Commentary states: "[g]iven the highly personal nature of health information, the Commission believes that consumers would want to know if such information was read or shared without authorization." It further states that data sharing to enhance consumers' experience with a PHR is authorized only "as long as such use is consistent with the entity's disclosures and individuals' reasonable expectations" and that "[b]eyond such uses, the Commission expects that vendors of personal health records and PHR related entities would limit the sharing of consumers' information, unless the consumers exercise meaningful choice in consenting to such sharing. Buried disclosures in lengthy privacy policies do not satisfy the standard of 'meaningful choice.'" 74 FR 42967.
178 TechNet at 4; Tranquil Data at 4.
179 This would include an analytics provider whose services are essential to the proper functioning of the app and not tied to marketing or advertising—this includes analytics tools to assist with crash reporting or to assess usage patterns (such as the frequency of use of certain features).
180 Fed. Trade Comm'n et al. v. Vizio, Inc. et al., No. 17–cv–00758 (D.N.J. 2017), https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3024-vizio-inc-vizio-inscape-services-llc.
The Commission notes "breach of security" could cover more than just an unauthorized disclosure to a third party. For example, depending on the facts and scope of the authorizations, such as in the company's promises and disclosures to consumers, a "breach of security" could include unauthorized uses. There may be a "breach of security" where an entity exceeds authorized access to use PHR identifiable health information, such as where it obtains the data for one legitimate purpose, but later uses that data for a secondary purpose that was not originally authorized by the individual. Finally, the Commission notes unauthorized access or use of derived PHR identifiable health information may also constitute a breach of security. The Commission noted in its 2023 NPRM that PHR identifiable health information includes "health information derived from consumers' interactions with apps and other online services (such as health information generated from tracking technologies employed on websites or mobile applications or from customized records of website or mobile application interactions), as well as emergent health data (such as health information inferred from non-health-related data points, such as location and recent purchases)."182

181 For example, Washington State's My Health, My Data Act permits sharing consumer health data to the "extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business." See Revised Code of Washington (RCW) 19.373.030(1)(b)(ii).

D. Clarification of What Constitutes a "PHR Related Entity"

1. The Commission's Proposal Regarding "PHR Related Entity"

The NPRM proposed to revise the definition of "PHR related entity" in two ways.
Consistent with its clarification that the Rule applies to health apps, the Commission proposed amending the definition of "PHR related entity" to make clear the Rule covers entities that offer products and services through the online services, including mobile applications, of vendors of personal health records. In addition, the Commission proposed revising the definition of "PHR related entity" to provide that entities that access or send unsecured PHR identifiable health information to a personal health record—rather than entities that access or send any information to a personal health record—are PHR related entities. The Commission explained the first change (to cover online services) was necessary as websites are no longer the only means through which consumers access health information online. The Commission explained the second change—narrowing the scope of "PHR related entities" to entities that access or send unsecured PHR identifiable health information—was intended to eliminate potential confusion about the Rule's breadth and promote compliance by narrowing the scope of entities that qualify as PHR related entities.183 The Commission identified remote blood pressure cuffs, connected blood glucose monitors, and fitness trackers as examples of internet-connected devices that could qualify as a PHR related entity when individuals sync them with a personal health record (e.g., a health app).184 The Commission explained, however, that a grocery delivery service that sends information about food purchases to a diet and fitness app would not be a PHR related entity if it does not access unsecured PHR identifiable health information in a personal health record or send unsecured PHR identifiable health information to a personal health record.

The proposed Rule also revised § 318.3(b) by adding language establishing that a third party service provider is not rendered a PHR related entity when it accesses unsecured PHR identifiable health information in the course of providing services. The Commission explained it did not intend for any entity (such as a firm performing attribution and analytics services for a health app) to be considered both a PHR related entity (to the extent it accesses unsecured PHR identifiable health information in a personal health record) and a third party service provider, which could create competing notice obligations and confuse consumers with notice from an unfamiliar company. The Commission explained it considers such firms to be third party service providers that must notify the health app developers for whom they provide services, who in turn would notify affected individuals. The Commission explained that distinguishing between third party service providers and PHR related entities would create incentives for responsible data stewardship and for deidentification because a firm would only become an entity covered by the Rule in relation to unsecured PHR identifiable health information. To the extent that firms must deal with unsecured PHR identifiable health information, PHR vendors would have incentives to select and retain service providers capable of treating data responsibly (e.g., by not engaging in any onward disclosures of data that could result in a reportable breach) and incentives to oversee their service providers to ensure ongoing responsible data stewardship (which would avoid a breach). The Commission observed in most cases, third party service providers are likely to be non-consumer facing. The Commission noted examples of PHR related entities would include, as noted above, makers of fitness trackers and health monitors when consumers sync their devices with a mobile health app. The Commission noted further examples of third party service providers would include entities that provide support or administrative functions to vendors of personal health records and PHR related entities.

182 88 FR 37823.
183 The proposed definition stated that a PHR related entity is an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that (1) offers products or services through the website, including any online service, of a vendor of personal health records; (2) offers products or services through the websites, including any online services, of HIPAA-covered entities that offer individuals personal health records; or (3) accesses unsecured PHR identifiable health information in a personal health record or sends unsecured PHR identifiable health information to a personal health record. Although the Rule is only triggered when there is a breach of security involving unsecured PHR identifiable health information, the Commission explained it believed there is a benefit to revising the third prong of PHR related entity to make clear that only entities that access or send unsecured PHR identifiable health information to a personal health record—rather than entities that access or send any information to a personal health record—are PHR related entities. Otherwise, many entities could be a PHR related entity under the definition's third prong and such entities would then, in the event of a breach, need to analyze whether they experienced a reportable breach under the Rule. If an entity, per the proposed revision, does not qualify as a PHR related entity in the first place, there would be no need to consider whether it experienced a reportable breach. 88 FR 37825 n.54.
184 The Commission explained, for example, the maker of a wearable fitness tracker may be both a vendor of personal health records (to the extent that its tracker interfaces with its own app, which also accepts consumer inputs) and a PHR related entity (to the extent that it sends information to another company's health app). The Commission noted that regardless of whether the maker of the fitness tracker is a vendor of personal health records or a PHR related entity, its notice obligations are the same: it must notify individuals, the FTC, and in some cases, the media, of a breach. 16 CFR 318.3(a), 318.5(b). 88 FR 37825 n.55.

2. Public Comments Regarding "PHR Related Entity"

The Commission received numerous public comments about the changes to the definition of PHR related entity.
Most commenters supported the Commission’s approach.185 One commenter, an industry association for advertisers, noted that the addition of the term ‘‘unsecured’’ in the definition of ‘‘PHR related entity’’ created a limitation on the definition’s scope that counterbalances the breadth of including ‘‘any online service’’ in the definition.186 Moreover, this commenter noted, the addition of ‘‘unsecured’’ creates appropriate incentives for firms to secure PHR identifiable health information and to choose partners who will be good data stewards.187 This commenter noted that limiting the definition to ‘‘unsecured’’ PHR identifiable health information was consistent with the original intent of the Rule, to cover only the most sensitive types of data not covered by HIPAA.188

A few commenters proposed changes to the definition of ‘‘third party service provider’’ to further distinguish the term from ‘‘PHR related entity.’’ One commenter recommended defining ‘‘third party service provider’’ as an entity that only processes data.189 This commenter argued the Commission could then impose liability on service providers for further use, sale, or disclosure for incompatible purposes.190 Another commenter recommended aligning the definition of ‘‘third party service provider’’ with the definition of ‘‘business associate’’ under HIPAA.191

Some commenters raised concerns that the Commission’s approach did not provide sufficient clarity for companies trying to understand their obligations as either a third party service provider or PHR related entity.192 Some commenters requested more examples of types of firms falling within each definition (e.g., examples clearly establishing the status of health data brokers, health marketing firms, search engines, email providers, cloud storage providers)193 to facilitate compliance,194 avoid overlapping notice requirements,195 and prevent a loophole through which firms may attempt to avoid obtaining consumers’ authorization for data disclosures and to avoid providing breach notifications.196 One commenter urged the Commission to exempt from the definition of ‘‘PHR related entity’’ any firm that complies with the privacy and data security requirements of HIPAA.197

In response to the Commission’s request for comment on whether an analytics firm would be a third party service provider, many commenters responded that an analytics firm should fall within that definition198 for the reasons the Commission articulated: it would be confusing to consumers to receive a notice from a back-end service provider rather than the firm with whom the consumer has the relationship, and categorizing analytics firms (and firms that provide other services) as service providers will create incentives for PHR vendors and PHR related entities to choose their service providers with care. A few commenters, however, expressed concern about covering advertising, analytics, and cloud firms—and health information service providers (‘‘HISPs’’) more generally—as they are unable to determine whether the data they receive contains unsecured PHR identifiable health information; only the vendor of the PHR knows what their data transmissions contain.199 One commenter urged the Commission to address the data recipient’s unawareness of the content of the data by creating a safe harbor that exempts advertising, analytics and cloud providers that contractually limit their customers, vendors, or partners from sharing health information with them.200

185 ANI at 1; AAFP at 3; AHIMA at 3; AHIOS at 4; AOA at 3; CARIN Alliance at 3; CDT at 12; CHIME at 3; Confidentiality Coal. at 6; Consumer Rep.’s at 6; CHI at 5; DirectTrust at 4; EFF at 2; EPIC at 7.
186 NAI at 4–5.
187 Id. at 5.
188 Id. at 4.
189 FPF at 10.
190 Id.
191 AdvaMed at 8.
192 SIIA at 3; CARIN Alliance at 4.
193 AHIMA at 3–4; AMIA at 3–4; CHI at 5; Direct Trust at 1; Light Collective at 4–5.
194 SCRS at 1.
195 NAI at 5.
196 MRO at 3.
197 AdvaMed at 5.
198 NAI at 5; TMA at 3; Consumer Rep.’s at 11.
199 CCIA at 7–8; CTA at 9–10; SIIA at 3; Direct Trust at 5.
200 CTA at 13.

3. The Commission Adopts the Proposed Changes to ‘‘PHR Related Entity’’

After considering the comments received, the Commission adopts the proposed changes regarding ‘‘PHR related entity’’ without further change. The Commission affirms that (1) PHR related entities include entities offering products and services not only through the websites of vendors of personal health records, but also through any online service, including mobile applications; (2) PHR related entities encompass only entities that access or send unsecured PHR identifiable health information to a personal health record; and (3) while some third party service providers may access unsecured PHR identifiable health information in the course of providing services, this does not render the third party service provider a PHR related entity.

In response to commenters who expressed concern that certain data recipients will not be able to understand their obligations under the Rule because they are unaware of the content of the data transmissions they receive, the Commission highlights § 318.3(b), which states: ‘‘For purposes of ensuring implementation of this requirement, vendors of personal health records and PHR related entities shall notify third party service providers of their status as vendors of personal health records or PHR related entities subject to this Part.’’ This requirement puts data recipients on notice about the potential content of the data transmissions they receive. Firms may also facilitate compliance by stipulating by contract whether transmissions of data will contain unsecured PHR identifiable health information. Both the sender and recipient of the data can monitor for compliance with those contractual agreements through the use of automated tools, internal auditing, external auditing, or other mechanisms, as appropriate to the size and sophistication of the firms and the sensitivity of the data. For example, a large advertising platform that has routinely received unsecured PHR identifiable health information, notwithstanding partners’ promises not to send this information, may have different obligations to monitor the data it receives than small firms that do not engage in high-risk activities where the contract precludes sending such data and there is no history of such transmissions.
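The monitoring the Commission describes here (sender and recipient each checking transmissions against what the contract permits) can be partly automated. The Python script below is an added example written for this page; it is not code from the FTC, the Rule, or any party to the rulemaking. It assumes a hypothetical contract that allows only four top-level event fields, an illustrative list of key-name fragments that denote health information (the ‘‘paid for therapy’’ flag from the Commission’s Example 2 and the data categories the amended § 318.6(b) lists served as cues), an ICD-10-style value pattern, a hypothetical review threshold, and constructed sample events. The same scan serves both sides: a health app vendor runs it on outbound analytics events before they leave, and a recipient runs it on what arrives and keeps a per-partner tally, which is the ‘‘history of such transmissions’’ the Commission says changes a recipient’s monitoring obligations.

```python
"""Contract-compliance scan of an event sent from a health app (the PHR) to a
third party such as an analytics or advertising provider.

Added example, not FTC text or code. The allowlist, key patterns, sample events
and review threshold are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Hypothetical contract term: events sent to the provider may carry only these
# top-level fields. Anything else is outside what the parties agreed.
ALLOWED_TOP_LEVEL = {"device_id", "app_version", "event_name", "timestamp"}

# Key-name fragments that denote PHR identifiable health information
# (illustrative; extend from your own data inventory). "therap" catches the
# "paid for therapy" flag from the Commission's Example 2.
HEALTH_KEY_RE = re.compile(
    r"diagnos|condition|medicat|lab_?result|treatment|therap|symptom|"
    r"glucose|blood_?pressure|heart_?rate|prescri",
    re.IGNORECASE,
)
# A value shaped like an ICD-10 diagnosis code (letter, two digits, optional
# dotted extension, e.g. F41.1), caught even when it hides under a bland key.
ICD10_RE = re.compile(r"^[A-TV-Z][0-9]{2}(?:\.[0-9A-Z]{1,4})?$")


@dataclass(frozen=True)
class Finding:
    path: str      # dotted path of the offending field
    reason: str    # why the scanner flagged it
    value: object  # the value, kept for the audit record


def _walk(obj, prefix=""):
    """Yield (path, leaf_value) for every leaf of a nested dict/list payload."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _walk(val, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _walk(val, f"{prefix}[{i}]")
    else:
        yield prefix, obj


def scan_transmission(payload, allowed_top_level=ALLOWED_TOP_LEVEL):
    """Check one event against the contract; return a list of Finding.

    Per leaf field: (1) its top-level key is outside the contract allowlist;
    (2) a key on its path denotes health information; (3) failing that, the
    value itself looks like a diagnosis code.
    """
    findings = []
    for path, value in _walk(payload):
        top = re.split(r"[.\[]", path, maxsplit=1)[0]
        if top not in allowed_top_level:
            findings.append(Finding(path, "field not permitted by contract", value))
        if HEALTH_KEY_RE.search(path):
            findings.append(Finding(path, "key denotes health information", value))
        elif isinstance(value, str) and ICD10_RE.match(value):
            findings.append(Finding(path, "value looks like an ICD-10 code", value))
    return findings


class PartnerMonitor:
    """Recipient-side tally of transmissions that violated the contract.
    A partner whose count reaches the (hypothetical) threshold has a history
    that calls for human review of its feed, not just per-event dropping."""

    def __init__(self, review_threshold=3):
        self.review_threshold = review_threshold
        self.violations = {}

    def record(self, partner, findings):
        """Record one scanned transmission; return the partner's running count."""
        if findings:
            self.violations[partner] = self.violations.get(partner, 0) + 1
        return self.violations.get(partner, 0)

    def needs_review(self, partner):
        return self.violations.get(partner, 0) >= self.review_threshold


# Constructed sample events (not real data).
CLEAN_EVENT = {"device_id": "d-7f3a", "app_version": "4.2.0",
               "event_name": "screen_view", "timestamp": "2024-05-30T12:00:00Z"}
LEAKY_EVENT = {"device_id": "d-7f3a", "app_version": "4.2.0",
               "event_name": "purchase", "timestamp": "2024-05-30T12:00:05Z",
               "paid_for_therapy": True,            # the Example 2 field
               "profile": {"diagnosis": "F41.1"},   # nested health data
               "notes": "E11.9"}                    # bland key, code-like value

if __name__ == "__main__":
    monitor = PartnerMonitor(review_threshold=2)
    for name, event in (("clean", CLEAN_EVENT), ("leaky", LEAKY_EVENT), ("leaky", LEAKY_EVENT)):
        findings = scan_transmission(event)
        count = monitor.record("analytics-partner", findings)
        print(f"{name}: {'BLOCK' if findings else 'send'}, partner violations={count}")
        for f in findings:
            print(f"  {f.path}: {f.reason} ({f.value!r})")
    print("partner needs review:", monitor.needs_review("analytics-partner"))
```

On the sender side any finding is a reason to drop the event before it leaves; on the recipient side the same finding is logged, the event is quarantined rather than ingested, and the tally feeds the conversation the Commission expects the recipient to have with a partner that keeps sending what it promised not to send. Key-name matching is deliberately crude: it is the first filter, not a substitute for knowing your own schema.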
The Commission believes this approach—notice to service providers pursuant to § 318.3(b) coupled with contracts and oversight—is more appropriate than creating a safe harbor in the Rule that exempts firms that enter into contracts, as there is evidence from FTC cases that firms do not always abide by contractual obligations to safeguard data.201

The Commission declines to change the definition of ‘‘third party service provider’’ to distinguish it further from a ‘‘PHR related entity,’’ for two reasons. First, the Commission notes the current definitions of ‘‘third party service provider’’ and ‘‘PHR related entity’’ align closely with the language prescribed by section 13407 and section 13424(b)(1)(A) of the Recovery Act. Jettisoning the current language entirely, as some commenters suggested, would not be consistent with the Recovery Act’s requirements. Second, the Commission believes the current language, in conjunction with the examples provided below, will provide sufficient guidance to the market as to which types of firms fit within each definition.

In response to comments that requested examples of the types of firms that fall into the category of ‘‘third party service provider’’ or ‘‘PHR related entity,’’ the Commission provides the following examples. The Commission believes these examples, in conjunction with the language in § 318.3(b), will provide sufficient clarity about the obligations of third party service providers and PHR related entities to promote compliance, avoid overlapping notice, and prevent loopholes.

201 Compl. at ¶ 21, In the Matter of Flo Health, Inc., FTC File No. 1923133 (Jan. 13, 2021), https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc; Compl. at ¶ 14(d), In the Matter of UPromise, Inc., FTC File No. 1023116 (Mar. 27, 2012), https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c4351-upromise-inc; Cf. Compl. at ¶ 40, U.S. v. Easy Healthcare Corporation, No. 1:23–cv–3107 (N.D. Ill. 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v (alleging that the defendant’s disclosures of consumers’ health information violated the policies of platforms to which it had agreed).

• Example 1: Four separate firms provide data security, cloud computing, advertising and analytics services to a health app (a personal health record), as specified by their service provider contracts, for the health app vendor’s benefit. To perform the services specified in their respective contracts, the firms access unsecured PHR identifiable health information. The firms are ‘‘third party service providers’’ of the vendor of the personal health record (the maker of the health app) because they provide services to a vendor of a personal health record (the maker of the health app) in connection with the offering or maintenance of the app, and they access unsecured PHR identifiable health information as a result of these services. In the event of a breach, they should abide by their obligations as third party service providers.

• Example 2: An analytics firm provides analytics services to a health app (a personal health record). The analytics firm and health app vendor do not have a customized service provider contract, although the health app vendor agrees to the analytics firm’s standard terms of service. The analytics firm accesses unsecured PHR identifiable health information (device identifier and whether the consumer has paid for therapy). The analytics firm uses that data both to provide analytics services to the health app and for its own benefit, for research and development and product improvement.
The analytics firm is a third party service provider to the extent that it provides analytics services to the health app for the health app’s benefit, because it is then providing services to a vendor of a PHR in connection with the offering of the PHR and accessing unsecured PHR identifiable health information as a result of such services. However, the analytics firm is a PHR related entity, rather than a third party service provider, to the extent that it offers its services through the health app for its own purposes (i.e., for research and development and product improvement) rather than to provide the services. In the event of a breach, the analytics firm must fulfill its notification obligations under the Rule according to which function it was performing in connection with the breach. If the functions are indistinguishable, then, pursuant to § 318.3(b), the Commission will consider the firm a third party service provider for policy reasons: a firm that functions, at least in part, as a service provider may not be consumer-facing, such that the consumer may be surprised by a breach notification from that entity. As a policy matter, it is better for the consumer to receive notice from the health app with whom the consumer directly interacts.

• Example 3: A health tracking website (a personal health record) integrates a search bar branded with its maker’s logo, which enables its maker (a search engine firm) to offer its services through the website. The search engine firm is a PHR related entity because it offers its services through the website, which is a personal health record. The search bar branded with its maker’s logo is consumer-facing, so the consumer would not be surprised to receive a notice from that company if it experiences a reportable breach. By contrast, if the health tracking website had contracted with the search engine firm to provide back-end search services to the website (rather than offering its own branded product or service through the website), and the search engine firm had accessed unsecured PHR identifiable health information as a result of such services, it would be a third party service provider. In the event of a breach, it should abide by its obligations as a third party service provider.

• Example 4: Digital readings from a fitness tracker offered by Company A can be integrated into a sleep app offered by Company B (in which the consumer may input other health information). Company A is a PHR related entity to the extent that it offers its fitness tracker product through an online service (Company B’s sleep app), and to the extent that it sends unsecured PHR identifiable health information (fitness tracker readings) to a personal health record (the sleep app).

E. Facilitating Greater Opportunity for Electronic Notice

1. The Commission’s Proposal Regarding Electronic Notice

The Commission proposed to authorize expanded use of email and other electronic means of providing clear and effective notice of a breach to consumers. In furtherance of this objective, the Commission proposed to update § 318.5 to specify that vendors of personal health records or PHR related entities that discover a breach of security must provide written notice at the last known contact information of the individual. Such written notice may be sent by electronic mail, if an individual has specified electronic mail as the primary contact method, or by first-class mail. The Commission proposed defining ‘‘electronic mail’’ in § 318.2 to mean email in combination with one or more of the following: text message, within-application messaging, or electronic banner.
The Commission further specified that any notification delivered via electronic mail should be clear and conspicuous, and the proposed Rule defined ‘‘clear and conspicuous.’’ To assist entities that are required to provide notice to individuals under the Rule, the Commission developed a model notice for entities to use to notify individuals.202

2. Public Comments Regarding Electronic Notice

Nearly every comment submitted on this proposed change supported the Commission’s efforts to update the Rule to allow for greater electronic notice.203 One commenter noted electronic notices increase the likelihood that individuals will receive the notice, may reduce the time it takes for individuals to receive notice, and reduce the burden on entities providing notice.204 Many commenters also supported the Commission’s efforts to provide notice via more than one channel through the new definition of ‘‘electronic mail.’’205

However, not all commenters agreed with the Commission’s proposal and some commenters offered other suggestions. Some objected to defining ‘‘electronic mail’’ to mean anything more than ‘‘email,’’ stating that electronic mail is commonly understood to mean email and nothing else.206 A few commenters noted that defining multiple forms of electronic notice could result in entities collecting more information than necessary (and consumers having to provide more information than needed) in order to comply with the Rule.207 Others preferred a single notice, arguing that multiple forms of notice are burdensome and could result in over-notification, confusion, and notice fatigue among consumers.208 One commenter stated the Commission should revise the definition of ‘‘electronic mail’’ to mean ‘‘one or more of the following that is reasonable and appropriate based on the relationship between the individual and the relevant vendor of personal health records or PHR related entity: email, text message, within-application messaging, or electronic banner.’’209 Another commenter encouraged the FTC to clarify that the in-app messaging method must include push notifications in the event of a breach so consumers are made aware of a breach as soon as possible.210 One commenter urged the Commission to specify in § 318.5(i) that a banner notice in the affected app or a website home page notice must be posted for a period of 90 days.211 Another commenter noted that the different mechanisms listed in the proposed rule are not equivalent: some are push notifications that a consumer is likely to see without directly interacting with the application, website, or device, and some require consumer interaction with the application, website, or device in order to see the notification.212 This commenter recommended that the requirement be selection of one push notification but that additional options like in-app notifications and website banners be supported as additional, secondary notice options.213 One commenter stated the FTC may want to consider adding a provision allowing an individual to request a copy of the notice in other accessible formats, such as for hearing- or vision-impaired people, or in a non-English language.214 Another commenter argued the Commission should take into consideration TCPA and CAN–SPAM compliance regarding the delivery of electronic notification. Another commenter stated the Commission’s proposal to require two contact methods imposes a higher requirement than HIPAA and State breach notification laws.215

Many commenters endorsed the Commission’s proposal that any notification delivered via electronic mail should be ‘‘clear and conspicuous,’’ a newly defined term in the Rule.216 One commenter stated that, consistent with the FTC’s desire for entities to provide a clear and conspicuous notice, the Commission should consider requiring an email subject line that starts with ‘‘Breach of Your Health Information’’ so that attention is appropriately drawn to the importance of the message content.217 One commenter disagreed with the new definition, arguing that the definition is unnecessary and confusing, and urged the Commission to insert the ‘‘clear and conspicuous’’ definition directly into § 318.5 of the Rule.218 Regarding the model notice, nearly all who commented on this topic urged the Commission to make the model notice voluntary.219 One commenter suggested that using the model should be a safe harbor that shields entities from enforcement.220

202 This model notice was attached as appendix A to the NPRM. 88 FR 37837.
203 AHIP at 5; AAFP at 3; AHIMA at 5; AHIOS at 3; Anonymous 3 at 1; Anonymous 10 at 1; Beth Barnett; CARIN Alliance at 7; CHI at 5–6; CHIME at 4; Consumer Reports at 8–9; CTA at 21; EPIC at 10; HIMSS at 4; George Mathew at 1; MRO at 3; NAI at 7; Dharini Padmanabhan at 1; Nancy Piwowar at 1. One commenter also stated that while there are clear advantages to allowing increased use of electronic notification of data breaches, this notification method could also increase the likelihood that breaches escape public scrutiny. Identity Theft Res. Ctr. (‘‘ITRC’’) at 2.
204 AdvaMed at 5.
205 AAFP at 3; AHIMA at 5; Anonymous 3 at 1; CARIN Alliance at 7; CHIME at 4; CCIA at 7; EPIC at 10; NAI at 7.
206 ACLA at 5; Mass. Health Data Forum (‘‘MHDF’’) at 9.
207 Consumer Rep.’s at 7–8; CTA at 22. Consumer Reports further suggested the Commission clarify that substitute notice may be effectuated under the Rule via text message, in-app messaging, or electronic banners for consumers that do not wish to share a mailing or email address. Consumer Rep.’s at 8.
208 AdvaMed at 6; ACLA at 5; AHIP at 5; CTA at 21–22.
209 AdvaMed at 6.
210 AHIMA at 5.
211 TechNet at 5.
212 MHDF at 10.
213 Id.
214 AHIP at 5.
215 CHI at 6.
216 AMA at 5; CHIME at 5; EPIC at 9.
217 TMA at 4.
218 NAI at 7.
219 AdvaMed at 6; AHIP at 6; AMA at 6; CCIA at 7; CHI at 6; Consumer Rep.’s at 8–9; NAI at 7–8. One commenter stated that making the model notice mandatory can lead to industry consistency and it may be easier for consumers to understand the message and the contents if they are familiar with a uniform, standardized notice. AHIMA at 5. While the Commission generally agrees that uniform, consistent notices assist with consumer comprehension, the Commission declines to make the model notice compulsory because the facts and circumstances of each breach will vary. Plus, § 318.6 sets forth certain required elements of the content of the notice, so the presence of these elements in all breach notices achieves some degree of consistency across notices.
220 AHIP at 6.

3. The Commission Adopts the Proposed Changes Regarding Electronic Notice

The Commission adopts without change the modifications regarding § 318.5 involving electronic notice and adopts without change the definition of ‘‘electronic mail’’ in § 318.2. The Commission declines to make the other changes commenters requested. First, the Commission believes it is critical, especially given how consumers are accessing information today, to modernize the methods of notice to facilitate greater opportunities for electronic notice. The Commission believes the changes to § 318.5 and the new definition of ‘‘electronic mail’’221 in § 318.2 accomplish this objective.

221 The Commission disagrees with the commenters who urged the Commission to avoid defining ‘‘electronic mail’’ to mean anything more than ‘‘email.’’ ACLA at 5; MHDF at 9. The definition in § 318.2 is clear and unambiguous. Plus, section 13402(e)(1) of the Recovery Act requires that notification be provided via ‘‘written notification by first-class mail’’ or ‘‘electronic mail.’’ Accordingly, the Commission must use ‘‘electronic mail.’’

In response to concerns raised about the two-part electronic notice, the Commission agrees with commenters who stated it increases the likelihood that individuals will encounter such notices.222 The Commission does not agree that it is burdensome for entities to comply with this requirement. For example, an entity that complies with the notice requirement by notifying consumers via email plus posting a website notice likely would not need to expend significant additional time and resources by issuing the second part of the notice (i.e., the website notice), and any ‘‘cost’’ of posting such a notice is outweighed by the benefit to consumers of learning of a breach involving their health information. The Commission also is not persuaded that consumers who, for example, receive an email about a breach coupled with an in-app notice about the same breach will be confused.
The Commission believes consumers will understand that such notices relate to the same incident, especially given the Rule’s requirement that the notices be ‘‘clear and conspicuous.’’ The Commission also does not find it problematic that the Rule requires notice effectuated via ‘‘electronic mail’’ to occur via two methods while other breach notice laws require one method. The Commission also notes while these amendments are intended to facilitate greater electronic notice, the Rule still permits notice via first-class mail. Accordingly, the contention that this Rule requires two methods of electronic notice is incorrect. The Commission also declines, in response to public comments,223 to mandate how notifications are effectuated when sent via ‘‘electronic mail,’’ as the Commission believes it is important to not be overly prescriptive given rapidly changing technologies. 222 AAFP at 3–4 (noting AAFP appreciates ‘‘the proposed structure of providing notice in two different electronic formats to increase the likelihood individuals will see them’’); CHIME at 5 (‘‘CHIME is supportive of the FTC’s approach to revise the ‘‘method of notice section’’ and to structure the breach notification in two parts in order to increase the likelihood that consumers encounter the notice.’’); EPIC at 10 (‘‘By requiring email and an in-app or website notice option, the expanded definition enables entities to have the best chance at notifying consumers regardless of whether they reliably check their email or continue to use the entity’s app or website.’’). The Commission also disagrees with the commenter who recommended that the Commission abandon the two-part notice and create a new definition of ‘‘electronic mail’’ where, for example, only a website notice alone would satisfy the notice requirement if such a notice was ‘‘reasonable and appropriate.’’ AdvaMed at 6. The Commission disagrees with this approach and declines to adopt it. 223 See supra notes 210–213. 
The Commission emphasizes, though, as described below, that the notice must satisfy the Rule’s definition of ‘‘clear and conspicuous.’’ Nor does the Commission believe, as some commenters argued, that the two-part electronic notification will result in additional collections of information by notifying entities. The Commission agrees with commenters who stated entities are generally already collecting the information needed for notice via ‘‘electronic mail’’ and a data minimization issue does not exist.224

In response to the commenter who suggested the FTC consider adding a provision allowing an individual to request a copy of the notice in other accessible formats, such as for hearing- or vision-impaired people, or in non-English languages,225 the Commission previously addressed a similar comment in the 2009 Rule Commentary. There, the Commission noted that section 13402(e)(1) of the Recovery Act requires that notification be provided via ‘‘written notification by first-class mail’’ or ‘‘electronic mail.’’ The Commission emphasized then, as we do today, that the Rule does not preclude notifications in accessible formats. The Commission supports their use in appropriate circumstances, in addition to the forms of notice prescribed by the Rule.226

The Commission also adopts without modification the definition of ‘‘clear and conspicuous.’’ The Commission agrees with the commenter who indicated it is imperative that a breach notice be reasonably understandable and call attention to the significance of the information that is included in the notice.227 The Commission believes its definition of ‘‘clear and conspicuous’’ will assist in achieving this objective.
The Commission declines, however, to mandate specific language for the email subject line to satisfy the Rule’s ‘‘clear and conspicuous’’ requirement, as one commenter had suggested.228 The Commission emphasizes, however, that the clear and conspicuous requirement would require a notifying entity to use an email subject line that draws the reader’s attention to the email notice. The Commission also declines to adopt the suggestion that the definition of ‘‘clear and conspicuous’’ be incorporated directly into § 318.5. The Commission believes the entities seeking information on what ‘‘clear and 224 CARIN Alliance at 6; EPIC at 10. supra note 214. 226 74 FR 42972. 227 AMA at 5. 228 See supra note 217. 225 See VerDate Sep<11>2014 20:09 May 29, 2024 Jkt 262001 conspicuous’’ means will find it clearer to consult the definition in § 318.2. Turning to the model notice,229 as the Commission noted in the NPRM, the model was intended for entities to use, in their discretion, to notify individuals, and the Commission adopts the same position here.230 The model is voluntary and while the Commission believes it represents a best practice, using the model is not required to achieve compliance with the Rule. The Commission declines to adopt the position that use of the model notice provides a safe harbor, although the Commission would take into consideration in an enforcement action an entity who follows the model notice. Further, the Commission notes an entity who follows the model notice can nevertheless violate the Rule in other ways. For example, an entity could follow the model notice but fail to provide timely notice. In such instances, providing a safe harbor because the entity utilized the model notice would be inappropriate. F. Revisions to the Required Content of Notice 1. The Commission’s Proposal Regarding Content of Notice The Commission proposed five changes to the content of the notice. 
First, in § 318.6(a), as part of relaying what happened regarding the breach, the Commission proposed the notice to individuals also include a brief description of the potential harm that may result from the breach, such as medical or other identity theft. Second, the Commission proposed to amend the requirements for the notice under § 318.6(a) to include the full name, website, and contact information (such as a public email address or phone number) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security, if this information is known to the vendor of personal health records or PHR related entity (such as where the breach resulted from disclosures of users' sensitive health information without authorization). Third, the Commission proposed modifications to § 318.6(b), which requires that the notice include a description of the types of unsecured PHR identifiable health information that were involved in the breach. The Commission proposed this exemplar list be expanded to include additional types of PHR identifiable health information, such as health diagnosis or condition, lab results, medications, other treatment information, the individual's use of a health-related mobile application, and device identifier. Fourth, the Commission proposed revising § 318.6(d) of the Rule to require the notice to individuals include additional information providing a brief description of what the entity that experienced the breach is doing to protect affected individuals, such as offering credit monitoring or other services. Fifth, the Commission proposed modifying § 318.6(e) so the contact procedures specified by the notifying entity must include two or more of the following: toll-free telephone number; email address; website; within-application; or postal address.

229 The model notice is found in appendix A.
230 88 FR 37827.

2. Public Comments Regarding Content of Notice

a. Proposal That Notice Include Description of Potential Harm That May Result From a Breach

The Commission's proposal to modify § 318.6(a) to include in the notice to individuals a brief description of the potential harm that may result from a breach drew a wide range of comments. On the one hand, many commenters supported the Commission's proposal.231 For example, one commenter noted this proposal would help individuals better understand the connection between the information breached and the potential harm that could result from the breach of such information.232 Other commenters stated that providing the potential harms from a breach better equips consumers to address injuries and mitigate harms from it.233 One commenter stated including some potential harms would be helpful, but notifying entities should also include language in the notice stating that other harms may occur.234 This same commenter suggested the Commission consider selecting the most common types of breaches and listing some but not all of the potential consequences from each.235 On the other hand, many commenters criticized this proposal.236 Some commenters argued this proposal will result in notifying entities having to speculate about potential harms that may never occur or providing a list of harms that may be incomplete.237 Others pointed out that notifying individuals about potential harms could cause consumer anxiety, consumer confusion, and detract from actions the individuals should take.238 One commenter noted the Commission's proposal might lead consumers to believe the harms listed in the notice are the only possible harms from a breach, when in fact consumers may suffer other harms not disclosed in the notice.239 This same commenter also noted it is opposed to entities stating there are no known harms that may result from a breach solely because a notifying entity is unaware of any specific bad outcomes.240

231 AAFP at 4; AMA at 6; AOA at 5; Anonymous 3; AHIOS at 3; CARIN Alliance at 7–8; CHIME at 3, 6; Consumer Reports at 9–10; EFF at 2; EPIC at 10–11; HIMSS at 3–4; ITRC at 2; Members of the House of Representatives at 1–2; Dharini Padmanabhan at 1.
232 AMA at 6.
233 Consumer Rep.'s at 9–10; EPIC at 10–11.
234 MHDF at 10–11.
235 Id.
236 AdvaMed at 6–7; AHIP at 6; ACLA at 4–5; Confidentiality Coal. at 7; CTA at 23–24; MHDF at 10; NAI at 9.

b. Proposal That Notice Include Full Name, Website and Contact Information of Third Parties That Acquired Unsecured PHR Identifiable Health Information

Next, the Commission proposed to amend the requirements for the notice under § 318.6(a) to include the full name, website, and contact information (such as a public email address or phone number) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security.
Although several commenters supported this proposal,241 many others pointed out it is problematic in certain circumstances.242 A few commenters noted the proposal is ill-suited for security breaches, such as hacking, where providing consumers with the name and contact information of an actor who committed a security breach (e.g., a hacker) could result in further malicious action against the target entity.243 One commenter noted for security breaches, the malicious actor or hacker would not be responsive to consumers.244 Further, one commenter noted this requirement could hamper law enforcement efforts.245 One commenter also indicated this requirement could frustrate investigative efforts or have a chilling effect on an inadvertent recipient from reporting a wrongful disclosure.246

237 AdvaMed at 6–7; AHIP at 6; MHDF at 10; NAI at 9.
238 ACLA at 4–5; AMIA at 5; NAI at 9.
239 MHDF at 10.
240 Id. at 10–11.
241 AAFP at 4; AHIMA at 5–6; AMA at 6; AMIA at 5; AOA at 5; CARIN Alliance at 7; Consumer Rep.'s at 9–10; EFF at 2; EPIC at 10–11; HIMSS at 3–4; ITRC at 2; Members of the House of Representatives at 1–2.
242 ACLA at 4–5; AHIP at 6; CHI at 6; Confidentiality Coalition at 7; CTA at 24.
243 ACLA at 4–5; Confidentiality Coal. at 7.
244 Confidentiality Coal. at 7.
245 CTA at 24.

c. Proposal That Notice Include Description of Types of Unsecured PHR Identifiable Health Information Involved in a Breach

Third, the Commission proposed modifications to § 318.6(b), which requires the notice to individuals include a description of the types of unsecured PHR identifiable health information that were involved in the breach. The Commission proposed this exemplar list be expanded to include additional types of PHR identifiable health information, such as health diagnosis or condition, lab results, medications, other treatment information, the individual's use of a health-related mobile application, and device identifier. Several commenters supported this proposal.247 One commenter noted it is important for consumers to receive notice of the specific types of PHR identifiable health information involved in a breach, given that the exposure of health information can lead to a wide spectrum of harms.248 Another commenter stated providing individuals with a more expansive list of exposed data points will also give them a more complete picture of the risks they face.249

d. Proposal That Notice Include Description of What Entity Is Doing To Protect Affected Individuals

Fourth, the Commission proposed revising § 318.6(d) of the Rule to require that the notice to individuals include additional information providing a brief description of what the entity that experienced the breach is doing to protect affected individuals, such as offering credit monitoring or other services. This proposal attracted support from multiple commenters.250 One commenter stated that informing individuals about these steps is important so that they know what additional actions they should take to protect themselves from potential harm.251 Another similarly stated that knowing what the notifying entity is doing to protect affected individuals can help consumers who are considering making purchase decisions for fraud detection or credit monitoring.252 One commenter stated that requiring notifying entities to share this information will incentivize them to take proactive measures to mitigate harms to consumers.253 Some commenters, however, raised concerns about this proposal.
For instance, one commenter believed the Rule already encompasses this requirement and therefore the Commission's proposal could result in duplicative information being provided in the notice.254 Another commenter stated the FTC needs to go further in ensuring that notification requirements help consumers understand what remedies are available when their health information is breached.255

e. Proposal That Notice Include Two or More Contact Procedures

Fifth, the Commission proposed amendments to § 318.6(e) so the contact procedures specified by the notifying entity in its breach notification must include two or more of the following: toll-free telephone number; email address; website; within-application; or postal address. Many commenters expressed support for this proposal.256 One commenter noted multiple contact options ensures that victims of all backgrounds and technical capabilities are able to contact the notifying entity to learn more about how to protect themselves after a breach.257 Another commenter noted that providing multiple contact options encourages and facilitates communication between the individual and the notifying entity.258 One commenter, however, expressed concern the proposal is burdensome, the HIPAA breach notice rule requires only one method of contact, and HHS has not identified any concerns with individuals having difficulty obtaining information from covered entities using one contact method under HIPAA's breach notice rule.259

246 AHIP at 6.
247 AAFP at 4; AHIMA at 6; AMA at 6; AOA at 5; CARIN Alliance at 7; Consumer Rep.'s at 9–10; Ella Balasa at 2; HIMSS at 3–4; ITRC at 2; NAI at 9.
248 Light Collective at 2.
249 ITRC at 2.
250 AAFP at 4; AMA at 6; AOA at 4; CARIN Alliance at 7–8; HIMSS at 3–4; ITRC at 2.
251 AMA at 6.
252 AHIMA at 5–6.
253 Consumer Rep.'s at 9–10.
254 Confidentiality Coal. at 7.
255 Light Collective at 6–7.
256 AAFP at 4; AHIMA at 6; AHIP at 5; Anonymous 3 at 1; AOA at 5; CARIN Alliance at 8; Consumer Rep.'s at 9–10; EPIC at 9–10; HIMSS at 3–4; ITRC at 2; Dharini Padmanabhan at 1.
257 AHIMA at 6.
258 AMA at 6.
259 AdvaMed at 6–7.

3. The Commission Changes Regarding Content of Notice

a. The Commission Declines To Adopt Proposal That Notice Include Description of Potential Harm That May Result From a Breach

The Commission believes, in light of the public comments, that the downsides of requiring in the notice a description of the potential harms that may result from a breach outweigh the upsides. The Commission is concerned about requiring a consumer notice to include possible harms that may never materialize. In such cases, consumers may experience needless anxiety and take actions that are not necessary, leading to consumer frustration. The Commission also is concerned this proposal may result in entities describing potential harms so generically that the description provides minimal value to consumers, or, alternatively, that entities will provide a laundry list of potential harms, making such a list meaningless to consumers. The Commission also agrees with one commenter who noted this proposal might lead consumers to believe the harms listed in the notice are the only possible harms from a breach, when in fact consumers may suffer other harms not disclosed in the notice.260 Accordingly, the Commission declines to adopt this proposal.261 The Commission believes the remaining elements of the content of the notice will supply individuals with sufficient information about a breach, especially given the other modifications to § 318.6. The Commission also emphasizes in certain cases where harms are concrete and known, notifying entities should as a best practice inform individuals about those harms in the notice.

b. The Commission Modifies Proposal That Notice Include Full Name, Website, and Contact Information of Third Parties That Acquired Unsecured PHR Identifiable Health Information

In light of the public comments, the Commission is modifying § 318.6(a) to require notifying entities to provide the full name or identity (or where providing name or identity would pose a risk to individuals or the entity providing notice, a description) of the third parties that acquired the PHR identifiable health information as a result of a breach of security.262 The Commission believes it is important for consumers to know who acquired their PHR identifiable health information as a result of a breach. At the same time, the Commission acknowledges in some scenarios it could be problematic to require notifying entities to provide the contact information of those who acquired PHR identifiable health information. Accordingly, this revised provision is intended to still provide individuals with information about who acquired their health information. Under § 318.6(a), notifying entities are required to provide the full name or identity of the third parties that acquired the PHR identifiable health information as a result of a breach of security, except where providing the full name or identity of the third parties would pose a risk to affected individuals or the entity providing notice.

260 MHDF at 10.
261 The Commission has updated the model notice in appendix A to reflect this change.
262 The Commission has updated the model notice in appendix A to reflect this change.
In cases where providing the name or identity of the third parties that acquired the PHR identifiable health information as a result of a breach of security would pose a risk to affected individuals or the entity providing notice (e.g., providing the name of a hacker could subject affected individuals or the entity providing notice to further harm), § 318.6(a) permits notifying entities to describe the type of third party (e.g., hacker) who acquired individuals' PHR identifiable health information.

c. The Commission Adopts Proposal That Notice Include Description of Types of Unsecured PHR Identifiable Health Information Involved in a Breach

The Commission agrees with the many public comments supporting this proposal.263 The Commission concurs with the commenter who noted it is important for consumers to receive notice of the specific types of PHR identifiable health information involved in a breach,264 and the commenter who stated that providing affected individuals with a more expansive list of health data points implicated in a breach will help them better understand the risks they face.265 The Commission adopts this proposal without modification.

d. The Commission Adopts Proposal That Notice Include Description of What Entity Is Doing To Protect Affected Individuals

Several commenters supported the Commission proposal that the notice to individuals include a description of what the notifying entity is doing to protect affected individuals.266 The Commission concurs with the commenter who stated that informing affected individuals about the steps notifying entities are taking to protect them is important so that affected individuals know what additional actions they should take to protect themselves from potential harm.267 The Commission similarly agrees with the commenter who stated that knowing what the notifying entity is doing to protect affected individuals can help consumers who are considering making purchase decisions like fraud detection or credit monitoring.268 The Commission also agrees with the commenter who stated that requiring notifying entities to share information about what they are doing to protect affected individuals will incentivize notifying entities to take proactive measures to mitigate harms to consumers.269 In response to the one commenter who noted the 2009 Rule already includes this proposed requirement,270 the Commission notes § 318.6(d) from the 2009 Rule requires notifying entities to include in the notice to individuals what the entity is doing to investigate the breach, to mitigate any losses, and to protect against any further breaches. Accordingly, under the 2009 Rule, there is no explicit requirement for the notifying entity to state in the individual notice what the entity is doing to protect affected individuals. Given this, the Commission does not believe individuals will receive duplicative information. In response to the commenter who argued the Commission needs to help consumers understand post-breach remedies,271 the Commission believes this concern is addressed by the combination of § 318.6(c), which requires notifying entities to include in the notice steps individuals should take to protect themselves from potential harm resulting from the breach, and § 318.6(d), which requires notifying entities to include in the notice the steps the notifying entity is taking to protect affected individuals following the breach. The Commission adopts proposed § 318.6(d) without modification.

e. The Commission Adopts Proposal That Notice Include Two or More Contact Procedures

In response to the comment that providing two or more contact procedures in the notice is burdensome,272 the Commission believes if this proposal results in any burden to notifying entities, such burden will be minimal given the ease with which compliance with this provision can be achieved, and outweighed by the benefits to consumers who will have increased options to communicate with notifying entities.

263 See supra note 247.
264 See supra note 248.
265 See supra note 249.
266 See supra note 250.
267 See supra note 251.
268 See supra note 252.
269 See supra note 253.
270 See supra note 254.
271 See supra note 255.
Second, in response to the comment that the HIPAA Breach Notification Rule requires only one contact method,273 the Commission notes while there are many similarities between the FTC's and HHS's respective breach notification rules and the agencies have consulted to harmonize the two rules, there are differences between them, and the Commission believes it is important to update this provision to reflect new modes of communication and facilitate greater opportunities for communication between affected individuals and notifying entities. The Commission notes multiple commenters supported this proposal.274 Specifically, the Commission agrees with the commenter who stated multiple contact procedures enables greater opportunities for affected individuals to communicate with notifying entities.275 The Commission also agrees with the commenter who noted multiple contact options ensures that affected individuals from all backgrounds and technical capabilities are able to contact the notifying entity following a breach.276 The Commission therefore adopts proposed § 318.6(e) without modification.

272 See supra note 259.
273 Id.
274 See supra note 256.
275 See supra note 258.
276 See supra note 257.

G. Timing of Notice to the FTC

1. The Commission's Proposal Regarding Timing of Notice

Although the Commission did not propose any timing changes in the NPRM, the Commission requested comments on several issues related to timing, including the timing of the notification to the FTC. Regarding the notification timeline to the FTC, the Commission sought comment on whether it should extend the timeline to give entities more time to investigate breaches and better ascertain the number of affected individuals or whether an extension would simply facilitate dilatory action and minimize the opportunity for an important dialogue with Commission staff during the fact-gathering stage immediately following a breach.

2. Public Comments Regarding Timing of Notice

Several commenters expressed support for extending the notification timeline to the FTC.277 Commenters provided several reasons why the existing requirement of notice to the FTC "as soon as possible and in no case later than ten business days following the date of discovery of the breach" for breaches involving 500 or more individuals should be amended. For example, commenters noted that ten days does not provide entities with sufficient time to adequately investigate incidents and fully understand the facts, possibly leading to notices that may be incomplete and require amendment or correction.278 Others commented that the existing requirement diverts key resources from investigating potential breaches, indicating when a breach is suspected or has been discovered, the target entity's focus should be responding to the incident, conducting a thorough investigation of what may have occurred, and addressing and mitigating vulnerabilities to ensure additional information is not compromised.279 Several commenters urged the FTC to align the timeframe to notify the FTC with the timing requirement under the HIPAA Breach Notification Rule,280 which requires notification to the Secretary of HHS without unreasonable delay and in no case later than 60 calendar days following a breach.281 One commenter, irrespective of HIPAA, suggested the Commission give entities up to 60 days to investigate a breach and provide notification to the Commission.282 One commenter recommended the FTC adopt a "risk-based" notification approach whereby the agency could create a shorter notification timeline for high-risk incidents and a longer notification timeline or even no notification for low-risk incidents.283

277 AdvaMed at 9; AHIP at 7; ACLA at 3–4; ATA Action at 2; CCIA at 8; CHI at 6; CTA at 20–21; TechNet at 5.
278 AdvaMed at 9; ACLA at 3–4; AHIP at 7; TechNet at 5–6.
279 ACLA at 3–4; CTA at 19–21.
280 45 CFR 164.400 through 414.
281 AdvaMed at 9; AHIP at 7; ACLA at 3; ATA Action at 2; TechNet at 5–6.
282 ACLA at 3–4.
283 CTA at 19–21.

3. The Commission Adopts Changes to the Timing of Notice

Having considered the public comments, the Commission agrees with commenters who recommended that the notification timeline to the FTC for breaches of security involving 500 or more individuals should be adjusted. The Commission agrees that in certain incidents, especially large, complex breaches, it can be challenging for entities to fully understand the scope of a breach in ten business days, leading to the possibility of incomplete breach notices. Accordingly, the Commission is revising § 318.4(b) to read: "All notifications required under § 318.5(c) involving the unsecured PHR identifiable health information of 500 or more individuals shall be provided contemporaneously with the notice required by paragraph (a) of this section." This change requires entities, for breaches involving 500 or more individuals, to notify the FTC consistent with the notice required by § 318.4(a), i.e., without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security. This change also requires the notice to the FTC be sent at the same time as the notice to the individuals. This requirement thus ensures the notice to the FTC includes all of the information provided in the notice to the individual. It also avoids a scenario where individuals receive notice before the FTC receives notice and affected individuals contact the FTC about a breach for which the Commission has not been notified.
As a result of this change, the Commission anticipates entities will have sufficient time to provide complete and fulsome notifications to the Commission. The Commission emphasizes, however, that notice to the FTC should occur "without unreasonable delay," with 60 days serving as the outer limit.284 The Commission believes, consistent with public comments, this change effectively harmonizes the notification timeline to the FTC with the notification timeline to the Secretary of HHS under the HIPAA Breach Notification Rule. The Commission also believes this notification timeline satisfies the Recovery Act requirement that notice be provided "immediately."285 The Commission also notes this change does not affect in any way the timing of the notice to the FTC for breaches involving less than 500 individuals. Finally, a small number of commenters addressed other issues related to timing, such as the timeline for providing notice to consumers or the media.

284 As the Commission stated in the 2009 Rule Commentary, in some cases, it may be an "unreasonable delay" to wait until the 60th day to provide notification. For example, if a vendor of personal health records or PHR related entity learns of a breach, gathers all necessary information, and has systems in place to provide notification within 30 days, it would be unreasonable to wait until the 60th day to send the notice. Similarly, the Commission noted there may be circumstances where a vendor of personal health records discovers that its third party service provider has suffered a breach before the service provider notifies the vendor that the breach has occurred. In such circumstances, the vendor should begin taking steps to address the breach immediately, and should not wait until receiving notice from the service provider. 74 FR 42971 n.94 (2009).
The Commission believes, for the reasons stated in the commentary accompanying the 2009 NPRM and the 2009 Rule Commentary, the current timelines are appropriate to give consumers and the media timely notice without overburdening notifying firms.286

H. Proposed Changes To Improve Rule's Readability

1. The Commission Proposed Changes To Promote Readability

The Commission proposed several changes to improve the Rule's readability. Specifically, the Commission proposed to include explanatory parentheticals for internal cross-references, add statutory citations in relevant places, consolidate notice and timing requirements in single sections, and revise the Enforcement section to state more plainly the penalties for non-compliance.

2. Public Comments Regarding Readability

Commenters supported the Commission's proposed changes to improve the Rule's readability and promote comprehension by including explanatory parentheticals and statutory citations.287 Commenters also expressed support for the proposed changes to improve the Rule's readability and promote compliance by consolidating into single sections, respectively, the Rule's breach notification and timing requirements.288 Commenters also favored the proposal to modify § 318.7 to make plain that a violation of the Rule constitutes a violation of a rule promulgated under section 18 of the FTC Act and is subject to civil penalties, stating this clarification will decrease the burden on the FTC in enforcement actions and prevent unintended barriers to enforcement.289

285 42 U.S.C. 17932(e)(3). Like the Department of Health and Human Services previously concluded with respect to notification to the Secretary under the HIPAA Breach Notification Rule (74 FR 42753 (2009)), the Commission concludes this interpretation satisfies the statutory requirement that notifications of larger breaches be provided to the FTC immediately as compared to the notifications of smaller breaches (i.e., those involving less than 500 individuals), which the statute allows to be reported annually to the FTC.
286 74 FR 17918 (2009); 74 FR 42971 (2009).
287 AMA at 6; CARIN Alliance at 9.
288 AHIMA at 7; AMA at 6–7.

3. The Commission Adopts Changes Regarding Readability

In light of support from commenters and the Commission's belief that these proposed changes improve readability, the Commission adopts these changes without modification.290

289 AHIMA at 7; AMA at 6–7; AHIOS at 5; MRO at 4. As part of its comment, AMA recommended the FTC, as Rule violations are filed, use actual examples as case study models for future educational resources. The Commission notes that its existing enforcement actions under the Rule already provide guidance for the marketplace and the FTC also has issued business guidance regarding the Rule. E.g., Fed. Trade Comm'n, Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule (Sept. 2023), https://www.ftc.gov/business-guidance/resources/collecting-using-or-sharing-consumer-health-information-look-hipaa-ftc-act-health-breach (last visited Jan. 11, 2024); Fed. Trade Comm'n, Health Breach Notification Rule: The Basics for Business (Jan. 2022), https://www.ftc.gov/business-guidance/resources/health-breach-notification-rule-basics-business (last visited Jan. 11, 2024); Fed. Trade Comm'n, Complying with FTC's Health Breach Notification Rule (Jan. 2022), https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0 (last visited Jan. 11, 2024). One commenter also asserted the Commission was seeking to apply the NPRM's proposed changes retrospectively to breaches of security that were discovered on or after September 24, 2009. This commenter urged the Commission to modify § 318.8 so that the Rule would only apply to breaches of security discovered at least 30 days after the effective date of this final rule. TechNet at 5–6. The 2023 NPRM set out the entire part for the convenience of commenters but did not propose any changes to § 318.8. The Commission notes this effective date section was codified in 2009 when part 318 was added to the CFR and has been in effect since September 24, 2009. As explained in the 2009 Rule Commentary, "the Commission does not have discretion to change the effective date of the rule because the Recovery Act establishes the effective date." See 74 FR 42976; see also 42 U.S.C. 17937(g)(1) ("The provisions of this section shall apply to breaches of security that are discovered on or after the date that is 30 days after the date of publication of such interim final regulations."). The Commission emphasizes that this final rule does not apply retroactively.
290 Relatedly, the Commission also is making a non-substantive grammatical change to § 318.5(a)(2)(ii), which involves substitute notice. This provision currently states: "Such a notice in media or web posting shall include a toll-free phone number, which shall remain active for at least 90 days, where an individual can learn whether or not the individual's unsecured PHR identifiable health information may be included in the breach." The Commission is revising § 318.5(a)(2)(ii) so it reads: "Such a notice in media or web posting shall include a toll-free phone number, which shall remain active for at least 90 days, where an individual can learn if the individual's unsecured PHR identifiable health information may have been included in the breach." The Commission made this grammatical change to improve the rule's readability; the change does not alter the provision's substantive meaning.

III. Paperwork Reduction Act

The Paperwork Reduction Act ("PRA"), 44 U.S.C. chapter 35, requires Federal agencies to seek and obtain Office of Management and Budget ("OMB") approval before undertaking a collection of information directed to ten or more persons.291 This final rule is modifying an existing collection of information,292 which OMB has approved through July 31, 2025 (OMB Control No. 3084–0150). As required by the PRA, the Commission sought OMB review of the modified information collection requirement at the time of the publication of the NPRM. OMB directed the Commission to resubmit its request at the time the final rule is published. Accordingly, simultaneously with the publication of this final rule, the Commission is resubmitting its clearance request to OMB. FTC staff has estimated the burdens associated with the amendments as set forth below. FTC staff estimates the amendments to 16 CFR part 318 will likely result in more reportable breaches by covered entities to the FTC. In the event of a breach of security, the covered firms will be required to investigate and, if certain conditions are met, notify consumers, the Commission, and, in some cases, the media.293 Based on industry reports, FTC staff estimates the amendments will cover approximately 193,000 entities, which, in the event they experience a breach, may be required to notify consumers, the Commission, and, in some cases, the media. While there are approximately 1.8 million apps in the Apple App Store 294 and 2.4 million apps in the Google Play Store,295 as of March 2024, it appears that roughly 193,000 of the apps offered in either store are categorized as "Health and Fitness." 296

291 44 U.S.C. 3502(3)(A)(i).
292 See 44 U.S.C. 3502(3)(A)(i).
293 Third party service providers who experience a breach are required to notify the vendor of personal health records or PHR related entity, which in turn is then required to notify consumers. The Commission expects the cost of notification to third party service providers would be small, relative to the entities that have to notify consumers. As part of the NPRM, the Commission solicited public comment on this issue and data that may be used to quantify the costs to third party service providers. The Commission did not receive any responsive submissions pertaining to this issue.
294 See App Store—Apple, https://www.apple.com/app-store/.
295 See AppBrain: Number of Android Apps on Google Play (Mar 2024), https://www.appbrain.com/stats/number-of-android-apps.
296 See Business of Apps, "App Data Report: App Store Stats, Downloads, Revenues and App Rankings," https://www.businessofapps.com/data/report-app-data/ (reporting 90,913 apps in the Apple iOS App Store and 102,402 apps in the Google Play Store were categorized as "Health and Fitness"). Together, this suggests there are approximately 193,000 Health and Fitness apps. This figure is likely both under- and over-inclusive as a proxy for covered entities. For example, this figure does not include apps categorized elsewhere (i.e., outside "Health and Fitness") that may be PHRs. However, at the same time, this figure also overestimates the number of covered entities, since many developers make more than one app and may specialize in the Health and Fitness category.

The Commission received three comments in response to the NPRM arguing the Rule's scope is broader than apps categorized as "Health and Fitness" and the NPRM's PRA analysis therefore underestimated the number of covered entities and the resulting number of reportable breaches.297 As discussed above,298 the Commission is adopting these amendments to clarify that the Rule applies to mobile health applications and similar technologies. The Commission also highlighted several key limitations to the Rule's scope.299 Thus, the 193,000 figure is a rough proxy for all covered PHRs, because it encompasses mobile health applications categorized as "Health and Fitness." Similar health technologies are included in the roughly 193,000 covered entities because most websites and connected health devices that will be covered by the amendments act in conjunction with an app.300 FTC staff estimates these entities will, cumulatively, experience 82 breaches per year for which notification may be required. With the proviso that there is insufficient data at this time about the number and incidence rate of breaches at entities covered by the amendments (due to underreporting prior to issuance of the Policy Statement), FTC staff determined the number of estimated breaches by calculating the breach incidence rate for HIPAA-covered entities, and then applied this rate to the estimated total number of entities that will be subject to the amendments.301 Additionally, as the number of breaches per year has grown significantly in recent years,302 and FTC staff expects this trend to continue, FTC staff relied on the average number of breaches from 2021 through 2023 to estimate the annual breach incidence rate for HIPAA-covered entities. Specifically, HHS's OCR reported 715 breaches in 2021, 719 breaches in 2022, and 733 breaches in 2023,303 which results in an average of 722 breaches between 2021 and 2023. Based on the 1.7 million entities that are covered by the HIPAA Breach Notification Rule 304 and the average number of breaches for 2021–2023, FTC staff determined an annual breach incidence rate of 0.000425 (722/1.7 million). Accordingly, multiplying the breach incidence rate (0.000425) by the estimated number of entities covered by the amendments (193,000) results in an estimated 82 breaches per year.305

297 See Chamber at 2; CHI at 6–7; CCIA at 8–9.
298 See section II.1.c.
299 Id.
300 Indeed, one of the commenters who argued the Rule's coverage is broader than projected in the NPRM's PRA analysis acknowledged that there has been growth in the number of websites and apps since the 2009 PRA analysis estimated 700 covered entities to be covered by the Rule. Chamber at 2. Further, the approximately 193,000 covered entities may overestimate the number of covered entities, as some apps or websites may not qualify as a covered entity given the Rule's boundaries. For example, a website or app must have the technical capacity to draw information from multiple sources and that same website or app must still be "managed, shared, and controlled by or primarily for the individual" to be covered by the Rule.
301 FTC staff used information publicly available from HHS on HIPAA related breaches because the HIPAA Breach Notification Rule is similarly constructed. However, while there are similarities between HIPAA-covered entities and HBNR-covered entities, it is not necessarily the case that rates of breaches would follow the same pattern. For instance, HIPAA-covered entities are generally subject to stronger data security requirements under HIPAA, but also may be more likely targets for security incidents (e.g., ransomware attacks on hospitals and other medical treatment centers covered by HIPAA have increased dramatically in recent years); thus, this number could be an under- or overestimate of the number of potential breaches per year.
302 According to HHS's Office for Civil Rights ("OCR"), the number of breaches per year grew from 276 in 2013 to 739 breaches in 2023. See Breach Portal, U.S. Dep't of Health & Human Servs., Office for Civil Rights, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (last visited March 1, 2024). The data was downloaded on March 1, 2024, resulting in limited data for 2024. Thus, breaches from 2024 were excluded from the calculations. However, breach investigations that remain open (under investigation) from years prior to 2024 are included in the count of yearly breaches.
303 See Breach Portal, U.S. Dep't of Health & Human Servs., Office for Civil Rights, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (last visited March 1, 2024).
304 In a Federal Register publication titled "Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement", OCR proposes increasing the number of covered entities from 700,000 to 774,331. 86 FR 6446, 6497 (Jan. 21, 2021). For purposes of calculating the annual breach incidence rate, FTC staff utilized 700,000 covered entities because the proposed estimate of 774,331 covered entities represents a projected increase that has not been finalized by OCR. The OCR publication also lists the number of covered Business Associates as 1,000,000. 86 FR 6528.
FTC staff arrived at 1.7 million entities subject to the HIPAA Breach Notification Rule by adding 700,000 covered entities and 1,000,000 Business Associates. 305 One commenter argued that basing the NPRM’s projection of the annual number of breaches on the breach incidence rate for HIPAAcovered entities is problematic because the NPRM’s proposed definition of a breach of security ‘‘goes far and beyond’’ the HIPAA definition of a breach. CCIA at 8–9. To the extent the commenter is referring to the fact that the Rule’s definition of breach of security covers unauthorized disclosures, the Commission notes the HIPAA Breach Notification Rule similarly covers unauthorized disclosures. See Breach Notification Rule, U.S. PO 00000 Frm 00026 Fmt 4701 Sfmt 4700 Costs To determine the costs for purposes of this analysis, FTC staff has developed estimates for two categories of potential costs: (1) the estimated annual burden hours and labor cost of determining what information has been breached, identifying the affected customers, preparing the breach notice, and making the required report to the Commission; and (2) the estimated capital and other non-labor costs associated with notifying consumers. Estimated Annual Burden Hours: 12,300. Estimated Annual Labor Cost: $883,140. First, to determine what information has been breached, identify the affected customers, prepare the breach notice, and make the required report to the Commission, FTC staff estimates covered firms will require per breach, on average, 150 hours of employee labor at a cost of $10,770.306 This estimate does not include the cost of equipment or other tangible assets of the breached firms because they likely will use the equipment and other assets they have for ordinary business purposes. Based on the estimate that there will be 82 breaches per year the annual hours of burden for affected entities will be 12,300 hours (150 hours × 82 breaches) with an associated labor cost of $883,140 (82 breaches × $10,770). 
Estimated Capital and Other NonLabor Costs: $91,984,370. The capital and non-labor costs associated with breach notifications depend upon the number of consumers contacted and whether covered firms are likely to retain the services of a forensic expert. For breaches affecting large numbers of consumers, covered firms are likely to retain the services of a forensic expert. FTC staff estimates, for each breach requiring the services of forensic experts, forensic experts will spend approximately 40 hours to assist in the response to the cybersecurity intrusion, at an estimated cost of $20,000.307 FTC staff estimates the Dep’t of Health & Human Servs., Office for Civil Rights, https://www.hhs.gov/hipaa/forprofessionals/breach-notification/ (‘‘A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.’’). 306 This estimate is the sum of 40 hours of marketing managerial time (at an average wage of $76.10), 40 hours of computer programmer time ($49.42), 20 hours of legal staff ($78.74), and 50 hours of computer and information systems managerial time ($83.49). See Occupational Employment and Wage Statistics, U.S. Bureau of Labor Statistics (May 2022), https://www.bls.gov/ oes/current/oes_nat.htm#00-0000. 307 This estimate is the sum of 40 hours of forensic expert time at a cost of $500 per hour, E:\FR\FM\30MYR2.SGM 30MYR2 Federal Register / Vol. 89, No. 105 / Thursday, May 30, 2024 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES2 services of forensic experts will be required in 60% of the 82 breaches. Based on the estimate that there will be 49 breaches per year requiring forensic experts (60% × 82 breaches), the annual hours burden for affected entities will be 1,960 hours (49 breaches requiring forensic experts × 40 hours) with an associated cost of $980,000 (49 breaches requiring forensic experts × $20,000). 
Using the data on HIPAA-covered breach notices available from HHS for the years 2018–2023, FTC staff estimates the average number of individuals affected per breach is 93,497.308 Given an estimated 82 breaches per year, FTC staff estimates an average of 7,666,754 consumers per year will receive a breach notification (82 breaches × 93,497 individuals per breach). Based on a recent study of data breach costs, FTC staff estimates the cost of providing notice to consumers to be $11.87 per breached record.309 This estimate includes the costs of electronic notice, letters, outbound calls or general notice to data subjects; and engagement of outside experts.310 Applied to the above-stated estimate of 7,666,754 consumers per year receiving breach notification yields an estimated total annual cost for all forms of notice to consumers of $91,004,370 (7,666,754 consumers × $11.87 per record). Accordingly, the estimated capital and non-labor costs total $91,984,370 ($980,000 + $91,004,370). FTC staff notes these estimates likely overstate the costs imposed by the amendments because FTC staff made conservative assumptions in developing many of the underlying estimates. Moreover, many entities covered by the amendments already have similar notification obligations under State data which yields a total cost of $20,000 (40 hours × $500/hour). 308 HHS Breach Data, supra note 303. This analysis uses the last six years of HHS breach data to generate the average, in order to account for the variation in number of individuals affected by breaches observed in the HHS data over time. 309 See IBM Security, Costs of a Data Breach Report 2023 (2023), https://www.ibm.com/reports/ data-breach (‘‘2023 IBM Security Report’’). The research for the 2023 IBM Security Report is conducted independently by the Ponemon Institute, and the results are reported and published by IBM Security. 
Figure 2 of the 2023 IBM Security Report shows that cost per record of a breach was $165 per record in 2023, $164 in 2022, and $161 in 2021, resulting in an average cost of $163.33. Figure 5 of the 2023 IBM Security Report shows that 8.3% ($0.37m/$4.45m) of the average cost of a data breach are due to ‘‘Notification’’ costs. The fraction of average breach costs due to ‘‘Notification’’ were 7.1% in 2022 and 6.4% in 2021 (IBM Security, Costs of a Data Breach Reports 2022 and 2021). Using the average of these numbers (7.27%), FTC staff estimates that notification costs per record across the three years are 7.27% × $163.33 = $11.87 per record. 310 See 2023 IBM Security Report at 72. VerDate Sep<11>2014 20:09 May 29, 2024 Jkt 262001 breach laws.311 In addition, the Commission has taken several steps designed to limit the potential burden on covered entities that are required to provide notice, including by providing exemplar notices that entities may choose to use if they are required to provide notifications and expanding the use of electronic notifications. IV. Regulatory Flexibility Act The Regulatory Flexibility Act (RFA) 312 requires that the Commission provide an Initial Regulatory Flexibility Analysis (‘‘IRFA’’) with a proposed rule and a Final Regulatory Flexibility Analysis (‘‘FRFA’’) with a final rule, unless the Commission certifies that the rule will not have a significant economic impact on a substantial number of small entities. As discussed in the IRFA, the Commission believes the final rule will not have a significant economic impact upon small entities. In this document, the Commission largely adopts the amendments proposed in its NPRM. The Commission believes the amendments will not have a significant economic impact upon small entities, although they may affect a substantial number of small businesses. 
Among other things, the amendments clarify certain definitions, revise the disclosures that must accompany notice of a breach under the Rule, and modernize the methods of notice to allow additional use of electronic notice such as email by entities affected by a breach. In addition, the amendments improve the Rule’s readability by clarifying cross-references and adding statutory citations. The Commission does not anticipate that these changes will add significant additional costs for entities covered by the Rule, and by authorizing electronic notice in additional circumstances, the amendments may reduce costs for many entities covered by the Rule. Therefore, the Commission certifies that the amendments will not have a significant economic impact on a substantial number of small entities.

311 Many State data breach notification statutes require notification when a breach occurs involving certain health or medical information of individuals in that State. See, e.g., Ala. Code 8–38–1 et seq.; Alaska Stat. 45.48.010 et seq.; Ariz. Rev. Stat. 18–551 et seq.; Ark. Code 4–110–101 et seq.; Cal. Civ. Code 1798.80 et seq.; Cal. Health & Safety Code 1280.15; Colo. Rev. Stat. 6–1–716; Del. Code Ann. tit. 6 12B–101 et seq.; D.C. Code 28–3851 et seq.; Fla. Stat. 501.171; 815 Ill. Comp. Stat. 530/5 et seq.; Md. Code Com. Law 14–3501 et seq.; Mo. Rev. Stat. 407.1500; Nev. Rev. Stat. 603A.010 et seq.; N.H. Rev. Stat. 359–C:19–C:21; N.H. Rev. Stat. 332–I:5; N.D. Cent. Code 51–30–01–07; Or. Rev. Stat. 646A.600–646A.628; R.I. Gen. Laws 11–49.3–1—11–49.3–6; SDCL 22–40–19—22–40–26; Tex. Bus. & Com. Code 521.002, 521.053, 521.151–152; 9 V.S.A. 2430, 2435; Va. Code 18.2–186.6; Va. Code 32.1–127.1:05; Va. Code 58.1–341.2; Wash. Rev. Code 19.255.010 et seq.

312 5 U.S.C. 601–612.
Although the Commission certifies under the RFA that the Rule will not have a significant impact on a substantial number of small entities, and hereby provides notice of that certification to the Small Business Administration (“SBA”), the Commission has determined, nonetheless, that it is appropriate to publish an FRFA to inquire into the impact of the proposed amendments on small entities.

A. Need for and Objectives of the Amendments

The objective of the amendments is to clarify existing notice obligations for entities covered by the Rule. The legal basis for the amendments is section 13407 of the Recovery Act.

B. Significant Issues Raised in Public Comments

Although the Commission received several comments that argued that the amendments would be burdensome for businesses, none argued specifically that smaller businesses in particular would be subject to special burdens. The Commission did not receive any comments filed by the Chief Counsel for Advocacy of the SBA.

C. Small Entities to Which the Amendments Will Apply

The amendments, like the current Rule, will apply to vendors of personal health records, PHR related entities, and third party service providers, including developers and purveyors of health apps, connected health devices, and similar technologies. As discussed in the Commission’s PRA estimates above, FTC staff estimates the amendments will apply to approximately 193,000 covered entities. The Commission estimates that a substantial number of these entities likely qualify as small businesses. According to the Statistics on Small Businesses Census data, approximately 94% of “Software Publishers” (the category to which health and fitness apps belong) are small businesses.313

313 2017 SUSB Annual Data Tables by Establishment Industry, U.S. Census Bureau (May 2021), https://www.census.gov/data/tables/2017/econ/susb/2017-susb-annual.html, using “Data by Enterprise Receipts Size.” The U.S. Small Business Administration (“SBA”) categorizes Software Publishers as a small business if the annual receipts are less than $41.5 million; the 2017 data is the most recent data available reporting receipts size.

D. Projected Reporting, Recordkeeping, and Other Compliance Requirements, Including Classes of Covered Small Entities and Professional Skills Needed To Comply

The Recovery Act and the amendments contain certain reporting requirements. The amendments will clarify which entities are subject to those reporting requirements. Specifically, the Act and amendments require vendors of personal health records and PHR related entities to provide notice to consumers, the Commission, and in some cases the media in the event of a breach of unsecured PHR identifiable health information. The Act and amendments also require third party service providers to provide notice to vendors of personal health records and PHR related entities in the event of such a breach. If a breach occurs, each entity covered by the Act and amendments will expend costs to determine the extent of the breach and the individuals affected. If the entity is a vendor of personal health records or a PHR related entity, additional costs will include the costs of preparing a breach notice, notifying the Commission, compiling a list of consumers to whom a breach notice must be sent, and sending a breach notice. Such entities may incur additional costs in locating consumers who cannot be reached, and in certain cases, posting a breach notice on a website, notifying consumers through media advertisements, or sending breach notices through press releases to media outlets.
In-house costs may include technical costs to determine the extent of breaches; investigative costs of conducting interviews and gathering information; administrative costs of compiling address lists; professional/legal costs of drafting the notice; and potentially, costs for postage, web posting, and/or advertising. Costs may also include the purchase of services of a forensic expert. As discussed in the context of the PRA, FTC staff estimates that compliance with these requirements will likely result in $883,148 in labor costs and $91,984,370 in capital and other non-labor costs. The estimated cost per covered entity is $481 (the total labor, capital, and non-labor costs of $92,867,518 divided by 193,000 covered entities). The SBA categorizes Software Publishers with annual receipts under $41.5 million as a small business; the per entity cost of $481 represents 0.0001% of this annual receipts threshold.

E. Significant Alternatives to the Amendments

In drafting the Rule, the Commission has made every effort to avoid unduly burdensome requirements for entities. In particular, the Commission believes that the changes to facilitate electronic notice will assist small entities by significantly reducing the costs of sending breach notices. In addition, the Commission is making available exemplar notices that entities covered by the Rule may use, in their discretion, to notify individuals. The Commission anticipates these exemplar notices will further reduce the burden on entities that are required to provide notice under the Rule. The Commission is not aware of alternative methods of compliance that will reduce the impact of the amendments on small entities, while also comporting with the Recovery Act. The statutory requirements are specific as to the timing, method, and content of notice.

V. Other Matters

Pursuant to the Congressional Review Act (5 U.S.C.
801 et seq.), the Office of Information and Regulatory Affairs designated this rule as not a “major rule,” as defined by 5 U.S.C. 804(2).

List of Subjects in 16 CFR Part 318

Breach, Consumer protection, Health, Privacy, Reporting and recordkeeping requirements, Trade practices.

Accordingly, the Federal Trade Commission revises and republishes 16 CFR part 318 to read as follows:

■ PART 318—HEALTH BREACH NOTIFICATION RULE

Sec.
318.1 Purpose and scope.
318.2 Definitions.
318.3 Breach notification requirement.
318.4 Timeliness of notification.
318.5 Methods of notice.
318.6 Content of notice.
318.7 Enforcement.
318.8 Applicability date.
318.9 Sunset.

Authority: 42 U.S.C. 17937 and 17953.

§ 318.1 Purpose and scope.

(a) This part, which shall be called the “Health Breach Notification Rule,” implements section 13407 of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. 17937. This part applies to foreign and domestic vendors of personal health records, PHR related entities, and third party service providers, irrespective of any jurisdictional tests in the Federal Trade Commission (FTC) Act, that maintain information of U.S. citizens or residents. This part does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.

(b) This part preempts State law as set forth in section 13421 of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. 17951.

§ 318.2 Definitions.

Breach of security means, with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual.
Unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information unless the vendor of personal health records, PHR related entity, or third party service provider that experienced the breach has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information. A breach of security includes an unauthorized acquisition of unsecured PHR identifiable health information in a personal health record that occurs as a result of a data breach or an unauthorized disclosure.

Business associate means a business associate under the Health Insurance Portability and Accountability Act, Public Law 104–191, 110 Stat. 1936, as defined in 45 CFR 160.103.

Clear and conspicuous means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.

(1) Reasonably understandable. You make your notice reasonably understandable if you:
(i) Present the information in the notice in clear, concise sentences, paragraphs, and sections;
(ii) Use short explanatory sentences or bullet lists whenever possible;
(iii) Use definite, concrete, everyday words and active voice whenever possible;
(iv) Avoid multiple negatives;
(v) Avoid legal and highly technical business terminology whenever possible; and
(vi) Avoid explanations that are imprecise and readily subject to different interpretations.

(2) Designed to call attention. You design your notice to call attention to the nature and significance of the information in it if you:
(i) Use a plain-language heading to call attention to the notice;
(ii) Use a typeface and type size that are easy to read;
(iii) Provide wide margins and ample line spacing;
(iv) Use boldface or italics for key words; and
(v) In a form that combines your notice with other information, use distinctive type size, style, and graphic devices, such as shading or sidebars, when you combine your notice with other information. The notice should stand out from any accompanying text or other visual elements so that it is easily noticed, read, and understood.

(3) Notices on websites or within-application messaging. If you provide a notice on a web page or using within-application messaging, you design your notice to call attention to the nature and significance of the information in it if you use text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensure that other elements on the website or software application (such as text, graphics, hyperlinks, or sound) do not distract attention from the notice, and you either:
(i) Place the notice on a screen that consumers frequently access, such as a page on which transactions are conducted; or
(ii) Place a link on a screen that consumers frequently access, such as a page on which transactions are conducted, that connects directly to the notice and is labeled appropriately to convey the importance, nature and relevance of the notice.

Covered health care provider means a provider of services (as defined in 42 U.S.C. 1395x(u)), a provider of medical or other health services (as defined in 42 U.S.C. 1395x(s)), or any other entity furnishing health care services or supplies.

Electronic mail means email in combination with one or more of the following: text message, within-application messaging, or electronic banner.
Health care services or supplies means any online service such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.

HIPAA-covered entity means a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), Public Law 104–191, 110 Stat. 1936, as defined in 45 CFR 160.103.

Personal health record (PHR) means an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual.

PHR identifiable health information means information that:
(1) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and
(i) Identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe that the information can be used to identify the individual; and
(2) Is created or received by a:
(i) Covered health care provider;
(ii) Health plan (as defined in 42 U.S.C. 1320d(5));
(iii) Employer; or
(iv) Health care clearinghouse (as defined in 42 U.S.C. 1320d(2)); and
(3) With respect to an individual, includes information that is provided by or on behalf of the individual.
PHR related entity means an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that:
(1) Offers products or services through the website, including any online service, of a vendor of personal health records;
(2) Offers products or services through the websites, including any online service, of HIPAA-covered entities that offer individuals personal health records; or
(3) Accesses unsecured PHR identifiable health information in a personal health record or sends unsecured PHR identifiable health information to a personal health record.

State means any of the several States, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana Islands.

Third party service provider means an entity that:
(1) Provides services to a vendor of personal health records in connection with the offering or maintenance of a personal health record or to a PHR related entity in connection with a product or service offered by that entity; and
(2) Accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information as a result of such services.

Unsecured means PHR identifiable information that is not protected through the use of a technology or methodology specified by the Secretary of Health and Human Services in the guidance issued under section 13402(h)(2) of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. 17932(h)(2).

Vendor of personal health records means an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a personal health record.

§ 318.3 Breach notification requirement.

(a) In general.
In accordance with §§ 318.4 (regarding timeliness of notification), 318.5 (regarding methods of notice), and 318.6 (regarding content of notice), each vendor of personal health records, following the discovery of a breach of security of unsecured PHR identifiable health information that is in a personal health record maintained or offered by such vendor, and each PHR related entity, following the discovery of a breach of security of such information that is obtained through a product or service provided by such entity, shall:
(1) Notify each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such breach of security;
(2) Notify the Federal Trade Commission; and
(3) Notify prominent media outlets serving a State or jurisdiction, following the discovery of a breach of security, if the unsecured PHR identifiable health information of 500 or more residents of such State or jurisdiction is, or is reasonably believed to have been, acquired during such breach.

(b) Third party service providers. A third party service provider shall, following the discovery of a breach of security, provide notice of the breach to an official designated in a written contract by the vendor of personal health records or the PHR related entity to receive such notices or, if such a designation is not made, to a senior official at the vendor of personal health records or PHR related entity to which it provides services, and obtain acknowledgment from such official that such notice was received. Such notification shall include the identification of each customer of the vendor of personal health records or PHR related entity whose unsecured PHR identifiable health information has been, or is reasonably believed to have been, acquired during such breach. For
purposes of ensuring implementation of this paragraph (b), vendors of personal health records and PHR related entities shall notify third party service providers of their status as vendors of personal health records or PHR related entities subject to this part. While some third party service providers may access unsecured PHR identifiable health information in the course of providing services, this does not render the third party service provider a PHR related entity.

(c) Breaches treated as discovered. A breach of security shall be treated as discovered as of the first day on which such breach is known or reasonably should have been known to the vendor of personal health records, PHR related entity, or third party service provider, respectively. Such vendor, entity, or third party service provider shall be deemed to have knowledge of a breach if such breach is known, or reasonably should have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of such vendor of personal health records, PHR related entity, or third party service provider.

§ 318.4 Timeliness of notification.

(a) In general. Except as provided in paragraph (d) of this section (exception for law enforcement), all notifications required under § 318.3(a)(1) (required notice to individuals), (a)(3) (required notice to media), and (b) (required notice by third party service providers), shall be sent without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security.

(b) Timing of notice to FTC. All notifications required under § 318.5(c) (regarding notice to FTC) involving the unsecured PHR identifiable health information of 500 or more individuals shall be provided contemporaneously with the notice required by paragraph (a) of this section.
All logged notifications required under § 318.5(c) (regarding notice to FTC) involving the unsecured PHR identifiable health information of fewer than 500 individuals may be sent annually to the Federal Trade Commission no later than 60 calendar days following the end of the calendar year.

(c) Burden of proof. The vendor of personal health records, PHR related entity, and third party service provider involved shall have the burden of demonstrating that all notifications were made as required under this part, including evidence demonstrating the necessity of any delay.

(d) Law enforcement exception. If a law enforcement official determines that a notification, notice, or posting required under this part would impede a criminal investigation or cause damage to national security, such notification, notice, or posting shall be delayed. This paragraph (d) shall be implemented in the same manner as provided under 45 CFR 164.528(a)(2), in the case of a disclosure covered under § 164.528(a)(2).

§ 318.5 Methods of notice.

(a) Individual notice. A vendor of personal health records or PHR related entity that discovers a breach of security shall provide notice of such breach to an individual promptly, as described in § 318.4 (regarding timeliness of notification), and in the following form:
(1) Written notice at the last known address of the individual. Written notice may be sent by electronic mail if the individual has specified electronic mail as the primary method of communication. Any written notice sent by electronic mail must be Clear and Conspicuous. Where notice via electronic mail is not available or the individual has not specified electronic mail as the primary method of communication, a vendor of personal health records or PHR related entity may provide notice by first-class mail at the last known address of the individual.
If the individual is deceased, the vendor of personal health records or PHR related entity that discovered the breach must provide such notice to the next of kin of the individual if the individual had provided contact information for his or her next of kin, along with authorization to contact them. The notice may be provided in one or more mailings as information is available.

(2) If, after making reasonable efforts to contact all individuals to whom notice is required under § 318.3(a), through the means provided in paragraph (a)(1) of this section, the vendor of personal health records or PHR related entity finds that contact information for ten or more individuals is insufficient or out-of-date, the vendor of personal health records or PHR related entity shall provide substitute notice, which shall be reasonably calculated to reach the individuals affected by the breach, in the following form:

(i) Through a conspicuous posting for a period of 90 days on the home page of its website; or

(ii) In major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside. Such a notice in media or web posting shall include a toll-free phone number, which shall remain active for at least 90 days, where an individual can learn if the individual’s unsecured PHR identifiable health information may have been included in the breach.

(3) In any case deemed by the vendor of personal health records or PHR related entity to require urgency because of possible imminent misuse of unsecured PHR identifiable health information, that entity may provide information to individuals by telephone or other means, as appropriate, in addition to notice provided under paragraph (a)(1) of this section.
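The discovery rule in § 318.3(c), the 60-day windows and 500-individual threshold in § 318.4, the ten-individual substitute-notice trigger in § 318.5(a)(2), the per-State media threshold in § 318.5(b), and the two-contact-method requirement in § 318.6(e) are the parts of this Rule an incident-response team typically encodes once so that no deadline depends on someone re-reading the regulation mid-incident. The script below is an added worked example by this editor, not part of the Rule or of any FTC material. The agent names, knowledge dates, State counts and contact methods are constructed sample data; the law enforcement exception in § 318.4(d) is deliberately not modeled, and the computed dates are the Rule's outer bounds, not a substitute for the "without unreasonable delay" standard.

```python
"""Notification obligations under 16 CFR part 318, as amended (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Thresholds and windows as stated in the rule text.
NOTICE_WINDOW = timedelta(days=60)        # § 318.4(a): individuals, media, TPSP-to-vendor
ANNUAL_LOG_WINDOW = timedelta(days=60)    # § 318.4(b): log for <500 due 60 days after year end
FTC_AND_MEDIA_THRESHOLD = 500             # § 318.4(b) and § 318.5(b)
SUBSTITUTE_NOTICE_THRESHOLD = 10          # § 318.5(a)(2)
MIN_CONTACT_METHODS = 2                   # § 318.6(e)
CONTACT_METHODS = {"toll_free_phone", "email", "website", "in_app", "postal"}


@dataclass
class BreachFacts:
    # Agent name -> first date that agent knew or reasonably should have known.
    # All values here are constructed sample data, not from the rule.
    known_by: Dict[str, date]
    perpetrator: Optional[str]            # excluded from "knowledge" per § 318.3(c)
    affected_by_state: Dict[str, int]     # residents affected, keyed by State/jurisdiction
    unreachable_individuals: int          # contact info insufficient or out of date
    contact_methods: Set[str]             # methods the notice offers, from CONTACT_METHODS


@dataclass
class Obligations:
    discovery_date: date
    notice_deadline: date                 # individuals, media and TPSP notice (§ 318.4(a))
    ftc_deadline: date
    ftc_contemporaneous: bool             # True: notify FTC together with individual notice
    media_notice_states: List[str]
    substitute_notice_required: bool
    content_problems: List[str] = field(default_factory=list)


def discovery_date(known_by: Dict[str, date], perpetrator: Optional[str]) -> date:
    """§ 318.3(c): first day any employee, officer or agent other than the
    person committing the breach knew or reasonably should have known."""
    dates = [d for agent, d in known_by.items() if agent != perpetrator]
    if not dates:
        raise ValueError("no non-perpetrator knowledge date; discovery undetermined")
    return min(dates)


def annual_log_deadline(discovered: date) -> date:
    """§ 318.4(b): 60 calendar days following the end of the calendar year in
    which the breach was discovered. This is not a fixed 'March 1': counted
    from December 31 it falls on February 29 when the next year is a leap year."""
    return date(discovered.year, 12, 31) + ANNUAL_LOG_WINDOW


def assess(facts: BreachFacts) -> Obligations:
    discovered = discovery_date(facts.known_by, facts.perpetrator)
    deadline = discovered + NOTICE_WINDOW
    total = sum(facts.affected_by_state.values())

    large = total >= FTC_AND_MEDIA_THRESHOLD
    ftc_deadline = deadline if large else annual_log_deadline(discovered)

    # § 318.5(b): media notice is per State/jurisdiction, not on the total.
    media_states = sorted(s for s, n in facts.affected_by_state.items()
                          if n >= FTC_AND_MEDIA_THRESHOLD)

    problems: List[str] = []
    unknown = facts.contact_methods - CONTACT_METHODS
    if unknown:
        problems.append(f"unrecognised contact methods: {sorted(unknown)}")
    if len(facts.contact_methods & CONTACT_METHODS) < MIN_CONTACT_METHODS:
        problems.append("§ 318.6(e): notice must offer two or more contact methods")

    return Obligations(
        discovery_date=discovered,
        notice_deadline=deadline,
        ftc_deadline=ftc_deadline,
        ftc_contemporaneous=large,
        media_notice_states=media_states,
        substitute_notice_required=(
            facts.unreachable_individuals >= SUBSTITUTE_NOTICE_THRESHOLD),
        content_problems=problems,
    )


# Constructed scenarios (sample data only, not any real incident).
LARGE_BREACH = BreachFacts(
    known_by={"insider": date(2024, 2, 28), "soc_analyst": date(2024, 3, 1),
              "ciso": date(2024, 3, 4)},
    perpetrator="insider",                # the insider's own knowledge does not count
    affected_by_state={"CA": 620, "NY": 480},
    unreachable_individuals=12,
    contact_methods={"email"},
)
SMALL_BREACH = BreachFacts(
    known_by={"support_agent": date(2023, 11, 15)},
    perpetrator=None,
    affected_by_state={"TX": 40},
    unreachable_individuals=0,
    contact_methods={"email", "website"},
)

if __name__ == "__main__":
    for name, facts in (("large", LARGE_BREACH), ("small", SMALL_BREACH)):
        print(name, assess(facts))
```

In the large scenario the discovery date is 1 March 2024 (the analyst's knowledge, not the insider's), so the outer deadline for individual, media and FTC notice is 30 April 2024; only California crosses the 500-resident line for media notice, and the notice as drafted fails § 318.6(e) because it offers a single contact method. In the small scenario the FTC entry may wait for the annual log, which is due 29 February 2024, sixty days after 31 December 2023.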
(b) Notice to media. As described in § 318.3(a)(3), a vendor of personal health records or PHR related entity shall provide notice to prominent media outlets serving a State or jurisdiction, following the discovery of a breach of security, if the unsecured PHR identifiable health information of 500 or more residents of such State or jurisdiction is, or is reasonably believed to have been, acquired during such breach.

(c) Notice to FTC. Vendors of personal health records and PHR related entities shall provide notice to the Federal Trade Commission following the discovery of a breach of security, as described in § 318.4(b) (regarding timing of notice to FTC). If the breach involves the unsecured PHR identifiable health information of fewer than 500 individuals, the vendor of personal health records or PHR related entity may maintain a log of any such breach and submit such a log annually to the Federal Trade Commission as described in § 318.4(b) (regarding timing of notice to FTC), documenting breaches from the preceding calendar year. All notices pursuant to this paragraph (c) shall be provided according to instructions at the Federal Trade Commission’s website.

§ 318.6 Content of notice.

Regardless of the method by which notice is provided to individuals under § 318.5 (regarding methods of notice), notice of a breach of security shall be in plain language and include, to the extent possible, the following:

(a) A brief description of what happened, including: the date of the breach and the date of the discovery of the breach, if known; and the full name or identity (or, where providing the full name or identity would pose a risk to individuals or the entity providing notice, a description) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security, if this information is known to the vendor of personal health records or PHR related entity;

(b) A description of the types of unsecured PHR identifiable health information that were involved in the breach (such as but not limited to full name, Social Security number, date of birth, home address, account number, health diagnosis or condition, lab results, medications, other treatment information, the individual’s use of a health-related mobile application, or device identifier (in combination with another data element));

(c) Steps individuals should take to protect themselves from potential harm resulting from the breach;

(d) A brief description of what the entity that experienced the breach is doing to investigate the breach, to mitigate harm, to protect against any further breaches, and to protect affected individuals, such as offering credit monitoring or other services; and

(e) Contact procedures for individuals to ask questions or learn additional information, which must include two or more of the following: toll-free telephone number; email address; website; within-application; or postal address.

§ 318.7 Enforcement.

Any violation of this part shall be treated as a violation of a rule promulgated under section 18 of the Federal Trade Commission Act, 15 U.S.C. 57a, regarding unfair or deceptive acts or practices, and thus subject to civil penalties (as adjusted for inflation pursuant to § 1.98 of this chapter), and the Commission will enforce this part in the same manner, by the same means, and with the same jurisdiction, powers, and duties as are available to it pursuant to the Federal Trade Commission Act, 15 U.S.C. 41 et seq.

§ 318.8 Applicability date.

This part shall apply to breaches of security that are discovered on or after September 24, 2009.

§ 318.9 Sunset.

If new legislation is enacted establishing requirements for notification in the case of a breach of security that apply to entities covered by this part, the provisions of this part shall not apply to breaches of security discovered on or after the effective date of regulations implementing such legislation.

By direction of the Commission, Commissioners Holyoak and Ferguson dissenting.

April J. Tabor,
Secretary.

Note: The following appendices will not appear in the Code of Federal Regulations.

Appendix A—Health Breach Notification Rule Exemplar Notices

The notices below are intended to be examples of notifications that entities may use, in their discretion, to notify individuals of a breach of security pursuant to the Health Breach Notification Rule. The examples below are for illustrative purposes only. You should tailor any notices to the particular facts and circumstances of your breach. While your notice must comply with the Health Breach Notification Rule, you are not required to use the notices below.

Mobile Text Message and In-App Message Exemplars

Text Message Notification Exemplar 1

Due to a security breach on our system, the health information you shared with us through [name of product] is now in the hands of unknown attackers. Visit [add non-clickable URL] to learn what happened, how it affects you, and what you can do to protect your information. We also sent you an email with additional information.

Text Message Notification Exemplar 2

You shared health information with us when you used [product name]. We discovered that we shared your health information with third parties for [describe why the company shared the info] without your permission. Visit [add non-clickable URL] to learn what happened, how it affects you, and what you can do to protect your information. We also sent you an email with more information.

In-App Message Notification Exemplar 1

Due to a security breach on our system, the health information you shared with us through [name of product] is now in the hands of unknown attackers. This could include your [Add specifics—for example, your name, email, address, blood pressure data]. Visit [URL] to learn what happened, how it affects you, and what you can do to protect your information. We also sent you an email with additional information.

In-App Message Notification Exemplar 2

You shared health information with us when you used [product name]. We discovered that we shared your health information with third parties for [if known, describe why the company shared the info] without your permission. This could include your [Add specifics—for example, your name, email, address, blood pressure data]. Visit [URL] to learn what happened, how it affects you, and what you can do to protect your information. We also sent you an email with additional information.

Web Banner Exemplars

Web Banner Notification Exemplar 1

Due to a security breach on our system, the health information you shared with us through [name of product] is now in the hands of unknown attackers. This could include your [Add specifics—for example, your name, email, address, blood pressure data]. Visit [URL] to learn what happened, how it affects you, and what you can do to protect your information.

• Recommend: Include clear ‘‘Take action’’ call to action button, such as the example below:

[Graphic omitted]

Web Banner Notification Exemplar 2

You shared health information with us when you used [product name]. We discovered that we shared your health information with third parties for [if known, describe why the company shared the info] without your permission. This could include your [Add specifics—for example, your name, email, address, blood pressure data]. Visit [URL] to learn what happened, how it affects you, and what you can do to protect your information.

• Recommend: Include clear ‘‘Take action’’ call to action button, such as the example below:

[Graphic omitted]

Email Exemplars

Exemplar Email Notice 1

Email Sender: [Company] <company email>
Email Subject Line: [Company] Breach of Your Health Information

Dear [Name],

We are contacting you because an attacker recently gained unauthorized access to our system and stole health information about our customers, including you.

What happened and what it means for you

On [March 1, 2024], we learned that an attacker had accessed a file containing our customers’ health information on [February 28, 2024]. The file included your name, the name of your health insurance company, your date of birth, and your group or policy number.

What you can do to protect yourself

You can take steps now to reduce the risk of identity theft.

1. Review your medical records, statements, and bills for signs that someone is using your information. Under the health privacy law known as HIPAA, you have the right to access your medical records. Get your records and review them for any treatments or doctor visits you don’t recognize. If you find any, report them to your healthcare provider in writing. Then go to www.IdentityTheft.gov/steps to see what other steps you can take to limit the damage. Also review the Explanation of Benefits statement your insurer sends you when it pays for medical care. Some criminals wait before using stolen information so keep monitoring your benefits and bills.

2. Review your credit reports for errors. You can get your free credit reports from the three credit bureaus at www.annualcreditreport.com or call 1–877–322–8228. Look for medical billing errors, like medical debt collection notices that you don’t recognize. Report any medical billing errors to all three credit bureaus by following the ‘‘What To Do Next’’ steps on www.IdentityTheft.gov.

3.
Sign up for free credit monitoring to detect suspicious activity. Credit monitoring detects and alerts you about activity on your credit reports. Activity you don’t recognize could be a sign that someone stole your identity. We’re offering free credit monitoring for two years through [name of service]. Learn more and sign up at [URL].

4. Consider freezing your credit report or placing a fraud alert on your credit report. A credit report freeze means potential creditors can’t get your credit report without your permission. That makes it less likely that an identity thief can open new accounts in your name. A freeze remains in place until you ask the credit bureau to temporarily lift it or remove it.

A fraud alert will make it harder for someone to open a new credit account in your name. It tells creditors to contact you before they open any new accounts in your name or change your accounts. A fraud alert lasts for one year. After a year, you can renew it.

To freeze your credit report, contact each of the three credit bureaus, Equifax, Experian, and TransUnion. To place a fraud alert, contact any one of the three credit bureaus, Equifax, Experian, and TransUnion. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your credit report.

Credit bureau contact information
Equifax, www.equifax.com/personal/credit-report-services, 1–800–685–1111
Experian, www.experian.com/help, 1–888–397–3742
TransUnion, www.transunion.com/credit-help, 1–888–909–8872

Learn more about how credit report freezes and fraud alerts can protect you from identity theft or prevent further misuse of your personal information at www.consumer.ftc.gov/articles/what-know-about-credit-freezes-and-fraud-alerts.

What we are doing in response

We hired security experts to secure our system. We are working with law enforcement to find the attacker.
And we are investigating whether we made mistakes that made it possible for the attackers to get in.

Learn more about the breach.

Go to [URL] to learn more about what happened and what you can do to protect yourself. If we have any updates, we will post them there. If you have questions or concerns, call us at [telephone number], email us at [address], or go to [URL].

Sincerely,
First name Last Name
[Role], [Company]

Exemplar Email Notice 2

Email Sender: [Company] <company email>
Email Subject Line: Unauthorized disclosure of your health information by [Company]

Dear [Name],

We are contacting you because you use our company’s app [name of app]. When you downloaded our app, we promised to keep your personal health information private. Instead, we disclosed health information about you without your approval.

What happened?

We told [insert Company name, identity, or, where providing full name or identity would pose a risk to individuals or the entity providing notice, a description of type of company] that you use our app, and between [January 10, 2024] and [March 1, 2024], we gave them your name and your email address. We gave [insert Company name, identity, or where providing full name or identity would pose a risk to individuals or the entity providing notice, a description of type of company] this information so they could use it for advertising and marketing purposes. For example, to target you for ads for cancer drugs.

What we are doing in response

We will stop selling or sharing your health information with other companies. We will stop using your health information for advertising or marketing purposes. We have asked Company XYZ to delete your health information, but it’s possible they could continue to use it for advertising and marketing.

What you can do

We made important changes to our app to fix this problem. Download the latest updates to our app then review your privacy settings.
You can also contact Company XYZ to request that it delete your data.

Learn more

Learn more about our privacy and security practices at [URL]. If we have any updates, we will post them there. If you have any questions or concerns, call us at [telephone number] or email us at [address].

Sincerely,
First name Last Name
[Role], [Company]

Exemplar Email Notice 3

Email Sender: [Company] <company email>
Email Subject Line: [Company] Breach of Your Health Information

Dear [Name],

We are contacting you about a breach of your health information collected through the [product], a device sold by our company, [Company].

What happened?

On [March 1, 2024], we discovered that our employee had accidentally posted a database online on [February 28, 2024]. That database included your name, your credit or debit card information, and your blood pressure readings. We don’t know if anyone else found the database and saw your information. If someone found the database, they could use personal information to steal your identity or make unauthorized charges in your name.

What you can do to protect yourself

You can take steps now to reduce the risk of identity theft.

1. Get your free credit report and review it for signs of identity theft. Order your free credit report at www.annualcreditreport.com. Review it for accounts and activity you don’t recognize. Recheck your credit reports periodically.

2. Consider freezing your credit report or placing a fraud alert on your credit report. A credit report freeze means potential creditors can’t get your credit report without your permission. That makes it less likely that an identity thief can open new accounts in your name. A freeze remains in place until you ask the credit bureau to temporarily lift it or remove it.
A fraud alert will make it harder for someone to open a new credit account in your name. It tells creditors to contact you before they open any new accounts in your name or change your accounts. A fraud alert lasts for one year. After a year, you can renew it.

To freeze your credit report, contact each of the three credit bureaus, Equifax, Experian, and TransUnion. To place a fraud alert, contact any one of the three credit bureaus, Equifax, Experian, and TransUnion. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your credit report.

Credit bureau contact information
Equifax, www.equifax.com/personal/credit-report-services, 1–800–685–1111
Experian, www.experian.com/help, 1–888–397–3742
TransUnion, www.transunion.com/credit-help, 1–888–909–8872

Learn more about how credit report freezes and fraud alerts can protect you from identity theft or prevent further misuse of your personal information at www.consumer.ftc.gov/articles/what-know-about-credit-freezes-and-fraud-alerts.

3. Sign up for free credit monitoring to detect suspicious activity. Credit monitoring detects and alerts you about activity on your credit reports. Activity you don’t recognize could be a sign that someone stole your identity. We’re offering free credit monitoring for two years through [name of service]. Learn more and sign up at [URL].

What we are doing in response

We are investigating our mistakes. We know the database shouldn’t have been online and it should have been encrypted. We are making changes to prevent this from happening again. We are working with experts to secure our system. We are reviewing our databases to make sure we store health information securely.

Learn more about the breach.

Go to [URL] to learn more about what happened and what you can do to protect yourself. If we have any updates, we will post them there. If you have questions or concerns, call us at [telephone number], email us at [address], or go to [URL].
Sincerely,
First name Last Name
[Role], [Company]

Appendix B—Joint Statement by FTC Chair and Commissioners

Joint Statement of Chair Lina M. Khan, Commissioner Rebecca Kelly Slaughter, and Commissioner Alvaro M. Bedoya

Today, the FTC finalizes an update to the Health Breach Notification Rule (‘‘the Final Rule’’) that ensures its protections keep pace with the rapid proliferation of digital health records. We do so to fulfill a clear statutory directive given to us by Congress. In 2009, as part of the American Recovery and Reinvestment Act (‘‘ARRA’’), Congress passed the Health Information Technology for Economic and Clinical Health Act (‘‘HITECH Act’’).314 Among other things, the HITECH Act sought to fill the gaps left by the privacy and security protections created under the Health Insurance Portability and Accountability Act (‘‘HIPAA’’), which was passed more than a decade earlier.315 Specifically, it expanded the kinds of entities subject to the privacy and security provisions of HIPAA,316 gave state attorneys general enforcement powers,317 and—most relevant here—directed the Commission to issue a rule requiring entities not covered by HIPAA to provide notification of any breach of unsecured health records.318 The Commission issued the original rule in 2009.319 In 2020, the Commission initiated its regular decennial rule review and, in 2021, the Commission issued a policy statement clarifying how the rule applies to health apps and other connected devices.320 In the years since, the Commission has brought enforcement actions against health apps alleging violations of the Health Breach Notification Rule.321 Today’s issuance of the Final Rule codifies this approach, honoring the statutory directive that people must be notified when their health records are breached.
The dissent argues that the Commission’s action ‘‘exceeds the Commission’s statutory authority.’’ 322 But its analysis contravenes a plain reading of the statute. In the HITECH Act, Congress directed the FTC to issue rules requiring vendors of personal health records (‘‘PHR’’) to notify consumers and the FTC following ‘‘a breach of security of unsecured PHR identifiable health information.’’ 323 The statute defines the term ‘‘PHR identifiable health information’’ as ‘‘individually identifiable health information, as defined in section 1320d(6) of this title.’’ 324 Section 1320d(6), a portion of the Social Security Act created by HIPAA, defines ‘‘individually identifiable health information’’ as ‘‘any information . . . that is created or received by a health care provider, health plan, employer, or health care clearinghouse.’’ 325 Section 1320d(3), another section of the Social Security Act created by HIPAA, defines ‘‘health care provider’’ as, first, ‘‘a provider of services’’ as defined in section 1395x(u); 326 second, ‘‘a provider of medical or other health services’’ as defined in section 1395x(s); 327 and, third, ‘‘any other person furnishing health care services or supplies.’’ 328 The term ‘‘health care services or supplies,’’ undefined in the statute, is defined in the Final Rule as follows:

Health care services or supplies means any online service such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.329

The dissent argues that this definition violates certain canons of statutory construction.330 But its effort to cabin the third category of HIPAA’s ‘‘health care provider’’ reads it out of existence, violating the canon that holds interpretations giving effect to every clause of a statute are superior to those that render distinct clauses superfluous.331 Specifically, the second category of ‘‘health care provider’’ already comprises a vast array of ‘‘provider[s] of medical and other services.’’ 332 If the Commission were to interpret the third category as comprising, as the dissent recommends, only ‘‘traditional forms of health care providers,’’ this distinct provision would be entirely redundant.

The dissent’s approach also fails to give meaning to other textual differences between the second and third category. The second category in the definition of ‘‘health care provider’’ discusses a ‘‘provider’’ and ‘‘medical’’ services.333 The third category, by contrast, drops the terms ‘‘provider’’ in favor of ‘‘person furnishing’’ and drops ‘‘medical’’ in favor of ‘‘health care.’’ 334 Honoring the materially different words of the statute requires us to read these two categories as covering distinct, not entirely overlapping, entities.335 The Final Rule faithfully follows these textual markers and identifies specific services and tools that comprise ‘‘health care services or supplies.’’ 336 Contrary to this plain reading of the text, the dissent claims that Congress must have meant for this provision to apply only to ‘‘traditional forms of health care providers.’’ 337 But we cannot subordinate the text of the statute to speculative accounts of what Congress intended. The dissent also notes that the Department of Health and Human Services (‘‘HHS’’) ‘‘has never interpreted the term ‘health care provider’ to reach the expansive, creative conclusion that the Commission does today.’’ 338 HHS has, however, interpreted ‘‘health care provider,’’ and its interpretation of this term is consistent with the Commission’s definition.339 In the HIPAA Privacy Rule, HHS defines the first two categories of ‘‘health care provider’’ using the same language as the statute, but the third category is changed from ‘‘any other person furnishing health care services or supplies’’ to ‘‘any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.’’ 340 HHS also defines ‘‘health care’’ broadly, as any ‘‘care, services, or supplies related to the health of an individual.’’ 341 Notably, in its 1999 Notice of Proposed Rulemaking for the HIPAA Privacy Rule, HHS originally had proposed to define the term ‘‘health care’’ as constituting ‘‘the provision of care, services, or supplies. . . .’’ 342 But, in its final rule, HHS eliminated the concept of ‘‘provision’’ in order to distinguish the broader term of ‘‘health care’’ from the narrower term ‘‘treatment.’’ 343 HHS explained: ‘‘We delete the term ‘providing’ from the definition [of health care] to delineate more clearly the relationship between ‘treatment,’ as the term is defined in § 164.501, and ‘health care.’ ’’ 344 HHS defined ‘‘treatment,’’ in contrast to ‘‘health care,’’ as ‘‘the provision, coordination, or management of health care and related services.’’ 345 In short, HHS defines ‘‘health care’’ broadly, covering all aspects related to the health of an individual, and defines ‘‘treatment’’ more narrowly, referring to the provision of medical care to an individual. The dissent’s proposal to narrow the third category of ‘‘health care provider’’ to ‘‘traditional forms of health care providers’’ closely mirrors the approach that HHS rejected when it defined this term.346

The dissent also claims that changing the phrase ‘‘can be drawn’’ to ‘‘has the technical capacity to draw’’ violates the surplusage canon because it renders the limitation meaningless as to health apps, because ‘‘virtually every app has the technical capacity to draw some information from more than one source.’’ 347 This argument fails for two reasons. First, as the Statement of Basis and Purpose (‘‘SBP’’) explains, there are products and services that do not satisfy this requirement.348 Second, even if the definition did reach every health app, that would not itself suggest that the Final Rule’s definition was wrongly crafted. Rather, it would reflect the rapid growth in digital applications and services related to consumers’ health.349

The practical ramifications of the dissent’s legal shortcomings are significant. Just last year, the Commission brought an action against Easy Healthcare Corporation, alleging privacy violations by its fertility tracking application Premom.350 As laid out in the complaint, Premom—which encourages users to provide information about their menstrual cycles, fertility, and pregnancy, as well as to import their data from other services, such as Apple Health—shared information with advertisers and China-based companies through software development kits (‘‘SDKs’’) embedded in the application. The Commission’s eight-count complaint against Easy Healthcare reflected the seriousness of this misconduct, charging the business with deceptive and unfair practices, as well as a violation of the Health Breach Notification Rule, which triggered civil penalties.

Under the dissent’s analysis of health care services or supplies, the developer of the Premom application—Easy Healthcare—would not be covered by the Health Breach Notification Rule. This reading would mean that when companies like Easy Healthcare suffer a breach that may divulge health information to companies located in China, the Health Breach Notification Rule would not require them to disclose the breach to its users. It would also mean that when Easy Healthcare broadcasts women’s sensitive health data across the vast commercial surveillance network propped up by SDKs and ad networks, the Health Breach Notification Rule would not require Easy Healthcare to alert women. Today’s Final Rule rejects this atextual and cramped reading of the law, ensuring that businesses that hold themselves out as health care services companies—like Easy Healthcare—

314 Am. Recovery and Reinvestment Act of 2009, Public Law 111–5, 123 Stat. 115 (2009) at Sec. 13400 et seq.
315 Health Insurance Portability and Accountability Act, Public Law 104–191, 110 Stat. 1936, 2022 (1996) at Sec. 1171, codified at 42 U.S.C. 1320d.
316 Health Information Technology for Economic and Clinical Health Act, Public Law 111–5, Div. A, Title XIII, Subtitle D, sections 13401 and 13404 (codified at 42 U.S.C. 17937(a)).
317 Id. 13410(e).
318 Id. 13407(g)(1).
319 74 FR 42962 (Aug. 25, 2009).
320 Statement of the Commission on Breaches by Health Apps and Other Connected Devices (Sept. 15, 2021), https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf.
321 See, e.g., Fed. Trade Comm’n, FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising (Feb. 1, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising; Fed. Trade Comm’n, Ovulation Tracking App Premom Will be Barred from Sharing Health Data for Advertising Under Proposed FTC Order (May 17, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/05/ovulation-tracking-app-premom-will-be-barred-sharing-health-data-advertising-under-proposed-ftc.
322 Dissenting Statement of Comm’rs Melissa Holyoak and Andrew Ferguson at 1 (Apr. 25, 2024) (hereinafter ‘‘Dissent’’).
323 Health Information Technology for Economic and Clinical Health Act, Public Law 111–5, Div. A, Title XIII, Subtitle D, section 13407 (codified at 42 U.S.C. 17937(a)).
324 42 U.S.C. 17937(f)(2).
325 42 U.S.C. 1320d(6).
326 See 42 U.S.C. 1395x(u) (‘‘The term ‘‘provider of services’’ means a hospital, critical access hospital, rural emergency hospital, skilled nursing facility, comprehensive outpatient rehabilitation facility, home health agency, hospice program, or, for purposes of section 1395f(g) and section 1395n(e) of this title, a fund.’’).
327 42 U.S.C. 1395x(s) (listing a vast array of services, tests, supplies, and measurements, comprising over 2000 words and 15 categories, one of which has over 30 subcategories).
328 42 U.S.C. 1320d(3) (emphasis added).
329 HBNR Final Rule § 318.2(e).
330 Dissent at 2 (‘‘When a statute contains a list, ‘‘each word in that list presumptively has a ‘similar’ meaning’’ under the canon of noscitur a sociis. And when a general term follows a list of specific terms, the ejusdem generis canon teaches that the general term ‘‘should usually be read in light of those specific words to mean something ‘similar.’ ’’ Together, these canons instruct that the final category of health care provider that includes the general term ‘‘other person’’ must be similar to the more specific terms that precede it.’’ (citations omitted)).
331 Marx v. Gen. Revenue Corp., 568 U.S. 371, 386 (2013) (Thomas, J.) (‘‘Finally, the canon against surplusage is strongest when an interpretation would render superfluous another part of the same statutory scheme.’’).
332 42 U.S.C. 1320(d)(3) (citing 42 U.S.C. 1395x(u)).
333 42 U.S.C. 1320(d)(3).
334 Id.
335 See Southwest Airlines Co. v. Saxon, 596 U.S. 450, 458 (2022) (Thomas, J.) (‘‘Where a document has used one term in one place, and a materially different term in another, the presumption is that the different term denotes a different idea’’ (cleaned up)).
336 In addition to defining this term by identifying specific services, the Final Rule actually also narrowed the definition originally proposed in the NPRM, by eliminating ‘‘includes’’ from the definition. SBP at 27 (‘‘[T]he Commission has substituted the word ‘means’ for ‘includes’ to avoid implying greater breadth than the Commission intends.’’).
337 Dissent at 3. This rejection of the text of the statute, in favor of vague speculation about what Congress intended, mirrors the argument advanced by the Chamber of Commerce (‘‘the Chamber’’). The Chamber purports to rely on a ‘‘plain text reading’’ of the statute but immediately switches—in the very same sentence—to vague notions of Congressional intent: ‘‘It is clear from a plain text reading of both the HITECH Act and HIPPA [sic] that Congress intended for the HBNR to cover health records more aligned with the provision of health services provided by traditional health providers at a time when it was attempting to digitize traditional health records.’’ Comment submitted by U.S. Chamber of Com., Health Breach Notification Rule, Regulations.gov (Aug. 8, 2023) at 3, https://www.regulations.gov/comment/FTC-2023-0037-010.
338 Dissent at 3.
339 That the HIPAA Privacy rule has a narrower overall scope does not change this fact.
340 45 CFR 160.103.
341 Id. (emphasis added). The dissent asserts that we ‘‘mischaracterize[] the HIPAA Privacy Rule, which only applies to HIPAA ‘covered entities’ and their ‘business associates,’—i.e., to traditional health care providers, that do not include the broad swath of app developers the Final Rule will encompass.’’ Dissent at 4 n.24 (internal citations omitted). It is not clear how this qualifies as a mischaracterization. Indeed, this is precisely the stated purpose of the Health Breach Notification Rule: To cover entities that HIPAA does not. The dissent also notes that we fail to recognize that HHS provides two examples of ‘‘health care.’’ But, HHS expressly states that the definition ‘‘includes, but is not limited to’’ these categories. 45 CFR 160.103. In any case, the breadth of these categories further underscores the expansive scope of HHS’s definition of health care. Id.
342 Proposed Rule, Standards for Privacy of Individually Identifiable Health Information, 64 FR 59918, 60049 (Nov. 3, 1999) (emphasis added).
343 65 FR 82462, 82477.
344 Id.
345 45 CFR 164.501.
346 Dissent at 2.
347 Dissent at 4.
348 SBP at 29–30.
349 The dissent’s argument anachronistically assumes that Congress intended for the Rule to cover some health apps, but not other health apps. But, in fact, the Apple and Google app stores were in their infancy when Congress drafted this legislation in 2009, and so there is no indication that Congress was thinking about specific health apps at all. To the extent the dissent’s argument is that Congress simply did not anticipate the vast number of products that would end up covered by the broad category of ‘‘supplies and services,’’ it is not within the Commission’s authority to re-write the statute based on the Commission’s belief of what Congress would have wanted. MCI Telecomms. Corp. v. Am. Telephone & Telegraph Co., 512 U.S. 218, 229 (1994) (holding that FCC’s authority to ‘‘modify’’ does not extend to eliminating altogether a statutory requirement).
350 Press Release, Fed.
Trade Comm’n, Ovulation Tracking App Premom Will be Barred from Sharing Health Data for Advertising Under Proposed FTC Order (May 17, 2023), https://www.ftc.gov/newsevents/news/press-releases/2023/05/ovulationtracking-app-premom-will-be-barred-sharinghealth-data-advertising-under-proposed-ftc. 349 The E:\FR\FM\30MYR2.SGM 30MYR2 Federal Register / Vol. 89, No. 105 / Thursday, May 30, 2024 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES2 are considered ‘‘health care services’’ companies under the law. Lastly, the dissent claims that the Final Rule introduces ambiguity where previous there was none. But GoodRx suggests otherwise. In a unanimous action, the Commission charged GoodRx with making unauthorized disclosures of people’s health data to Facebook and Google, among others.351 GoodRx, meanwhile, disputed the applicability of the HBNR to its practices, calling it a ‘‘novel’’ application.352 By codifying how HBNR applies to online platforms and applications, today’s Final Rule provides market participants with more clarity about what entities are covered— thereby providing greater certainty and notice.353 GoodRx marked the first time the Commission had ever enforced the Health Breach Notification Rule. A top priority for us at the Commission is ensuring we are faithfully discharging our statutory duties, rather than letting the authorities that Congress has granted us sit dormant, and we are proud of the work the Commission and the staff are doing to take care that the full set of laws assigned to the FTC are being faithfully executed.354 We agree with the 351 Press Release, Fed. Trade Comm’n, FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising (Feb. 1, 2023), https://www.ftc.gov/news-events/ news/press-releases/2023/02/ftc-enforcementaction-bar-goodrx-sharing-consumers-sensitivehealth-info-advertising; See also, Concurring Statement of Comm’r Christine S. Wilson, GoodRx Holdings, Inc. (Feb. 
1, 2023), https://www.ftc.gov/ system/files/ftc_gov/pdf/2023090_goodrx_final_ concurring_statement_wilson.pdf (‘‘Today’s settlement marks the first enforcement matter in which the FTC has invoked the HBNR. I congratulate staff on this important step—the agency rightly is focused on protecting the privacy of sensitive health data and empowering consumers to make informed choices about the goods and services they use.’’); see also id. at 5 (describing the GoodRx case as ‘‘an important milestone in the Commission’s privacy work.’’). The dissent suggests that Commissioners Holyoak and Ferguson would have supported the application of HBNR to GoodRx. 352 See GoodRx, GoodRx Response to FTC Settlement (Feb. 1, 2023) (‘‘We believe this is a novel application of the Health Breach Notification Rule by the FTC. . . . We do not agree with the assertion that this was a violation of the HBNR.’’). 353 The dissent concedes that it does support an update to the rule that provides more clarity—and specifically an update that provides clarity to show that the rule covers GoodRx. Dissent at 7 (‘‘I would support changes to the Rule that clarify the Rule’s application to companies like GoodRx.’’). That is precisely what today’s Final Rule does. Previously, the rule did not define ‘‘health care services or supplies,’’ and today’s Final Rule does. Previously, health apps like GoodRx stated that it was unclear whether the rule applies to them, and today’s Final Rule makes clear that it does. This concession from the dissent suggests a more modest disagreement with the contours of how the Rule defines ‘‘health care services or supplies,’’ though—notably—the dissent does not provide an alternative definition. 354 See, e.g., Press Release, Fed. 
Trade Comm’n, FTC Hits R360 and its Owner With $3.8 Million Civil Penalty Judgment for Preying on People Seeking Treatment for Addiction (May 17, 2022), https://www.ftc.gov/news-events/news/pressreleases/2022/05/ftc-hits-r360-its-owner-38-millioncivil-penalty-judgment-preying-people-seeking- VerDate Sep<11>2014 20:09 May 29, 2024 Jkt 262001 dissent that we must look out for the institutional integrity of the Commission. Failing to use the full scope of our statutory tools to protect Americans—and failing to update our application of these tools even as technologies change—would undermine the agency’s integrity and credibility alike. We are deeply grateful to the Division of Privacy and Identity Protection for leading the Commission’s work to activate the Health Breach Notification Rule and for finalizing this Rule update. In an environment rife with new and evolving threats to Americans’ health data, ensuring we are faithfully harnessing all of our statutory tools to protect people from data breaches is paramount. Dissenting Statement of Commissioner Melissa Holyoak, Joined by Commissioner Andrew Ferguson The Health Breach Notification Rule (‘‘Final Rule’’) that the Commission adopts today exceeds the Commission’s statutory authority, puts companies at risk of perpetual non-compliance, and opens the Commission to legal challenge that could undermine its institutional integrity. I share the majority’s goal of protecting the privacy and security of consumers’ identifiable health information,1 treatment-addiction (the Commission’s first action brought under the Opioid Addiction Recovery Fraud Prevention Act); Harris Jewelry, Press Release, Fed. Trade Comm’n, FTC and 18 States Sue to Stop Harris Jewelry from Cheating Military Families with Illegal Financing and Sales Tactics (Jul. 
20, 2022), https://www.ftc.gov/news-events/ news/press-releases/2022/07/ftc-18-states-sue-stopharris-jewelry-cheating-military-families-illegalfinancing-sales-tactics (the Commission’s first action brought under the Military Lending Act); Press Release, Fed. Trade Comm’n, Smart Home Monitoring Company Vivint Will Pay $20 Million to Settle FTC Charges That It Misused Consumer Credit Reports (Apr. 29, 2021), https://www.ftc.gov/ news-events/news/press-releases/2021/04/smarthome-monitoring-company-vivint-will-pay-20million-settle-ftc-charges-it-misused-consumer (the Commission’s first action brought under the Red Flags Rule, brought under Acting Chair Slaughter); Press Release, Fed. Trade Comm’n, FTC Sues Burger Franchise Company That Targets Veterans and Others With False Promises and Misleading Documents (Feb. 8, 2022), https://www.ftc.gov/ news-events/news/press-releases/2022/02/ftc-suesburger-franchise-company-targets-veterans-othersfalse-promises-misleading-documents (the Commission’s first action under the Franchise Rule since 2007); Press Release, Fed. Trade Comm’n, FTC Issues Rule to Deter Rampant Made in USA Fraud (Jul. 1, 2021), https://www.ftc.gov/newsevents/news/press-releases/2021/07/ftc-issues-ruledeter-rampant-made-usa-fraud (issuance of the Made in the USA Rule, more than 25 years after Congress authorized the Commission to promulgate a rule). 1 Like the majority, and other Commissioners before me, I support federal privacy legislation, particularly where such legislation could address gaps in sector-specific laws and level the playing field for companies navigating a patchwork of laws. And like the majority, and other Commissioners before me, I care deeply about protecting the privacy and security of consumers’ health information, particularly where it falls outside the bounds of the Health Insurance Portability and Accountability Act (‘‘HIPAA’’). For more than two decades, the FTC has been in a leader in protecting consumers’ health information. 
See, e.g., Eli Lilly, FTC File No. 0123214 (May 10, 2002), https:// www.ftc.gov/legal-library/browse/casesproceedings/012-3214-eli-lilly-company-matter. I PO 00000 Frm 00035 Fmt 4701 Sfmt 4700 47061 and I support vigorous enforcement of laws protecting sensitive personal information with which Congress has entrusted the FTC.2 I would support finalizing a rule that extends and clarifies the scope of the Commission’s enforcement in this important area of consumer protection if that rule were consistent with our grant of authority from Congress. But, no matter how the majority attempts to shoehorn its desired policy goal into a ‘‘plain reading’’ of the statute,3 I cannot support a rule that exceeds the bounds Congress clearly established. Indeed, a core principle guiding my tenure at the Commission will be that our rules must effectuate the law as it is—not as the Commission may wish it to be. For these reasons, I respectfully dissent. The American Recovery and Reinvestment Act of 2009 (‘‘Recovery Act’’) 4 authorized the Commission to issue a rule requiring vendors of ‘‘personal health records’’ (‘‘PHRs’’) and related entities that are not covered by HIPAA to notify individuals and the FTC of a ‘‘breach of security’’ of ‘‘unsecured PHR identifiable health information.’’ 5 The Commission issued the Health Breach Notification Rule in 2009,6 initiated a routine review of the Rule in 2020,7 issued a policy statement re-interpreting the then-current Rule in 2021 (‘‘2021 Policy Statement’’),8 issued a Notice of Proposed Rulemaking on June 9, 2023 (‘‘NPRM’’),9 and today issues the Final Rule.10 I am encouraged that today the Commission is acting by rulemaking, as authorized by statute and following a period of notice and comment that elicited a range of views, rather than acting by fiat in a policy statement, as the Commission did in 2021.11 I cannot endorse any policy statement that either displaces Congress’s authority to make law or subverts the rulemaking process. 
The 2021 Policy Statement did both. The majority clearly recognizes this overreach. After all, if the 2021 Policy Statement had any force, today’s rulemaking would be unnecessary. Setting aside this troubling history, I turn to the Final Rule itself, which, unfortunately, I find equally troubling in its extension beyond the parameters established by Congress. look forward to continuing the Commission’s important work in this area. 2 See, e.g., Children’s Online Privacy Protection Rule, 16 CFR part 312, as authorized by the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. 6501 et seq. 3 Joint Statement of Chair Lina M. Khan, Comm’r Rebecca Kelly Slaughter, and Comm’r Alvaro M. Bedoya at 2 (Apr. 24, 2024) (‘‘Majority Statement’’). 4 Am. Recovery and Reinvestment Act of 2009, Public Law 111–5, 123 Stat. 115 (2009). 5 42 U.S.C. 17937(a), (g). 6 74 FR 42962 (Aug. 25, 2009). 7 85 FR 31085 (May 22, 2020). 8 See Statement of the Comm’n on Breaches by Health Apps and Other Connected Devices (Sept. 15, 2021), https://www.ftc.gov/system/files/ documents/public_statements/1596364/statement_ of_the_commission_on_breaches_by_health_apps_ and_other_connected_devices.pdf (‘‘2021 Policy Statement’’). 9 88 FR 37819 (June 9, 2023). 10 See Statement of Basis and Purpose (‘‘SBP’’) accompanying the Final Rule, Section I (summarizing procedural history). 11 See 2021 Policy Statement, supra note 8. E:\FR\FM\30MYR2.SGM 30MYR2 47062 Federal Register / Vol. 89, No. 105 / Thursday, May 30, 2024 / Rules and Regulations Some background first. Under the Recovery Act, PHR identifiable health information means ‘‘individually identifiable health information,’’ as defined by the Social Security Act, 42 U.S.C. 
1320d(6).12 The Social Security Act defines ‘‘individually identifiable health information’’ as information that is ‘‘created or received by a health care provider, health plan, employer, or health care clearinghouse.’’ 13 The Social Security Act then defines ‘‘health care provider’’ to include three categories: ‘‘[1] a provider of services (as defined in section 1395x(u) of this title), [2] a provider of medical or other health services (as defined in section 1395x(s) of this title), and [3] any other person furnishing health care services or supplies.’’ 14 The Commission takes liberties with the final category in that definition (‘‘any other person furnishing health care services or supplies’’) to adopt a new, capacious definition of ‘‘covered health care provider’’ and a new, similarly capacious definition of ‘‘health care services and supplies,’’ whose joint effect is to sweep a large swath of apps and app developers under the purview of the Final Rule. These expansive definitions are not consistent with the statute. Under longstanding principles of statutory interpretation, the final category of provider (‘‘any other person . . .’’) must be understood in relation to the first two categories (‘‘provider of services’’ and ‘‘provider of medical or other health services’’).15 When a statute contains a list, ‘‘each word in that list presumptively has a ‘similar’ meaning’’ under the canon of noscitur a sociis.16 And when a general term follows a list of specific terms, the ejusdem generis canon teaches that the general term ‘‘should usually be read in light of those specific words to mean something ‘similar.’ ’’ 17 Together, these canons instruct that the final category of health care provider that includes the general term ‘‘other person’’ must be similar to the more specific terms that precede it. 
The first two categories of health care provider incorporate the definitions of sections 1395x(u) and 1395x(s) of the Social Security Act, respectively.18 The first category of provider includes ‘‘a hospital, critical access hospital, rural emergency hospital, skilled nursing facility, comprehensive outpatient rehabilitation facility, home health agency, hospice program, or . . . a fund.’’ 19 The second category of provider includes an extensive list (section 1395x(s) includes 17 paragraphs and over 35 subparagraphs) of medical professionals including physicians, physician assistants, nurse practitioners, clinical psychologists, clinical social workers, and others, and the specific services administered by medical professionals.20 These two categories comprise traditional forms of health care providers. The final category, addressing ‘‘any other person furnishing health care services or supplies,’’ must therefore only include persons that are ‘‘similar in nature’’ to these first two categories.21 The majority argues that my ‘‘effort to cabin the third category . . . reads it out of existence, violating the canon that holds interpretations giving effect to every clause of a statute are superior to those that render distinct clauses superfluous.’’ 22 This application of the canon is incorrect. Requiring similarity among categories does not result in superfluity; it merely prevents interpretations that extend beyond what the text permits. A catch-all’s limited application due to its context is not a reason to expand that phrase to encompass dissimilar applications. 
The Final Rule’s definition of ‘‘covered health care provider’’ is not remotely similar, because it incorporates a new, astonishingly broad definition of ‘‘health care services or supplies,’’ which means ‘‘any online service such as a website, mobile application, or internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.’’ 23 Thus, the Commission transforms ‘‘health care provider,’’ which both under common usage and in context of the statutory provision means entities such as physicians and hospitals, to now include any company ‘‘furnishing’’ a health-related app.24 As a result, the Final Rule creates a tautology: Health app developers may be ‘‘vendors of personal health records’’ by offering an app containing health information that has been created or received by a health care provider, 19 42 U.S.C. 17937(f)(2). 13 42 U.S.C. 1320d(6). 14 Id. 1320d(3). 15 See Yates v. United States, 574 U.S. 528, 549– 51 (2015) (Alito, J., concurring); Antonin Scalia & Bryan A. Garner, Reading Law: The Interpretation of Legal Texts 195–196,199–200 (2012). 16 Yates, 574 U.S. at 549. 17 Id. at 550. 18 42 U.S.C. 1320d(3). ddrumheller on DSK120RN23PROD with RULES2 12 42 VerDate Sep<11>2014 20:09 May 29, 2024 Jkt 262001 U.S.C. 1395x(u). 1395x(s). 21 Yates, 574 U.S. at 545 (internal quotation marks omitted). 22 Majority Statement at 2. 23 Final Rule at 98. 24 The SBP explains that an app developer (or any company ‘‘furnishing’’ a health app) would be covered as a health care provider because its health app is a health care service or supply. SBP at 7, 22– 28. 20 Id. 
PO 00000 Frm 00036 Fmt 4701 Sfmt 4700 where the health app developer is itself the health care provider that creates or receives that health information by virtue of offering the app. Notably, even though the Department of Health and Human Services (‘‘HHS’’) interprets this same provision of the Social Security Act, HHS has—notwithstanding the majority’s assertion to the contrary 25—never interpreted the term ‘‘health care provider’’ to reach the expansive, creative conclusion that the Commission does today.26 The majority’s argument misstates the scope and language of the HIPAA Privacy Rule, which only applies to HIPAA ‘‘covered entities’’ and their ‘‘business associates,’’ 27—i.e., to traditional health care providers that do not include the broad swath of app developers the Final Rule will encompass. Significantly, the majority omits from its characterization of the term ‘‘health care’’ HHS’s own illustrations of that term, which highlight the proximity to traditional forms of health care by different kinds of medical professionals: (1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and (2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.28 The Majority Statement repeatedly says that HHS defines ‘‘health care’’ broadly,29 but the language it cites provides no such support. 
Aware of this incongruency, the Commission seeks to differentiate its use of ‘‘health care provider’’ from that of ‘‘other government agencies.’’ 30 Yet the Commission provides no explanation why its definition should differ, particularly where it is unclear whether the Commission has interpretative authority over the Social Security Act’s definition of health care provider and where other agencies are delegated such interpretative authority.31 25 Majority Statement at 3. NPRM at 37823. 27 45 CFR 160.102 through 103. 28 Id. § 160.103. 29 Majority Statement at 3–4. 30 SBP at 26. 31 Id. at 13 (noting that HHS interprets these provisions of the Social Security Act). Cf. City of Arlington, Tex. v. F.C.C., 569 U.S. 290, 323 (2013) (Roberts, C.J., dissenting) (‘‘When presented with an agency’s interpretation of such a statute, a court cannot simply ask whether the statute is one that the agency administers; the question is whether authority over the particular ambiguity at issue has been delegated to the particular agency.’’). 26 See E:\FR\FM\30MYR2.SGM 30MYR2 Federal Register / Vol. 89, No. 105 / Thursday, May 30, 2024 / Rules and Regulations The Commission also takes troubling liberties with the statute’s definition of ‘‘personal health record,’’ which are evident from a side-by-side comparison of the statute and the Final Rule: Recovery act Final rule ‘‘an electronic record of PHR identifiable health information . . . on an individual that can be drawn from multiple sources and is managed, shared, and controlled by or primarily for the individual.’’ 32. 
‘‘an electronic record of PHR identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual.’’ 33 Under the Final Rule, a PHR need not actually draw health information from multiple sources, as the statute contemplates (because the statutory phrase ‘‘that can be drawn’’ modifies its immediate antecedent, ‘‘health information’’). Rather, under the Final Rule, a single source of health information will render an app a PHR as long as the ‘‘PHR’’ has the ‘‘technical capacity’’ to draw some other information elsewhere.34 The implications of this change, in conjunction with the expansion of ‘‘health care provider,’’ are significant. Any retailer that offers an app that tracks health-related purchases (e.g., bandages, vitamins, dandruff shampoo) may be a vendor of a PHR covered by the Rule if the app draws health information (e.g., purchasing information) from the consumer and the app has the ‘‘technical capacity’’ to draw any information from any other source. As the Statement of Basis and Purpose notes, commenters warned that virtually every app has the technical capacity to draw some information from more than one source.35 That expansive scope could be appropriate if Congress’s language permitted it. 
But the Commission’s interpretation, which effectively renders the Recovery Act’s ‘‘multiple sources’’ requirement meaningless, ignores longstanding principles of statutory interpretation that require each provision of a statute to be given effect.36 The Commission’s expansive definitions of ‘‘covered health care provider,’’ ‘‘health care services and supplies,’’ and ‘‘personal health record’’ have a profound effect on the scope of the Rule: Most companies that offer or disseminate health-related apps or similar products would be treated as ‘‘covered health care providers’’ that therefore hold ‘‘PHR identifiable health information’’ in their apps (i.e., PHRs), such that they are vendors of PHRs—even if their app is merely healthadjacent. Remarkably, the Commission imposes no limit on this extraordinary breadth in the Rule itself. Rather, in a post-NPRM attempt to check the scope, the Commission fashions a limiting principle: Apps are covered only if they are ‘‘more than tangentially relating to health.’’ 37 This extra-statutory, extra32 42 U.S.C. 17921(11). Rule at 99. 34 See SBP at 32 (‘‘Next, adding the phrase ‘technical capacity to draw information’ clarifies that a product is a personal health record if it can draw any information from multiple sources, even if it only draws health information from one source.’’). 35 See id. at 34. 36 Scalia & Garner, supra note 15 at 174 (discussing surplusage canon). 37 SBP at 28. 33 Final ddrumheller on DSK120RN23PROD with RULES2 47063 VerDate Sep<11>2014 20:09 May 29, 2024 Jkt 262001 regulatory limit has several significant problems. First, if the majority were correct, from where would it draw the authority to impose this ‘‘more than tangentially relating to health’’ limitation? If Congress in fact commanded us to cover all the apps the majority claims, this extra-textual limitation would be beyond our power to impose.38 Why, then, does the majority blink in the face of what it understands Congress to have required? 
There may be good policy reasons not to follow Congress’s language—as the majority understands it—wherever it leads, but we do not have power to shortchange Congress’s commands. That even the majority feels compelled to adopt this extratextual limitation—again, as the majority understands the text—on the statute’s reach suggests that the language probably does not mean what the majority says. The second problem is substantive: What does this language mean? When does an app cross the line between tangentially related to health and more than tangentially related? If a gas station with a loyalty app sells Advil, is the app only tangentially related to health and outside the Final Rule’s purview? If the gas station adds Robitussin and pregnancy tests to its inventory, does it cross the line to more than tangentially related to health? If a clothing store with an e-commerce app sells a handful of maternity shirts, is the app only tangentially related to health? If the store adds more maternity clothes, nursing bras, and some anti-nausea ginger tea to its in-app offerings, is the app more than tangentially related to health? If vitamins, over-the-counter medicines, acne creams, bandages, and similar items comprise 0.1% or 1% or 10% of a superstore’s inventory, when is the retailer’s e-commerce app more than tangentially related to health? I see no clear answers to any of these hypotheticals in today’s Final Rule, which suggests that the marketplace will see no clear answers either.39 The third problem is procedural. The Commission did not propose this ambiguous 38 See Nat’l Fed’n of Indep. Business v. Dep’t of Labor, 595 U.S. 109, 117 (2022) (per curiam) (‘‘Administrative agencies are creatures of statute. They accordingly possess only the authority that Congress has provided.’’). 39 The expansive coverage increases the likelihood of creating unintended consequences. 
    Will the gas station decline to add over-the-counter medicines to its inventory to avoid crossing the line of ‘‘more than tangentially related to health’’? Will the clothing retailer shy away from maternity apparel? Will the e-commerce giant avoid selling bandages and dandruff shampoo? These potentially detrimental outcomes undermine a Rule intended to benefit consumers.
    but impactful limitation in a Notice of Proposed Rulemaking—likely because there is no statutory basis for this newly-created language. Rather, it introduces this crucial concept for the first time in a Statement of Basis and Purpose (a purely interpretive document) as a post hoc fix to the problem the Commission itself created with its expansive definitions. As a result, the Commission did not provide notice or receive public comment on the efficacy or propriety of this limitation, depriving the public of its opportunity to meaningfully participate in the rulemaking process and depriving itself of potentially valuable input from commenters.
    The final problem is that this post hoc, extra-regulatory limitation renders the Commission’s burden analysis inadequate. The Paperwork Reduction Act (‘‘PRA’’) requires the Commission to estimate the reportable breaches by entities covered by the Rule and compliance costs.\40\ The Regulatory Flexibility Act (‘‘RFA’’) requires the Commission to assess the economic impact on small businesses.\41\ Apparently relying on the SBP’s ‘‘more than tangentially related to health’’ limitation, the PRA and RFA analyses only address breaches by apps categorized as ‘‘Health and Fitness.’’ \42\ Because the Rule itself contains no such limitation, general retailers with e-commerce apps, gas stations with loyalty apps, and other similar generalists that sell any health-related items do not factor into these analyses. As a result, they likely dramatically underestimate the numbers of regulated entities, number of breaches, and costs to businesses.
    Perhaps the breadth of the Final Rule would be more of a theoretical than practical concern to businesses, if they could adopt practices sufficient to avoid any breach that would trigger notice obligations under the Final Rule, or, in the event of a breach, err on the side of notification. But § 318.3(b) of the Final Rule imposes affirmative obligations on companies to notify their service providers if they are covered by the Final Rule, regardless of whether they experience a breach.\43\ To comply with this requirement, companies must know whether they are covered by the Rule—that is, which side of ‘‘more than tangentially relating to health’’ they fall on. Without clarity on that line, companies run the risk of being in perpetual violation of the Final Rule and, therefore, perpetually at the mercy of the Commission’s enforcement discretion. The Commission, at this moment, may not intend to pursue such technical violations. But any expression of intended restraint will be cold comfort to companies that have seen the Commission’s self-imposed restraint wax and wane in other areas.\44\
    I find the majority’s liberties with the statute particularly troubling because they are unnecessary to reach health apps. Indeed, the Commission’s own recent enforcement action against digital healthcare platform GoodRx makes that clear.
    Only last year, a bipartisan Commission applied the 2009 Rule to GoodRx’s online platform and app because the company received identifiable health information on prescription medications (among other things) from pharmacy benefit managers and pharmacies, among other sources, so that consumers could manage their information.\45\ The majority argues that today’s changes are necessary to provide clarity to the market about the Rule’s scope,\46\ but GoodRx has already done that—and I would support changes to the Rule that are consistent with the statute.
    In short, I agree with the majority’s goals—safeguarding consumers’ sensitive health information and implementing a Congressional mandate to put consumers on notice of the breach of that data—but I believe that we must effectuate those goals within the scope of the law as it is, rather than legislating in the guise of applying the law. The FTC is a venerable institution that does vital work to protect consumers and promote competition, thanks to its hardworking and devoted career staff. I commend the staff attorneys, economists, and technologists who worked on the rule for their careful and thoughtful consideration of difficult issues.
    Ultimately, while I am sympathetic to the majority’s goal, I fear that adopting a Final Rule that is irreconcilable with the statute and that puts companies in an untenable position puts the Commission at risk. Legal challenges may undermine the Commission’s institutional integrity, and Congress may be reluctant to trust the Commission with other authority—even the much-needed authority to protect the privacy of consumers’ sensitive personal information. I therefore respectfully dissent.
---------------------------------------------------------------------------

    \40\ See generally 44 U.S.C. 3501 et seq.; SBP at 86.
    \41\ 5 U.S.C. 601 through 612.
    \42\ SBP at 86, 93.
    \43\ This may have been a sensible requirement in 2009, when the scope of the Rule was much narrower, but it has dramatic consequences in this much-expanded Rule.
    \44\ Significantly, the Majority Statement is silent as to the propriety and consequences of its ‘‘tangentially related’’ limiting principle, likely because this approach is indefensible.
    \45\ See Concurring Statement of Commissioner Christine S. Wilson, GoodRx, Matter No. 2023090 1 n.2 (Feb. 1, 2023) (‘‘GoodRx has violated the HBNR based on a plain reading of the text, setting aside any gloss the Commission sought to add in its September 2021 Statement on Breaches by Health Apps and Other Connected Devices.’’), https://www.ftc.gov/system/files/ftc_gov/pdf/2023090_goodrx_final_concurring_statement_wilson.pdf.
    \46\ Majority Statement at 5.
---------------------------------------------------------------------------

[FR Doc. 2024–10855 Filed 5–29–24; 8:45 am]
BILLING CODE 6750–01–P

[Federal Register Volume 89, Number 105 (Thursday, May 30, 2024)]
[Rules and Regulations]
[Pages 47028-47064]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-10855]



[[Page 47027]]

Vol. 89, No. 105, Thursday, May 30, 2024, Part III

Federal Trade Commission: 16 CFR Part 318, Health Breach Notification 
Rule; Final Rule


[[Page 47028]]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 318

RIN 3084-AB56


Health Breach Notification Rule

AGENCY: Federal Trade Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') is 
amending the Commission's Health Breach Notification Rule (the ``HBN 
Rule'' or the ``Rule''). The HBN Rule requires vendors of personal 
health records (``PHRs'') and related entities that are not covered by 
the Health Insurance Portability and Accountability Act (``HIPAA'') to 
notify individuals, the FTC, and, in some cases, the media of a breach 
of unsecured personally identifiable health data.

DATES: The amendments are effective July 29, 2024.

ADDRESSES: Relevant portions of the record of this proceeding, 
including this document, are available at https://www.ftc.gov and 
https://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Ryan Mehm, (202) 326-2918, 
[email protected], and Ronnie Solomon, (202) 326-2098, [email protected], 
Bureau of Consumer Protection, Federal Trade Commission.

SUPPLEMENTARY INFORMATION: The amendments: (1) clarify the Rule's 
scope, including its coverage of developers of many health applications 
(``apps''); (2) clarify what it means for a vendor of personal health 
records to draw PHR identifiable health information from multiple 
sources; (3) revise the definition of breach of security to clarify 
that a breach of security includes data security breaches and 
unauthorized disclosures; (4) revise the definition of PHR related 
entity; (5) modernize the method of notice; (6) expand the content of 
the notice; (7) alter the Rule's timing requirement for notifying the 
FTC of a breach of security; and (8) improve the Rule's readability by 
clarifying cross-references and adding statutory citations, 
consolidating notice and timing requirements, articulating the 
penalties for non-compliance, and incorporating a small number of non-
substantive changes.

I. Background

    Congress enacted the American Recovery and Reinvestment Act of 2009 
(``Recovery Act'' or ``the Act''),\1\ in part to advance the use of 
health information technology and, at the same time, strengthen privacy 
and security protections for health information. Recognizing that 
certain entities that hold or interact with consumers' personal health 
records were not subject to the privacy and security requirements of 
HIPAA,\2\ Congress created requirements for such entities to notify 
individuals, the Commission, and, in some cases, the media of the 
breach of unsecured identifiable health information from those records.
---------------------------------------------------------------------------

    \1\ Am. Recovery and Reinvestment Act of 2009, Public Law 111-5, 
123 Stat. 115 (2009).
    \2\ Health Ins. Portability and Accountability Act, Public Law 
104-191, 110 Stat. 1936 (1996).
---------------------------------------------------------------------------

    Specifically, section 13407 of the Recovery Act created certain 
protections for ``personal health records'' or ``PHRs,'' \3\ electronic 
records of PHR identifiable health information on an individual that 
can be drawn from multiple sources and that are managed, shared, and 
controlled by or primarily for the individual.\4\ Congress recognized 
that vendors of personal health records and PHR related entities (i.e., 
companies that offer products and services through PHR websites or 
access information in or send information to personal health records) 
were collecting consumers' health information but were not subject to 
the privacy and security requirements of HIPAA. Accordingly, the 
Recovery Act directed the FTC to issue a rule requiring these non-HIPAA 
covered entities, and their third party service providers, to provide 
notification of any breach of unsecured PHR identifiable health 
information. The Commission issued its Rule implementing these 
provisions in 2009.\5\ FTC enforcement of the Rule began on February 
22, 2010.
---------------------------------------------------------------------------

    \3\ 42 U.S.C. 17937.
    \4\ 42 U.S.C. 17921(11).
    \5\ 74 FR 42962 (Aug. 25, 2009) (``2009 Final Rule'').
---------------------------------------------------------------------------

    The Rule the Commission issued in 2009 (``2009 Rule'') requires 
vendors of personal health records and PHR related entities to provide: 
(1) notice to consumers whose unsecured PHR identifiable health 
information has been breached; (2) notice to the Commission; and (3) 
notice to prominent media outlets \6\ serving a State or jurisdiction, 
in cases where 500 or more residents are confirmed or reasonably 
believed to have been affected by a breach.\7\ The Rule also requires 
third party service providers (i.e., those companies that provide 
services such as billing, data storage, attribution, or analytics) to 
vendors of personal health records and PHR related entities to provide 
notification to such vendors and entities following the discovery of a 
breach.\8\
---------------------------------------------------------------------------

    \6\ The Recovery Act does not limit this notice to particular 
types of media. Thus, an entity can satisfy the requirement to 
notify ``prominent media outlets'' by, for example, disseminating 
press releases to a number of media outlets, including internet 
media in appropriate circumstances, where most of the residents of 
the relevant State or jurisdiction get their news. This will be a 
fact-specific inquiry that will depend on what media outlets are 
``prominent'' in the relevant jurisdiction. 74 FR 42974.
    \7\ 16 CFR 318.3, 318.5.
    \8\ Id. Sec.  318.3(b).
---------------------------------------------------------------------------

    The 2009 Rule requires notice to individuals ``without unreasonable 
delay and in no case later than 60 calendar days'' after discovery of a 
data breach.\9\ If the breach affects 500 or more individuals, notice 
to the FTC must be provided ``as soon as possible and in no case later 
than ten business days'' after discovery of the breach.\10\ The FTC 
makes available a standard form for companies to use to notify the 
Commission of a breach,\11\ and posts a list of breaches involving 500 
or more individuals on its website.\12\
---------------------------------------------------------------------------

    \9\ Id. Sec.  318.4(a).
    \10\ Id. Sec.  318.5(c).
    \11\ Fed. Trade Comm'n, Notice of Breach of Health Information, 
https://www.ftc.gov/system/files/documents/rules/health-breach-notification-rule/health_breach_form.pdf.
    \12\ Fed. Trade Comm'n, Notices Received by the FTC Pursuant to 
the Health Breach Notification Rule, https://www.ftc.gov/system/files/ftc_gov/pdf/Health%20Breach%20Notices%20Received%20by%20the%20FTC.pdf (last 
visited Dec. 2, 2022).
---------------------------------------------------------------------------

    The 2009 Rule applies only to breaches of ``unsecured'' health 
information, which the Rule defines as health information that is not 
secured through technologies or methodologies specified by the 
Department of Health and Human Services (``HHS''). The Rule does not 
apply to businesses or organizations covered by HIPAA.\13\ HIPAA-
covered entities and their ``business associates'' must instead comply 
with HHS's breach notification rule.\14\
---------------------------------------------------------------------------

    \13\ Per HHS guidance, electronic health information is 
``secured'' if it has been encrypted according to certain 
specifications set forth by HHS, or if the media on which electronic 
health information has been stored or recorded is destroyed 
according to HHS specifications. See 74 FR 19006; see also U.S. 
Dep't of Health & Human Servs., Guidance to Render Unsecured 
Protected Health Information Unusable, Unreadable, or Indecipherable 
to Unauthorized Individuals (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/. PHR 
identifiable health information would be considered ``secured'' if 
such information is disclosed by, for example, a vendor of personal 
health records, to a PHR related entity or a third party service 
provider, in an encrypted format meeting HHS specifications, and the 
PHR related entity or third party service provider stores the data 
in an encrypted format that meets HHS specifications and also stores 
the encryption and/or decryption tools on a device or at a location 
separate from the data.
    \14\ 45 CFR 164.400 through 164.414.

---------------------------------------------------------------------------

[[Page 47029]]

    Since the Rule's issuance, apps and other direct-to-consumer health 
technologies, such as fitness trackers and wearable blood pressure 
monitors, have become commonplace.\15\ Further, as an outgrowth of the 
COVID-19 pandemic, consumer use of such health-related technologies has 
increased significantly.\16\
---------------------------------------------------------------------------

    \15\ See, e.g., Kokou Adzo, App Development in Healthcare: 12 
Exciting Facts, TechnoChops (Jan. 3, 2023), https://www.technochops.com/programming/4329/app-development-in-healthcare/; 
Emily Olsen, Digital health apps balloon to more than 350,000 
available on the market, according to IQVIA report, MobiHealthNews 
(Aug. 4, 2021), https://www.mobihealthnews.com/news/digital-health-apps-balloon-more-350000-available-market-according-iqvia-report; 
Elad Natanson, Healthcare Apps: A Boon, Today and Tomorrow, Forbes 
(July 21, 2020), https://www.forbes.com/sites/eladnatanson/2020/07/21/healthcare-apps-a-boon-today-and-tomorrow/?sh=21df01ac1bb9.
    \16\ See id. See also Lis Evenstad, Covid-19 has led to a 25% 
increase in health app downloads, research shows, ComputerWeekly.com 
(Jan. 12, 2021), https://www.computerweekly.com/news/252494669/Covid-19-has-led-to-a-25-increase-in-health-app-downloads-research-shows (finding that COVID-19 has led to a 25% increase in health app 
downloads); Jasmine Pennic, U.S. Telemedicine App Downloads Spikes 
During COVID-19 Pandemic, HIT Consultant (Sept. 8, 2020), https://hitconsultant.net/2020/09/08/u-s-telemedicine-app-downloads-spikes-during-covid-19-pandemic/ (``US telemedicine app downloads see 
dramatic increases during the COVID-19 pandemic, with some seeing an 
8,270% rise YoY.'').
---------------------------------------------------------------------------

    In May 2020, the Commission announced its regular, ten-year review 
of the Rule and requested public comment about potential Rule 
changes.\17\ The Commission requested comment on, among other things, 
whether changes should be made to the Rule in light of technological 
changes, such as the proliferation of apps and similar technologies. 
The Commission received 26 public comments.\18\
---------------------------------------------------------------------------

    \17\ 85 FR 31085 (May 22, 2020).
    \18\ Comments are available at https://www.regulations.gov/docket/FTC-2020-0045/comments.
---------------------------------------------------------------------------

    Many of the commenters in 2020 encouraged the Commission to clarify 
that the Rule applies to apps and similar technologies.\19\ In fact, no 
commenter opposed this type of clarification regarding the Rule's 
coverage of health apps. Several commenters pointed out examples of 
health apps that have abused users' privacy, such as by disclosing 
sensitive health information without consent.\20\ Several commenters 
noted the urgency of this issue, as consumers have further embraced 
digital health technologies during the COVID-19 pandemic.\21\ 
Commenters argued the Commission should take additional steps to 
protect unsecured PHR identifiable health information that is not 
covered by HIPAA, both to prevent harm to consumers \22\ and to level 
the competitive playing field among companies dealing with the same 
health information.\23\ To that end, commenters not only urged the 
Commission to revise the Rule, but also to increase its enforcement 
efforts.\24\
---------------------------------------------------------------------------

    \19\ E.g., Am. Health Info. Mgmt. Ass'n (``AHIMA'') at 2; Kaiser 
Permanente at 3; Allscripts at 3; Am. Acad. of Ophthalmology at 2; 
All. for Nursing Informatics (``ANI'') at 2; Am. Med. Ass'n 
(``AMA'') at 4; Am. Coll. of Surgeons at 6; Physicians' Elec. Health 
Rec. Coal. (``PEHRC'') at 4 (``Apps that collect health information, 
regardless of whether or not they connect to an EHR, must be 
regulated by the FTC Health Breach Notification Rule to ensure the 
safety and security of personal health information.''); Am.'s Health 
Ins. Plans (``AHIP'') and Blue Cross Blue Shield Ass'n (``BCBS'') at 
2; The App Ass'n's Connected Health Initiative (``CHI'') at 3.
    \20\ Kaiser Permanente at 7; The Light Collective at 2; Am. 
Acad. of Ophthalmology at 2; PEHRC at 2-3.
    \21\ Lisa McKeen at 2-3; Kaiser Permanente at 7-8; AMA at 3; 
Off. of the Att'y Gen. for the State of Cal. (``OAG-CA'') at 3-4; 
Healthcare Info. and Mgmt. Sys. Soc'y (``HIMSS'') and Personal 
Connected Health All. (``PCH Alliance'') at 4-5.
    \22\ Georgia Morgan; Am. Acad. of Ophthalmology at 2-3 (arguing 
that consumers do not know all the ways their data is being used by 
third parties, and the downstream consequences of data being used in 
this way may ultimately erode a patient's privacy and willingness to 
disclose information to his or her physician); Coll. of Healthcare 
Info. Mgmt. Exec.'s (``CHIME'') at 3 (arguing that apps' privacy 
practices impact the patient-provider relationship because providers 
do not know what technologies are sufficiently trustworthy for their 
patients); AMA at 2-3 (expressing concern that patients share less 
health data with health care providers, perhaps because of 
``spillover from privacy and security breaches'').
    \23\ Kaiser Permanente at 2, 4; Workgroup for Elec. Data 
Interchange (``WEDI'') at 2; AHIP and BCBS at 3 (``[HIPAA] covered 
entities, such as health plans, that use or disclose protected 
health information should not be subject to stricter notification 
requirements than those imposed on vendors of personal health 
records or other such entities. Otherwise, the Federal government 
will be providing market advantages to particular industry segments 
with the effect of dampening competition and harming consumers.'').
    \24\ Kaiser Permanente at 4; Fred Trotter at 1; Casey Quinlan at 
1; CARIN Alliance at 2. At the time of this document's publication, 
the Commission has brought two enforcement actions under the Rule; 
the first against digital health company GoodRx Holdings, Inc., and 
the second against an ovulation-tracking mobile app marketed under 
the name ``Premom'' and developed by Easy Healthcare, Inc. United 
States v. GoodRx Holdings, Inc., No. 23-cv-460 (N.D. Cal. Feb. 17, 
2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc; United States v. Easy Healthcare Corp., 
No. 1:23-cv-3107 (N.D. Ill. June 22, 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v.
---------------------------------------------------------------------------

A. The Commission's 2021 Policy Statement

    On September 15, 2021, the Commission issued a Policy Statement 
providing guidance on the scope of the Rule. The Policy Statement 
clarified that the Rule covers most health apps and similar 
technologies that are not covered by HIPAA.\25\ The Rule defines a 
``personal health record'' as ``an electronic record of PHR 
identifiable health information on an individual that can be drawn from 
multiple sources and that is managed, shared, and controlled by or 
primarily for the individual.'' \26\ As the Commission explained in the 
Policy Statement, many makers and purveyors of health apps and other 
connected devices are vendors of personal health records covered by the 
Rule because their products are electronic records of PHR identifiable 
health information.
---------------------------------------------------------------------------

    \25\ Statement of the Commission on Breaches by Health Apps and 
Other Connected Devices, Fed. Trade Comm'n (Sept. 15, 2021), https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf (``Policy Statement'').
    \26\ 16 CFR 318.2.
---------------------------------------------------------------------------

    The Commission explained that PHR identifiable health information 
includes individually identifiable health information created or 
received by a health care provider,\27\ and that ``health care 
providers'' include any entities that ``furnish[ ] health care services 
or supplies.'' \28\ Because these health app purveyors furnish health 
care services to their users through the mobile applications they 
provide, the information held in the app is PHR identifiable health 
information, and therefore many health app purveyors likely qualify as 
vendors of personal health records.\29\
---------------------------------------------------------------------------

    \27\ Id. Sec.  318.2, incorporating in part the definition from 
section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)).
    \28\ Id. Sec.  318.2; 42 U.S.C. 1320d(6), d(3).
    \29\ See Policy Statement at 1.
---------------------------------------------------------------------------

    The Policy Statement further explained that the statute directing 
the FTC to promulgate the Rule requires that a ``personal health 
record'' be an electronic record that can be drawn from multiple 
sources.\30\ Accordingly, health apps and similar technologies likely 
qualify as personal health records covered by the Rule if they are 
capable of drawing information from multiple sources. The Commission 
further clarified that health apps and other products experience a 
``breach of security'' under the Rule when they disclose users' 
sensitive health information without authorization; \31\ a breach is 
``not limited to cybersecurity intrusions or nefarious behavior.'' \32\
---------------------------------------------------------------------------

    \30\ The Policy Statement provided this example: ``[I]f a blood 
sugar monitoring app draws health information only from one source 
(e.g., a consumer's inputted blood sugar levels), but also takes 
non-health information from another source (e.g., dates from your 
phone's calendar), it is covered under the Rule.'' Id. at 2.
    \31\ 16 CFR 318.2.
    \32\ Policy Statement at 2. In the Statement of Basis and 
Purpose to the 2009 Final Rule published in the Federal Register 
(``2009 Rule Commentary''), the Commission, in addressing questions 
about how the extent of individual authorization should be 
determined, stated data sharing to enhance consumers' experience 
with a PHR is authorized only if such use is consistent with the 
entity's disclosures and individuals' reasonable expectations. For 
anything beyond such uses, the Commission expects vendors of 
personal health records and PHR related entities to limit the 
sharing of consumers' information, unless the consumers exercise 
``meaningful choice'' in allowing sharing. The Commission believes 
burying disclosures in lengthy privacy policies does not satisfy the 
standard of ``meaningful choice.'' 74 FR 42967.

---------------------------------------------------------------------------

[[Page 47030]]

B. Enforcement History

    In 2023, the Commission brought its first enforcement actions under 
the Rule against vendors of personal health records. In February 2023, 
the Commission brought an enforcement action alleging a violation of 
the Rule against GoodRx Holdings, Inc. (``GoodRx''), a digital health 
company that sells health-related products and services directly to 
consumers, including prescription medication discount products and 
telehealth services through its website and mobile applications.\33\
---------------------------------------------------------------------------

    \33\ United States v. GoodRx Holdings, Inc., No. 23-cv-460 (N.D. 
Cal. Feb. 17, 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc.
---------------------------------------------------------------------------

    In its complaint, the Commission alleged that between 2017 and 
2020, GoodRx, as a vendor of personal health records, disclosed more 
than 500 consumers' unsecured PHR identifiable health information to 
third party advertising platforms like Facebook and Google, without the 
authorization of those consumers. As charged in the complaint, these 
disclosures violated explicit privacy promises the company made to its 
users about its data sharing practices (including about its sharing of 
PHR identifiable health information). The Commission alleged GoodRx 
broke these promises and disclosed its users' prescription medications 
and personal health conditions, personal contact information, and 
unique advertising and persistent identifiers. The Commission charged 
GoodRx with violating the Rule by failing to provide the required 
notifications, as prescribed by the Rule, to (1) individuals whose 
unsecured PHR identifiable health information was acquired by an 
unauthorized person, (2) the Federal Trade Commission, and (3) media 
outlets. 16 CFR 318.3 through 318.6. The Commission entered into a 
settlement that imposed injunctive relief and required GoodRx to pay a 
$1.5 million civil penalty for its alleged violation of the Rule.\34\
---------------------------------------------------------------------------

    \34\ In addition, the Commission alleged GoodRx's data sharing 
practices were deceptive and unfair, in violation of section 5 of 
the FTC Act.
---------------------------------------------------------------------------

    Similarly, on May 17, 2023, the Commission brought its second 
enforcement action under the Rule against Easy Healthcare Corporation 
(``Easy Healthcare''), a company that publishes an ovulation and period 
tracking mobile application called Premom, which allows its users to 
input and track various types of health and other sensitive data. 
Similar to the conduct alleged against GoodRx, Easy Healthcare 
disclosed PHR identifiable health information to third party companies 
such as Google and AppsFlyer, contrary to its privacy promises, and did 
not comply with the Rule's notification requirements. The Commission 
entered into a settlement that imposed injunctive relief and required 
Easy Healthcare to pay a $100,000 civil penalty for its alleged 
violation of the Rule.\35\
---------------------------------------------------------------------------

    \35\ United States v. Easy Healthcare Corporation, No. 1:23-cv-
3107 (N.D. Ill. June 22, 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v.
---------------------------------------------------------------------------

C. Notice of Proposed Rulemaking

    Having considered the public comments on the regulatory review 
notification and its Policy Statement, on June 9, 2023, the Commission 
issued a notice of proposed rulemaking (``NPRM'') \36\ proposing to 
revise the Rule, 16 CFR part 318, in seven ways:
---------------------------------------------------------------------------

    \36\ 88 FR 37819 (``2023 NPRM'').
---------------------------------------------------------------------------

     First, the Commission proposed to revise several 
definitions in order to clarify the Rule and better explain its 
application to health apps and similar technologies not covered by 
HIPAA. Consistent with this objective, the NPRM modified the definition 
of ``PHR identifiable health information'' and added two new 
definitions (``health care provider'' and ``health care services or 
supplies''). These proposed changes were consistent with a number of 
public comments supporting the Rule's coverage of these technologies.
     Second, the Commission proposed to revise the definition 
of ``breach of security'' to clarify that a breach of security includes 
an unauthorized acquisition of PHR identifiable health information in a 
personal health record that occurs as a result of a data security 
breach or an unauthorized disclosure.
     Third, the Commission proposed to revise the definition of 
``PHR related entity'' in two ways. Consistent with its proposal to 
clarify that the Rule applies to health apps, the Commission first 
proposed clarifying the definition of ``PHR related entity'' to make 
clear that the Rule covers entities that offer products and services 
through the online services, including mobile applications, of vendors 
of personal health records. In addition, the Commission proposed 
revising the definition of ``PHR related entity'' to provide that 
entities that access or send unsecured PHR identifiable health 
information to a personal health record--rather than entities that 
access or send any information to a personal health record--are PHR 
related entities.
     Fourth, the Commission proposed to clarify what it means 
for a personal health record to draw PHR identifiable health 
information from multiple sources.
     Fifth, in response to public comments expressing concern 
that mailed notice is costly and not consistent with how consumers 
interact with online technologies like health apps, the Commission 
proposed to revise the Rule to authorize electronic notice in 
additional circumstances. Specifically, the proposed Rule adjusted the 
language in the ``method of notice section'' and added a new definition 
of the term ``electronic mail.'' The proposed Rule also required that 
any notice delivered by electronic mail be ``clear and conspicuous,'' a 
newly defined term, which aligns closely with the definition of ``clear 
and conspicuous'' codified in the FTC's Financial Privacy Rule.\37\
---------------------------------------------------------------------------

    \37\ 16 CFR 313.3(b). The FTC's Financial Privacy Rule requires 
financial institutions to provide particular notices and to comply 
with certain limitations on disclosure of nonpublic personal 
information. Using a comprehensive definition of ``clear and 
conspicuous'' based on the Financial Privacy Rule definition aims to 
ensure consistency across the Commission's privacy-related rules.
---------------------------------------------------------------------------

     Sixth, the Commission proposed to expand the required 
content of the notice to individuals, to require that consumers whose 
unsecured PHR identifiable health information has been breached receive 
additional important information, including information regarding the 
potential for harm from the breach and protections that the notifying 
entity is making available to affected consumers. In addition, the 
proposed Rule included exemplar notices, which entities subject to the 
Rule could use to notify consumers in terms that are easy to 
understand.
     Seventh, in response to public comments, the Commission 
proposed to make a number of changes to improve the Rule's readability. 
Specifically, the Commission proposed to include explanatory 
parentheticals for internal cross-references, add statutory citations 
in relevant places, consolidate notice and timing requirements in 
single sections, respectively, of the Rule, and add a new section that 
plainly states the penalties for non-compliance.
    The NPRM also included a section discussing several alternatives 
the

[[Page 47031]]

Commission considered but did not propose. Although the Commission did 
not put forth any proposed modifications on those issues, the 
Commission nonetheless sought public comment on them.
    The Commission received approximately 120 comments in response to 
the NPRM from a wide spectrum of stakeholders, including consumers, 
consumer groups, trade associations, think tanks, policy organizations, 
private sector entities, and members of Congress.\38\ As discussed in 
detail below, commenters addressed the seven topics on which the 
Commission proposed changes, responded to particular points on which 
the Commission requested comment, offered additional comment on 
alternatives that the Commission considered but did not propose, and 
provided comment on other topics. The majority of commenters expressed 
support for the Commission's proposed changes.
---------------------------------------------------------------------------

    \38\ Comments are available at https://www.regulations.gov/document/FTC-2023-0037-0001/comment.
---------------------------------------------------------------------------

    The Commission believes the amendments are consistent with the 
language and intent of the Recovery Act, address the concerns raised by 
the public comments in response to the NPRM, and will ensure the Rule 
remains current in the face of changing business practices and 
technological developments.

II. Analysis of the Final Rule

    The following discussion analyzes the amendments to the Rule.

A. Clarification of Entities Covered

1. The Commission's Proposal To Clarify the Entities Covered
    The Commission proposed changes to several definitions in Sec.  
318.2 to clarify the Rule's application to health apps and similar 
technologies not covered by HIPAA. First, the proposed Rule revised the 
definition of ``PHR identifiable health information'' to remove a 
cross-reference and instead import language from section 1171(6) of the 
Social Security Act, 42 U.S.C. 1320d(6), which is also referenced 
directly in section 13407 of the Recovery Act. The proposed Rule 
defined ``PHR identifiable health information'' as information (1) that 
is provided by or on behalf of the individual; (2) that identifies the 
individual or with respect to which there is a reasonable basis to 
believe that the information can be used to identify the individual; 
(3) relates to the past, present, or future physical or mental health 
or condition of an individual, the provision of health care to an 
individual, or the past, present, or future payment for the provision 
of health care to an individual; and (4) is created or received by a 
health care provider, health plan (as defined in 42 U.S.C. 1320d(5)), 
employer, or health care clearinghouse (as defined in 42 U.S.C. 
1320d(2)).
    The Commission explained that this proposed definition covers 
traditional health information (such as diagnoses or medications), 
health information derived from consumers' interactions with apps and 
other online services (such as health information generated from 
tracking technologies employed on websites or mobile applications or 
from customized records of website or mobile application interactions), 
as well as emergent health data (such as health information inferred 
from non-health-related data points, such as location and recent 
purchases). The Commission sought comment as to whether any further 
amendment of the definition was needed to clarify the scope of data 
covered.
    Second, the NPRM proposed to define the term ``health care 
provider'' that appears in the proposed definition of ``PHR 
identifiable health information'' (``is created or received by a health 
care provider''). The Commission proposed to define this term in a 
manner similar to the definition of ``health care provider'' found in 
42 U.S.C. 1320d(3) (and referenced in 42 U.S.C. 1320d(6), which is 
directly referenced in section 13407 of the Recovery Act), to mean a 
provider of services (as defined in 42 U.S.C. 1395x(u)), a provider of 
medical or other health services (as defined in 42 U.S.C. 1395x(s)), or 
any other entity furnishing health care services or supplies. The 
Commission observed that this proposed definition, which is consistent 
with the statutory scheme, differs from, but does not contradict, the 
definitions or interpretations adopted by HHS. The Commission sought 
comment on defining this term more broadly than the term is used in 
other contexts.
    Third, the NPRM proposed to define ``health care services or 
supplies'' (the final term in the definition of ``health care 
provider'') to include any online service, such as a website, mobile 
application, or internet-connected device that provides mechanisms to 
track diseases, health conditions, diagnoses or diagnostic testing, 
treatment, medications, vital signs, symptoms, bodily functions, 
fitness, fertility, sexual health, sleep, mental health, genetic 
information, diet, or that provides other health-related services or 
tools. The Commission explained that this change clarified that the 
Rule applies generally to online services, including websites, apps, 
and internet-connected devices that provide health care services or 
supplies, and clarified that the Rule covers online services related 
not only to medical issues (by including in the definition terms such 
as ``diseases, diagnoses, treatment, medications'') but also wellness 
issues (by including in the definition terms such as ``fitness, sleep, 
and diet'').
    The Commission explained that these proposed changes to the 
definitions clarified that developers of health apps and similar 
technologies providing ``health care services or supplies'' qualify as 
``health care providers,'' such that any individually identifiable 
health information these products collect or use would constitute ``PHR 
identifiable health information'' covered by the Rule. The Commission 
explained that these proposed changes further clarified that a mobile 
health application can be a ``personal health record'' covered by the 
Rule and the developers of such applications can be ``vendors of 
personal health records.''
2. Public Comments Regarding the Commission's Proposal To Clarify the 
Entities Covered
    The Commission received numerous comments on the application of the 
Rule to health apps and similar technologies. A substantial number of 
commenters supported the Rule's application to health apps and similar 
technologies not covered by HIPAA as necessary in light of the 
explosion of health apps and the associated dangers to the privacy and 
security of consumers' health information.\39\ Notably, support for the

[[Page 47032]]

Commission's proposals came from a variety of commenters--industry 
associations,\40\ businesses,\41\ members of Congress,\42\ consumer or 
patient advocacy groups,\43\ individual consumers,\44\ and anonymous 
sources.\45\ Many commenters argued that safeguards for non-HIPAA 
covered health data are essential,\46\ particularly because consumers 
generally are not aware of varying legal protections for health 
data.\47\ Indeed, according to some commenters, requiring notification 
to consumers of the breach of health information not protected by HIPAA 
is precisely what Congress intended by authorizing the FTC to issue 
this Rule; the Commission's proposed changes are, therefore, consistent 
with the goals of the Recovery Act.\48\ Some commenters argued that 
Federal privacy legislation is needed to protect non-HIPAA covered 
health data, but, in the interim, the Commission should strengthen its 
Rule to protect consumer health data to the extent possible.\49\ Other 
commenters urged the Commission to take even broader measures in this 
Rule, such as imposing breach prevention measures,\50\ banning health-
based surveillance technologies or targeted advertising,\51\ banning 
selling or sharing of health data not necessary to provide patient care 
or mandating data retention limits and deletion,\52\ or requiring 
adherence to standardized terms of service with strong privacy 
protections.\53\
---------------------------------------------------------------------------

    \39\ See generally, Am. Acad. of Fam. Physicians (``AAFP''); 
AHIP; AHIMA; Ass'n of Health Info. Outsourcing Serv.'s (``AHIOS''); 
AMA; Am. Med. Informatics Ass'n (``AMIA''); ANI; Anonymous 1; 
Anonymous 2; Anonymous 3; Anonymous 4; Anonymous 9; Anonymous 10; 
Anonymous 11; Anonymous 14; Am. Osteopathic Ass'n (``AOA''); Ella 
Balasa; Beth Barnett; Lauren Batchelor; Bipartisan Pol'y Ctr. 
(``BPC''); Alan Brewington; Ctr. for Democracy & Tech. (``CDT''); 
Ctr. for Digit. Democracy (``CDD''); Confidentiality Coal.; Consumer 
Rep.'s; Elec. Frontier Found. (``EFF''); Elec. Priv. Info. Ctr. 
(``EPIC''); Dave K.; Members of the House of Representatives; MRO 
Corp. (``MRO''); Omada Health; Pharmed Out; Planned Parenthood 
Federation of Amer. (``Planned Parenthood''); CB Sanders; Robb 
Streicher; SYNGAP1 Foundation and SYNGAP1 Foundation 2; Devin 
Thompson; Janice Tufte; Michael Turner; U.S. Public Interest 
Research Group (``U.S. PIRG''); UL Sol.'s; Grace Vinton; WEDI; Anli 
Zhou. Some commenters elaborated on the nature of the risks to 
consumers' health data and on the importance to consumers. Two 
commenters, for example, described research they had performed 
regarding mental health and/or reproductive health apps' disclosure 
of consumers' health data to third parties. Mozilla at 3-4; Consumer 
Reports at 2. Another commenter, a public interest group and 
advocacy organization, attached a petition containing 9,659 
signatures asking for strong rules to protect digital health 
privacy. US PIRG at 5-230.
    \40\ E.g., AAFP, AHIMA, AHIOS, AMA, AMIA, AOA; Network Advert. 
Initiative (``NAI'').
    \41\ E.g., Mozilla; MRO; Omada Health; UL Sol.'s.
    \42\ See Members of the House of Representatives (six members of 
Congress expressing support for the proposed changes).
    \43\ E.g., CDD; CDT; EFF; U.S. PIRG.
    \44\ Ella Balasa; Beth Barnett; Lauren Batchelor; Alan 
Brewington; Sean Castillo; Dave K.; CB Sanders; Robb Streicher; 
Devin Thompson; Janice Tufte; Michael Turner; Grace Vinton; Anli 
Zhou.
    \45\ Anonymous 1; Anonymous 2; Anonymous 3; Anonymous 4; 
Anonymous 5; Anonymous 6; Anonymous 9; Anonymous 10; Anonymous 11; 
Anonymous 14.
    \46\ See, e.g., AAFP at 1-2; AHIMA at 2; AHIOS at 2; Anonymous 5 
at 1; AOA at 1; Am. Speech-Language-Hearing Ass'n (``ASHA'') at 1; 
Am. Psychiatric Ass'n (``APA'') at 1; CDT at 3-4; CHIME at 2; EFF at 
1; Generation Patient at 1; HIMSS at 2; HIMSS Elec. Health Rec. 
Ass'n (``HIMSS EHR Ass'n'') at 1; MRO at 1-2; Omada Health at 2; 
PharmedOut at 1; Planned Parenthood at 2-3; Michael Turner at 1; 
WEDI at 1-4.
    \47\ AHIMA at 2; Anonymous 5 at 1; ASHA at 1; EFF at 1; WEDI at 
2. One commenter, a software company that assists digital health 
companies with legal compliance, argued that three factors, in 
particular, support greater protection for digital health data: (1) 
consumers mistakenly believe HIPAA covers all health data; (2) there 
is a culture within some digital health companies that favors rapid 
adoption of products to secure venture capital even when compliance 
infrastructure is lacking; and (3) digital health products deal with 
sensitive data and inherently present a greater privacy risk given 
their heavy reliance on data and data exchange compared to 
traditional medicine. Tranquil Data at 1.
    \48\ Confidentiality Coal. at 2; Consumer Rep.'s at 4.
    \49\ See, e.g., AAFP at 2. One commenter, an industry coalition 
focused on health IT and health care information exchange, 
emphasized a significant privacy problem adjacent to the Rule: 
whether HIPAA covered entities should warn patients about the 
privacy risks associated with health apps and what the Federal 
government can do to apply equal privacy protections to health data, 
notwithstanding HIPAA's limitations. See WEDI at 3. One commenter 
supported the proposed changes but argued the Commission should work 
with Congress to update antiquated terms like ``personal health 
record.'' HIMSS at 3.
    \50\ Ella Balasa at 2; PharmedOut at 1.
    \51\ Light Collective at 5.
    \52\ EFF at 2.
    \53\ Texas Med. Ass'n (``TMA'') at 1-2.
---------------------------------------------------------------------------

    Although many commenters expressed support for the proposed 
changes, several business coalitions, industry associations and 
individual firms opposed the changes, which, they argued, are 
inconsistent with Congress's intent in the Recovery Act to address a 
narrow subset of ``personal health records'' and therefore exceed the 
FTC's statutory authority.\54\ According to some comments, Congress 
should address any privacy issues that exceed the narrow scope of the 
Recovery Act. These commenters also contend that if the Commission 
believes there has been a violation of section 5, then the Commission 
needs to engage in an FTC Act section 18 rulemaking.\55\ One commenter 
argued further that consumers have different privacy expectations for 
an electronic health record offered by their physician versus a fitness 
app (for example) that they download themselves, and the Commission's 
Rule should respect those differing expectations.\56\
---------------------------------------------------------------------------

    \54\ See, e.g., Ass'n of Nat'l Advertisers, Inc. (``ANA'') at 4-
5; Comput. & Commc'n's Indus. Ass'n (``CCIA'') at 2-3; Chamber of 
Com. (``Chamber'') at 1-3; CHI at 2; Consumer Tech. Ass'n (``CTA'') 
at 2; Lab'y Access and Benefits Coal. (``LAB'') at 1; Priv. for Am. 
at 1-2; TechNet at 2.
    \55\ Priv. for Am. at 2-3; Chamber at 6-7; Health Innovation 
All. (``HIA'') at 1. See also Advanced Med. Tech. Ass'n 
(``AdvaMed'') at 1 (recommending the Commission adopt a privacy 
framework pursuant to the advanced notice of proposed rulemaking 
(R111004) regarding commercial surveillance and data security (87 FR 
51273, Aug. 22, 2022)).
    \56\ CCIA at 4.
---------------------------------------------------------------------------

    Some commenters opposed to the changes also argued that the revised 
definitions would reduce choice and access in the marketplace,\57\ 
stifle innovation,\58\ or create disincentives for advertising \59\ 
because (1) firms would risk initiating breaches by sharing user data 
with their partners and (2) in accepting data from health apps, 
partners such as advertising and analytics firms would risk being 
covered by the Rule.\60\ According to some commenters, placing such 
strictures on the advertising and service provider ecosystem would 
raise prices (by, for example, undermining ad-supported services) and 
thereby harm competition.\61\ One commenter argued that while robust 
protections for consumer health data are needed, the Rule should not be 
a vehicle for such protections, because it will result in over-
notification of consumers (who have largely learned to disregard breach 
notices) and be a barrier to legislative change on privacy and data 
security issues more generally.\62\ Another commenter argued against a 
breach notification rule altogether, asserting that the Commission 
should instead focus on requiring robust data security practices to 
prevent breaches in the first instance.\63\
---------------------------------------------------------------------------

    \57\ Am. Telemedicine Ass'n (``ATA Action'') at 1.
    \58\ TechNet at 1-2; CTA at 5.
    \59\ ANA at 3.
    \60\ Priv. for Am. at 3.
    \61\ E.g., ANA at 3; Priv. for Am. at 1, 3-4.
    \62\ World Priv F. (``WPF'') at 4.
    \63\ HIA at 2.
---------------------------------------------------------------------------

    Some commenters specifically addressed the proposed changes to the 
definitions of ``PHR identifiable health information'' and the new 
definitions of ``health care provider'' and ``health care services or 
supplies.'' First, a number of comments addressed the scope of ``PHR 
identifiable health information.'' Some commenters urged greater 
breadth, arguing, for example, that the definition of ``PHR 
identifiable health information'' should be expanded to include other 
types of data, such as data about an individual--not just data provided 
by or on behalf of an individual.\64\ Other commenters urged the 
Commission to state expressly that its definition encompasses 
particular types of information, such as unique persistent identifiers 
\65\ or information about sexual health \66\ or substance use or 
treatment.\67\ By contrast, some commenters urged the Commission to 
narrow the definition or otherwise clarify its limits, by, for example, 
exempting data relating to clinical research or trials \68\ or data 
that has been de-identified.\69\
---------------------------------------------------------------------------

    \64\ Consumer Rep.'s at 3.
    \65\ Id.
    \66\ BPC at 1-2; Planned Parenthood at 5.
    \67\ Legal Action Ctr. & Opioid Pol'y Inst. at 1-2.
    \68\ Soc'y for Clinical Rsch. Sites (``SCRS'') at 1.
    \69\ Future of Priv. F. (``FPF'') at 3.
---------------------------------------------------------------------------

    Relatedly, some commenters urged the Commission to create a 
definition of or standard for ``identifiable data,'' ``de-
identification'' or ``de-identified

[[Page 47033]]

data,'' \70\ such as by adopting HHS's de-identification standard,\71\ 
or by stating that information is identifiable if it is ``reasonably 
linkable to an identified or identifiable individual.'' \72\ Commenters 
argued that clarifying what constitutes ``identifiable'' data is 
necessary both because of the increasing ability for de-identified data 
to be re-identified \73\ and because the market needs clarity to enable 
uninhibited flow of de-identified health data for research, public 
health, and commercial activities.\74\ Indeed, according to one 
commenter, failure to clarify the standard could complicate or chill 
public health research and other innovation.\75\ One commenter argued 
that an objective standard of ``reasonable linkability'' is better than 
what the commenter described as the Rule's knowledge-based standard 
(i.e., whether the company has a reasonable basis to believe it can be 
used to identify an individual).\76\ One commenter urged the Commission 
to issue a new notice of proposed rulemaking on the issue of de-
identification alone.\77\
---------------------------------------------------------------------------

    \70\ SCRS at 2; Chamber at 7; EPIC at 7-9; FPF at 3-4; LAB at 2; 
MRO at 4; Network for Pub. Health L. and Texas A&M Univ. 
(``Network'') at 3.
    \71\ LAB at 2; Network at 3; SCRS at 2.
    \72\ FPF at 3.
    \73\ SCRS at 2.
    \74\ FPF at 3; Network at 3-4.
    \75\ Network at 3.
    \76\ FPF at 3.
    \77\ Chamber at 7.
---------------------------------------------------------------------------

    Second, many commenters specifically addressed the Commission's 
proposed new definition of ``health care provider.'' One commenter 
applauded the Commission's revised definition of ``health care 
provider,'' arguing that taking a crabbed view of that or related terms 
would lead to further fragmentation of health data, which is already 
fragmented by HIPAA's limited purview.\78\ Another commenter noted the 
Commission's definition of ``health care provider'' is simply a logical 
outgrowth of how consumers interact with health apps: consumers look to 
health apps to provide health-related services--the quintessential 
function of a health care provider.\79\
---------------------------------------------------------------------------

    \78\ CDT at 11.
    \79\ Confidentiality Coal. at 3-4.
---------------------------------------------------------------------------

    Other commenters, however, raised concerns that the proposed 
definition of ``health care provider'' is confusing in its departure 
from HIPAA's terminology or is otherwise overbroad.\80\ Some commenters 
argued this departure from the traditional meaning of the term is not 
what Congress intended.\81\ A few commenters suggested reducing the 
confusion with the traditional term by re-naming the definition. These 
commenters suggested the Commission instead use one of the following 
terms: ``non-HIPAA-regulated health care provider,'' \82\ ``PHR 
provider,'' \83\ ``Health-related vendor,'' \84\ ``HIPAA covered 
entity,'' \85\ or ``health-related service provider.'' \86\ Another 
commenter recommended eliminating the confusion by stating within the 
definition that it excludes HIPAA-covered entities and their business 
associates.\87\ Another commenter urged the Commission to affirm that 
its definition would have no impact on the term ``health care 
provider'' as used in other regulations.\88\
---------------------------------------------------------------------------

    \80\ AAFP at 2-3; AdvaMed at 3-4; AHIP at 2; AMA at 2-3; ATA 
Action at 1; CARIN Alliance at 2-3; CCIA at 3; CTA at 4, 6-9; 
Datavant at 2; Invitae Corp. (``Invitae'') at 4; NAI at 3-4; 
Software & Info. Indus. Ass'n (``SIIA'') at 1-2; TechNet at 2; TMA 
at 2-3; WPF at 7.
    \81\ ANA at 5; ATA Action at 1; Invitae at 4-5; Priv. for Am. at 
4.
    \82\ Planned Parenthood at 6.
    \83\ WPF at 7.
    \84\ AHIP at 2.
    \85\ AMA at 3.
    \86\ AHIP at 2.
    \87\ Datavant at 2.
    \88\ AAFP at 2-3.
---------------------------------------------------------------------------

    Several comments also expressed concern with the final phrase of 
the definition of ``health care provider'' (``any other entity 
furnishing health care services or supplies''), as overly broad and 
confusing. Commenters argued its breadth (and the breadth of the 
accompanying definition of ``health care services or supplies'') would 
have perverse results, turning retailers of tennis shoes, shampoo, or 
vitamins into entities covered by the Rule, which is not what Congress 
intended.\89\ Moreover, it would result not only in compliance burdens 
for companies (with the downstream effect of raising prices for 
consumers) but also in massive over-notification of consumers, who will 
become desensitized to the onslaught of notices.\90\
---------------------------------------------------------------------------

    \89\ ANA at 7-8; CCIA at 4; CHI at 3-4; CTA at 7-8; SIIA at 2.
    \90\ ANA at 3; SIIA at 1.
---------------------------------------------------------------------------

    Several commenters urged the Commission to address this problem by 
dropping the phrase ``any other entity furnishing health care services 
or supplies'' entirely--or at least excising the word ``supplies''--
from the definition of ``health care provider.'' \91\ One commenter 
recommended replacing the phrase with a different phrase: ``any other 
person or organization who furnishes, bills, or is paid for health care 
in the normal course of business.'' \92\ Another commenter recommended 
expressly excluding retailers.\93\ Commenters requested further 
clarification of certain terms within the definition of ``health care 
provider,'' including the terms ``furnishing'' \94\ and ``health 
care.'' \95\ And another commenter argued a better approach would be to 
jettison the definitions of ``health care provider'' and ``health care 
services or supplies'' entirely and instead apply the Rule to any 
entity that ``promotes its offering as addressing, improving, tracking 
or informing matters about a consumer's health.'' \96\
---------------------------------------------------------------------------

    \91\ AdvaMed at 4; CHI at 4; CTA at 9; TechNet at 2.
    \92\ AdvaMed at 4.
    \93\ CTA at 8-9.
    \94\ EPIC at 2.
    \95\ AdvaMed at 3 (urging the Commission to define ``health 
care'' and ``health care provider'' as in 45 CFR 160.103).
    \96\ WPF at 10.
---------------------------------------------------------------------------

    Third, some commenters addressed the proposed definition of 
``health care services or supplies.'' \97\ Several commenters requested 
more clarity as to what constitutes an ``online service,'' \98\ as 
nearly all commercial activities have some online presence.\99\ Several 
commenters recommended deleting the final phrase of the definition 
(``or that provides other health-related services or tools'') to limit 
the definition's breadth.\100\ Conversely, some commenters urged the 
Commission to reinforce its breadth, by expressly stating that ``health 
care services or supplies'' include services related to ``wellness'' 
\101\ or to specific health conditions, such as substance abuse 
disorder diagnosis, treatment, medication, recurrence of use 
(``relapse'') and recovery.\102\
---------------------------------------------------------------------------

    \97\ AdvaMed at 3; AAFP at 3; AHIP at 3; Priv. for Am. at 6-7.
    \98\ MRO at 2; WPF at 7-8.
    \99\ WPF at 8.
    \100\ NAI at 4.
    \101\ EPIC at 4.
    \102\ Legal Action Ctr. & Opioid Pol'y Inst. at 3.
---------------------------------------------------------------------------

3. The Commission Adopts the Proposed Changes To Clarify the Entities 
Covered
    After considering the comments received, the Commission adopts the 
proposed changes to the Rule (with only non-substantive, organizational 
improvements noted below) to clarify that the Rule applies to mobile 
health applications and similar technologies. The Commission agrees 
with the substantial number of comments, from many different types of 
entities and individuals, who argued that such clarification is 
necessary in light of changing technology (i.e., the mass adoption of 
health apps) and the privacy and data security risks to consumer health 
data collected by that technology. The Commission also agrees with

[[Page 47034]]

commenters who argued that the proposed changes to the Rule are 
consistent with the Recovery Act, which was intended to bolster breach 
notifications for consumer health data that falls outside HIPAA. 
Although the Commission agrees with commenters who argue that consumer 
health data should enjoy substantial and unfragmented privacy 
protections, this Rule addresses breach notification, not omnibus 
privacy protections. While this rulemaking does not address omnibus 
privacy protections, the Commission observes that companies collecting 
or holding consumers' sensitive health data should engage in many of 
the practices commenters described, such as imposing data retention 
limits, enabling deletion options, and preventing breaches through 
robust privacy and data security practices.\103\
---------------------------------------------------------------------------

    \103\ In the 2009 Final Rule, the Commission similarly 
underscored the importance of maintaining protections for health 
information, stating: ``In addition, as noted in the NPRM, the 
Commission expects entities that collect and store unsecured PHR 
identifiable health information to maintain reasonable security 
measures, including breach detection measures, which should assist 
them in discovering breaches in a timely manner.'' 74 FR 42971 n.93 
(2009).
---------------------------------------------------------------------------

    The Commission is not persuaded that applying the Rule to health 
apps and similar technologies will have deleterious consequences for 
individual firms or competition or result in over-notification of 
consumers. Importantly, the only obligation the Rule imposes is to 
notify the Commission, consumers, and, in some cases, the media of a 
breach of unsecured PHR identifiable health information. As noted in 
the NPRM, many State laws already impose similar, or significantly 
broader, data breach obligations.\104\ Moreover, firms can avoid 
notification costs entirely by avoiding breaches--by reducing the 
amount of unsecured PHR identifiable health information they access and 
maintain (which can be achieved by securing PHR identifiable health 
information), by de-identifying health information, and by implementing 
other privacy and data security measures appropriate to the sensitivity 
of the data. Congress intended for consumers to learn of breaches of 
their unsecured PHR identifiable health information that fall outside 
HIPAA; the changes to the Rule help ensure consumers will receive the 
notification Congress intended.
---------------------------------------------------------------------------

    \104\ 88 FR 37832 n.103.
---------------------------------------------------------------------------

    The Commission carefully considered the arguments commenters raised 
that the definitional changes depart from the language or spirit of the 
Recovery Act. The Commission does not agree. The definitions hew 
closely to the language of the Recovery Act and to the definitions 
directly referenced by the Recovery Act in section 1171(6) of the 
Social Security Act, 42 U.S.C. 1320d(6). As many commenters noted, 
while health apps did not exist when Congress passed the Recovery Act, 
they function in a similar manner to the personal health records that 
existed at the time.
    For these reasons, the Commission is adopting the proposed 
definitions, with minor clarifications. First, the Commission has 
retained the definition of ``PHR identifiable health information'' as 
set out in the NPRM, with non-substantive organizational changes noted 
below. In response to comments that the definition of ``PHR 
identifiable health information'' should be broader, the Commission 
notes the definition, which closely follows the statutory language, 
already encompasses most of the categories of data that commenters 
identified. For example, unique, persistent identifiers (such as unique 
device and mobile advertising identifiers), when combined with health 
information, constitute ``PHR identifiable health information,'' if 
these identifiers can be used to identify or re-identify an individual. 
Moreover, ``PHR identifiable health information'' encompasses 
information about sexual health and substance abuse disorders, because 
the information ``relates to the past, present, or future physical or 
mental health or condition of an individual, the provision of health 
care to an individual, or the past, present, or future payment for the 
provision of health care to an individual.'' The Recovery Act states 
PHR identifiable health information is information provided ``by or on 
behalf of the individual,'' so the Commission declines to change this 
phrase to ``about,'' as one commenter suggested.\105\ The Commission 
notes, however, that information provided ``by or on behalf of the 
individual'' will encompass much information ``about'' an individual, 
as the consumer is the original source of most data; many inferences 
``about'' the individual originate from information provided ``by or on 
behalf of the individual.''
---------------------------------------------------------------------------

    \105\ Consumer Rep.'s at 4.
---------------------------------------------------------------------------

    The Commission does not agree with commenters who sought to narrow 
the definition of PHR identifiable health information out of concern 
for the Rule's overall breadth. The Commission notes that liability 
under the Rule does not arise from a single definition. While data used 
for public health research, for example, may, in some instances, meet 
the definition of ``PHR identifiable health information,'' the firm 
using that data is subject to the Rule only if other conditions are met 
(i.e., the firm is an entity covered by the Rule).
    The Commission declines to create a new definition of ``de-
identified data'' or another similar term, because the definition of 
de-identification is already embedded in the second part of the 
definition of PHR identifiable health information (``that identifies 
the individual or with respect to which there is a reasonable basis to 
believe that the information can be used to identify the individual''). 
Where there is no ``reasonable basis to believe that the information 
can be used to identify the individual,'' the information is not 
identifiable; rather, it is de-identified. If data has been de-
identified according to standards set forth by HHS, then there is not a 
``reasonable basis to believe that the information can be used to 
identify the individual,'' as the definition of PHR identifiable health 
information requires. Because the Commission's standard is consistent 
with HHS's, the Commission's Rule poses no impediment to health-related 
research or other flows of de-identified data. The Commission does not 
view the existing language as a subjective standard that turns on a 
company's knowledge, as one commenter suggested; by asking whether there 
is a ``reasonable basis to believe'' that the information can be used 
to identify the individual, the Rule creates an objective standard. 
Whether such a reasonable basis exists will depend on whether the data 
can reasonably be linked to an individual consumer. There is no need for a 
supplemental notice of proposed rulemaking on this issue, as the 
Commission is not changing this aspect of the Rule, which closely 
follows the statute.\106\
---------------------------------------------------------------------------

    \106\ 42 U.S.C. 17937(f)(2).
---------------------------------------------------------------------------

    Second, the Commission is modifying the proposed definition of 
``health care provider'' to ``covered health care provider'' to 
distinguish that term from interpretations of the term ``health care 
provider'' in other contexts, which may be more limited in scope. As 
commenters requested, the Commission affirms its definition of 
``covered health care provider'' is unique to the Rule; it does not 
bear on the meaning of ``health care provider'' as used in other 
regulations enforced by other government agencies. The Commission 
adopts this change merely to dispel confusion in terminology; the 
Commission is not making any substantive change from the definition as 
proposed. The Commission does not need to state expressly, either in 
this definition or elsewhere, that the Rule's notification requirements 
do not apply to HIPAA-covered entities and their business associates, 
as Sec.  318.1 of the

[[Page 47035]]

Rule already includes this proviso. The Commission declines to remove 
the phrase ``any other entity furnishing health care services or 
supplies'' from the definition of ``health care provider,'' because 
this phrase is nearly identical to the language that appears in 42 
U.S.C. 1320d(3), which is referenced in the definition of individually 
identifiable health information in 42 U.S.C. 1320d(6), which is in turn 
referenced in the definition of PHR identifiable health information in 
section 13407(f)(2) of the Recovery Act, 42 U.S.C. 17937.\107\ The 
Commission declines to define the terms ``furnish'' and ``health care'' 
as the Commission believes the plain meaning of the term ``furnish'' 
(to supply someone with something) is already clear and adding a 
definition of ``health care'' is unnecessary in light of the definition 
of ``covered health care provider'' and ``health care services and 
supplies.'' Differences from HHS's regulations pursuant to HIPAA are 
appropriate, as the Recovery Act differs from HIPAA, and the Recovery 
Act's mandate is specifically to cover entities not covered by HIPAA.
---------------------------------------------------------------------------

    \107\ The definition of ``covered health care provider'' in 
Sec.  318.2 substitutes ``entity'' for ``person''--i.e., ``any other 
entity furnishing health care services or supplies''--because the 
rest of the Rule speaks in terms of ``entities,'' but the definition 
in Sec.  318.2 is otherwise identical to the statutory definition in 
42 U.S.C. 1320d(3).
---------------------------------------------------------------------------

    Third, the Commission is adopting the proposed definition of 
``health care services or supplies,'' with one minor modification: the 
Commission has substituted the word ``means'' for ``includes'' to avoid 
implying greater breadth than the Commission intends. The Commission 
adopts this change merely to dispel confusion about undue breadth; the 
Commission does not intend any substantive change from the definition 
proposed. The Commission otherwise affirms the proposed definition 
without change. The Commission believes the term ``online service'' in 
the definition of ``health care services or supplies'' is sufficiently 
clear because of the examples of ``online services'' given within the 
definition itself: website, mobile application, or internet-connected 
device. Providing an exhaustive list of what constitutes an online 
service would prevent the definition from being sufficiently flexible 
to account for future innovation in types of online services. The 
Commission also retains the catch-all ``or that provides other health-
related services or tools'' for the same reason: to ensure the Rule's 
language can accommodate future changes in technology. There is no 
undue breadth, because that phrase's meaning is in the context of the 
preceding phrase (``provides mechanisms to track diseases, health 
conditions, diagnoses or diagnostic testing, treatment, medications, 
vital signs, symptoms, bodily functions, fitness, fertility, sexual 
health, sleep, mental health, genetic information, diet'').
    In response to some commenters' concerns that the proposed Rule's 
definition of ``health care provider'' and ``health care services or 
supplies'' would impermissibly cause the Rule to cover retailers of 
general-purpose items like tennis shoes, shampoo, or vitamins, the 
Commission disagrees this would necessarily be the case. A threshold 
inquiry under the Rule is whether an entity is a ``vendor of personal 
health records,'' which the Recovery Act defines as ``an entity . . . 
that offers or maintains a personal health record.'' \108\ The Recovery 
Act usage of the term ``vendor of'' in connection with ``personal 
health records'' underscores that entities that are not in the business 
of offering or maintaining (e.g., selling, marketing, providing, or 
promoting) a health-related product or service are not covered--in 
other words, they are not ``vendors'' of personal health records. Thus, 
to be a vendor of personal health records under the Rule, an app, 
website, or online service must provide an offering that relates more 
than tangentially to health.\109\
---------------------------------------------------------------------------

    \108\ 42 U.S.C. 17921(18); see also 42 U.S.C. 17937.
    \109\ At least one commenter urged a somewhat similar 
interpretation, contending that a relevant inquiry in determining 
whether a service offers a personal health record is ``the terms 
under which a product or service is offered to consumers. If an 
entity promotes its offering as addressing, improving, tracking, or 
informing matters about a consumer's health, then that entity's 
offering would be subject to the rule. Thus, any product or services 
that tracks or addresses physical activity, blood pressure, heart 
rate, digestion, strength, genetics, sleep, weight, allergies, pain, 
and similar characteristics would be subject to a PHR rule.'' See 
WPF at 10.
---------------------------------------------------------------------------

    The Commission notes a general retailer (one that sells food 
products, children's toys, garden supplies, healthcare products (such 
as pregnancy tests), or apparel (such as maternity clothes)) offering 
consumers an app to purchase and access purchases of these products--by 
itself--would not make the retailer a vendor of personal health 
records. In this scenario, purchase information relating to certain 
items--such as a pregnancy test or maternity clothes from a retailer--
may reveal information about that person's health. While this purchase 
information may be PHR identifiable health information, the retailer in 
this scenario is not a vendor of personal health records because the 
app is only tangentially related to health. The Commission notes, 
however, there may be scenarios where a general-purpose retailer 
described above may become a vendor of personal health records under 
the Rule, such as where the retailer offers an app with features or 
functionalities that are sold, marketed, or promoted as more than 
tangentially relating to health.
    In addition, the Commission reiterates a personal health record 
must be an electronic record of PHR identifiable health information on 
an individual, must have the technical capacity to draw information 
from multiple sources, and must be managed, shared, and controlled by 
or primarily for the individual. The Commission also notes that 
purchases of items at a brick-and-mortar retailer, where there is no 
app, website, or online service to access or track that purchase 
information electronically, do not constitute a personal health record, 
because there is no electronic record at issue. Contrary to the assertions of 
some commenters, these definitions do not result in undue breadth, 
because they do not function in isolation. The Commission provides the 
following examples to illustrate the interplay of these definitions 
with the definition of ``personal health record'':
     Example 1: Health advice app or website A, which is not 
covered by HIPAA, provides information to consumers about various 
medical conditions. Its function is purely informational; it does not 
provide any mechanism through which the consumer may track or record 
information. Health advice app or website A is not a personal health 
record, because it is not an electronic record of PHR identifiable 
health information on an individual.
     Example 2: Health advice app or website B, which is not 
covered by HIPAA, provides information to consumers about various 
medical conditions and provides a symptom tracker, available to 
consumers who log into the site with a username and password, in which 
consumers may input symptoms and receive potential diagnoses. Health 
advice app or website B is an electronic record of PHR identifiable 
health information on an individual, because its information is 
provided by the individual, it identifies the individual (via username 
and password), it relates to the individual's health conditions (the 
symptoms), and is received by a health care provider (i.e., the entity 
providing the site itself, as that entity is furnishing the health care 
service of an online service that provides mechanisms to track 
symptoms). However, health advice app or website B is not a personal 
health

[[Page 47036]]

record to the extent the site does not have the technical capacity to 
draw information from multiple sources (i.e., if the consumer is its 
only source of information).
     Example 3: Health advice app or website C, which is not covered 
by HIPAA, functions in the same way as health advice app or website B, 
except that it collects geolocation data via an application programming 
interface (``API''). For the reasons stated in Example 2, it is an 
electronic record of PHR identifiable health information on an 
individual. It also has the technical capacity to draw information from 
multiple sources (consumer inputs and collection of geolocation data 
through the API). It is managed primarily for the individual (i.e., to 
provide the individual health advice). Therefore, health advice app or 
website C is a personal health record.
     Example 4: Health advice app or website D, which is not 
covered by HIPAA, functions in the same way as health advice app or 
website B, except that it also draws information from a data broker and 
connects that information to some of its individual users to provide 
them with more accurate diagnostic suggestions. For the reasons stated 
in Example 2, it is an electronic record of PHR identifiable health 
information on an individual. It also has the technical capacity to 
draw information from multiple sources (the consumer and the data 
broker) and is managed by or primarily for the individual. Therefore, 
health advice app or website D is a personal health record.
    Whether a health app or other electronic record constitutes a 
personal health record (and is therefore subject to the Rule) is a 
fact-intensive inquiry whose outcome depends not only on the nature of 
the information contained in that record, but also on numerous other 
factors, such as its ``technical capacity,'' its source(s) of 
information, and its relationship to the individual.
    Finally, the Commission notes a non-substantive, organizational 
change relating to the definition of ``PHR identifiable health 
information.'' In the 2023 NPRM, the Commission proposed revising ``PHR 
identifiable health information'' by importing language from section 
1171(6) of the Social Security Act, 42 U.S.C. 1320d(6), which is 
referenced directly in section 13407 of the Recovery Act. To hew more 
closely to the organization of the Recovery Act, and to preserve the 
word ``includes'' in the phrase ``includes information that is provided 
by or on behalf of the individual,'' the Commission revised slightly 
the order of the elements in the definition of ``PHR identifiable 
health information.''

B. Clarification of What It Means for a Personal Health Record To Draw 
Information From Multiple Sources

1. The Commission's Proposal Regarding What It Means for a Personal 
Health Record To Draw Information From Multiple Sources
    The Commission proposed amending the definition of the term 
``personal health record'' to clarify what it means for a personal 
health record to draw information from multiple sources. Under the 2009 
Rule, a personal health record is defined as an electronic record of 
PHR identifiable health information that can be drawn from multiple 
sources and that is managed, shared, and controlled by or primarily for 
the individual. Under the Commission's proposed definition, a 
``personal health record'' would be defined as an electronic record of 
PHR identifiable health information on an individual that has the 
technical capacity to draw information from multiple sources and that 
is managed, shared, and controlled by or primarily for the individual.
    Changing the phrase ``that can be drawn from multiple sources'' to 
``has the technical capacity to draw information from multiple 
sources'' serves several purposes. First, it clarifies a product is a 
personal health record if it can draw information from multiple 
sources, even if the consumer elects to limit information to a single 
source only, in a particular instance. For example, a depression 
management app that accepts consumer inputs of mental health states and 
has the technical capacity to sync with a wearable sleep monitor is a 
personal health record, even if some customers choose not to sync a 
sleep monitor with the app. Thus, whether an app qualifies as a 
personal health record would not depend on the prevalence of consumers' 
use of a particular app feature, like sleep monitor-syncing. Instead, 
the analysis of the Rule's application would be straightforward: either 
the app has the technical means (e.g., the application programming 
interface or API) to draw information from multiple sources, or it does 
not. Next, adding the phrase ``technical capacity to draw information'' 
clarifies a product is a personal health record if it can draw any 
information from multiple sources, even if it only draws health 
information from one source. This change further clarifies the 
Commission's interpretation of the Recovery Act, as explained in the 
Policy Statement.\110\
---------------------------------------------------------------------------

    \110\ Policy Statement at 2.
---------------------------------------------------------------------------

    The Commission sought public comment as to whether this revised 
language sufficiently clarifies the Rule's application to developers 
and purveyors of products that have the technical capacity to draw 
information from more than one source. The Commission invited comment 
on its interpretation that an app is a personal health record because 
it has the technical capacity to draw information from multiple 
sources, even if particular users of the app choose not to enable the 
syncing features. The Commission also requested comment about whether 
an app (or other product) should be considered a personal health record 
even if it only draws health information from one place (in addition to 
non-health information drawn elsewhere); or only draws identifiable 
health information from one place (in addition to non-identifiable 
health information drawn elsewhere). The Commission further requested 
comment about whether the Commission's bright-line rule (apps with the 
``technical capacity to draw information'' are covered) should be 
adjusted to take into account consumer use, such as where no consumers 
(or only a de minimis number) use a feature, and about the likelihood 
of such scenarios. For instance, the Commission described an 
app that might have the technical capacity to draw information from 
multiple sources, but whose API is entirely or mostly unused, either 
because it remains a Beta feature, has not been publicized, or is not 
popular.
2. Public Comments Regarding What It Means for a Personal Health Record 
To Draw Information From Multiple Sources
    Many commenters supported the Commission's proposal amending the 
definition of a ``personal health record.'' \111\ Commenters noted, for 
instance, this change would help to ensure that many services that 
collect PHR identifiable health information are covered by the 
Commission's Rule,\112\ and would help to promote greater privacy and 
security for health information,\113\ while still ``hewing to

[[Page 47037]]

the limitations of the statute.'' \114\ Some commenters noted without 
this change, developers of personal health records (such as app 
developers) might have incentives to design their products in ways that 
would intentionally skirt the Rule's requirements (such as by 
restricting a consumer's ability to import data from other 
sources).\115\ Others noted the importance of the Rule covering apps 
with the technical capacity to draw information from multiple sources 
even where such capacity is not used by the consumer.\116\
---------------------------------------------------------------------------

    \111\ Ella Balasa at 1; TMA at 4 (arguing that ``PHRs include 
applications with the technical capacity to draw information from 
multiple sources, regardless of the patient's preference to activate 
the technical capability.''); Consumer Rep.'s at 6; AAFP at 3; AHIMA 
at 4-5; AMA at 4; CHIME at 4; CDT at 13; AOA at 3.
    \112\ AHIMA at 4-5.
    \113\ AAFP at 3.
    \114\ Consumer Reports at 5-6.
    \115\ AHIP at 2-3; CDT at 13 (arguing that changes remove 
``incentives for companies to technically design products and 
services to not trigger the HBNR to avoid any need to provide 
consumer notice.'').
    \116\ AHIOS at 4; CARIN Alliance at 4.
---------------------------------------------------------------------------

    Other commenters opposed this proposal.\117\ Some argued the 
proposed clarification regarding what drawing information from multiple 
sources means runs counter to Congress's statutory intent,\118\ because 
virtually every app has some sort of integration (e.g., for analytics) 
through which it draws information other than from the consumer.\119\ 
One commenter asserted the change would broaden the scope of the Rule 
to the point that it would sweep in online services that should not be 
thought of as a personal health record (such as email apps),\120\ or 
otherwise create confusing standards for app developers or reduce 
innovation.\121\ In addition, commenters expressed concern this change 
would sweep in apps or online services that have the technical capacity 
to draw from multiple sources during the development or testing phase 
of the product, or would sweep in products with unused, unavailable, or 
unpublicized APIs or integrations that count as a source.\122\ One 
commenter expressed concern about lack of clarity, such as in scenarios 
where a user is required to pay for an upgrade to access a feature or 
integration that draws information from another source.\123\ Some 
commenters also expressed concern that apps and online services that 
are subject to HIPAA (i.e., HIPAA-covered entities or business 
associates) should be carved out of the definition of a personal health 
record.\124\ Other commenters expressed broader concern with the 
definition of ``personal health record,'' urging the Commission to, for 
example, abandon the purportedly outdated term in favor of a more 
modern one.\125\ For instance, some commenters urged that the 
Commission abandon or tweak the requirement that the personal health 
record be ``managed, shared, and controlled by or primarily for the 
individual.'' \126\
---------------------------------------------------------------------------

    \117\ NAI at 6 (urging that the Commission make clear that a 
personal health record is one that ``not only has the technical 
capacity to draw PHR identifiable health information from multiple 
sources, but that it also has the functionality and actually does 
incorporate data from multiple sources.''); ANA at 7; ACLA at 1-2.
    \118\ NAI at 6.
    \119\ Chamber at 4-5; Priv. for Am. at 5-6; NAI at 6.
    \120\ CCIA at 6.
    \121\ CTA at 11; AdvaMed at 5; CHI at 5.
    \122\ CHI at 5 (asking the Commission to clarify that an ``app 
having the ability to draw from multiple sources with some changes 
to the app's coding/APIs is not within this definition's 
threshold.''); ACLA at 1 (arguing ``[i]f a feature is unused by 
individuals `because it remains a Beta feature,' then in fact it 
does not have the `technical capacity' to draw an individual's 
information from other sources, unless and until its functionality 
has been enabled by the vendor. The mere possibility that an 
application vendor might sometime in the future enable that 
functionality should not bring the electronic record within the 
scope of the definition of `personal health record.' '') (emphasis 
in original); CTA at 11 (arguing the Rule should instead have a 
bright-line test that assesses whether the app actually draws health 
information from multiple sources); AdvaMed at 5 (arguing the 
Commission should decline to adopt multiple sources changes because 
it could cause confusion and potentially sweep in apps or services 
with features that have not been made available to consumers, such 
as APIs connected to the PHR that have not been publicized).
    \123\ WPF at 9.
    \124\ Omada at 5; Datavant at 3.
    \125\ HIMSS at 3 (urging the Commission to work with Congress to 
craft a definition more consonant with technological realities).
    \126\ AHIOS at 4; MRO at 4.
---------------------------------------------------------------------------

    Another commenter expressed concern the proposed change could sweep 
in services that draw any information from multiple sources, regardless 
of whether that information is identifiable health information.\127\
---------------------------------------------------------------------------

    \127\ NAI at 6.
---------------------------------------------------------------------------

3. The Commission Adopts the Proposed Changes Clarifying What It Means 
for a Personal Health Record To Draw Information From Multiple Sources
    After considering the comments received, the Commission adopts the 
proposed amendment without change. This amendment will help clarify the 
types of entities covered by the Rule. The definition does not create 
undue breadth or deviate from Congressional intent; rather, the changes 
are consistent with the language of the Recovery Act, and only serve to 
give meaning to the phrase ``can be drawn'' in the Recovery Act in a 
way that is consistent with the current state of technology. They are 
also necessary to keep pace with technological change, which has 
enabled firms to offer consumers mobile electronic records of their 
health information that contain numerous integrations. To illustrate 
the intended meaning of the proposed revisions to the term ``personal 
health record,'' the Commission reiterates examples from the 2023 NPRM 
of two non-HIPAA covered diet and fitness apps available for consumer 
download in an app store. Under the amended Rule, each is a personal 
health record.
     Example 1: Diet and fitness app Y allows users to sync 
their app with third-party wearable fitness trackers. Diet and fitness 
app Y has the technical capacity to draw identifiable health 
information both from the user (e.g., name, weight, height, age) and 
the fitness tracker (e.g., user's name, miles run, heart rate), even if 
some users elect not to connect the fitness tracker.
     Example 2: Diet and fitness app Y has the ability to pull 
information from the user's phone calendar via the calendar API to 
suggest personalized healthy eating options. Diet and fitness app Y has 
the technical capacity to draw identifiable health information from the 
user (e.g., name, weight, height, age) and non-health information 
(e.g., calendar entry info, location, and time zone) from the user's 
calendar.
    As these examples make clear, and in response to one commenter's 
concern that the changes would sweep in services that do not draw any 
health information,\128\ the Commission notes the Rule still requires 
drawing PHR identifiable health information from at least one source to 
count as a personal health record.
---------------------------------------------------------------------------

    \128\ NAI at 6.
---------------------------------------------------------------------------

    The Commission declines to make other requested changes to the 
definition of personal health record. First, the Commission declines to 
include an express exemption for HIPAA-covered entities within the 
definition of personal health record because Sec.  318.1 of the Rule 
already specifically exempts businesses or organizations covered by 
HIPAA.\129\ Second, the Commission declines to exempt apps and services 
where there are available but unused or unpublicized APIs or 
integrations. Similarly, the Commission declines to exempt apps and 
services from the definition just because they are drawing information 
from multiple sources while undergoing product or beta testing and are 
not yet in their final form.\130\ The Commission notes a product 
feature or integration that exists

[[Page 47038]]

and that is able to draw PHR identifiable health information counts as 
a source under the Rule. Exempting such instances would be contrary to 
the purpose of the Rule and would impermissibly limit notification of 
breaches just because a product feature is not widely disseminated, 
used, or in its final form. The Commission notes that, under the Rule, a 
covered entity that experienced a breach of security of unsecured PHR 
identifiable health information triggering the Rule would not be exempt 
merely because the breach occurred in one of these scenarios.
---------------------------------------------------------------------------

    \129\ See, e.g., 16 CFR 318.1(a) (Rule ``does not apply to 
HIPAA-covered entities, or to any other entity to the extent that it 
engages in activities as a business associate of a HIPAA-covered 
entity.''); see also 16 CFR 318.2 (exempting business associates and 
HIPAA-covered entities from the Rule's definitions of ``PHR related 
entity'' and ``vendor of personal health records.'').
    \130\ ACLA at 1-2; CTA at 11; AdvaMed at 5.
---------------------------------------------------------------------------

    Further, and importantly, the Rule is triggered only by breaches of 
unsecured PHR identifiable health information and does not apply to 
information that is protected or ``secured'' through the use of a 
technology or methodology specified by the Secretary of Health and 
Human Services in the guidance issued under section 13402(h)(2) of the 
American Reinvestment and Recovery Act of 2009, 42 U.S.C. 
17932(h)(2).\131\ The Rule, therefore, creates appropriate incentives 
for product testing that uses de-identified data or that secures 
information according to those specifications, such as through the 
specified encryption methods.
---------------------------------------------------------------------------

    \131\ Per HHS guidance, electronic health information is 
``secured'' if it has been encrypted according to certain 
specifications set forth by HHS, or if the media on which electronic 
health information has been stored or recorded is destroyed 
according to HHS specifications. See 74 FR 19006; see also U.S. 
Dep't of Health & Human Servs., Guidance to Render Unsecured 
Protected Health Information Unusable, Unreadable, or Indecipherable 
to Unauthorized Individuals (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/. PHR 
identifiable health information would be considered ``secured'' if 
such information is disclosed by, for example, a vendor of personal 
health records, to a PHR related entity or a third party service 
provider, in an encrypted format meeting HHS specifications, and the 
PHR related entity or third party service provider stores the data 
in an encrypted format that meets HHS specifications and also stores 
the encryption and/or decryption tools on a device or at a location 
separate from the data.
---------------------------------------------------------------------------

    Third, the Commission declines, as one commenter requested,\132\ to 
expressly exempt scenarios where a change is required to an app's 
coding to draw information from another source. The Commission notes, 
however, it does not intend to cover instances where an app can draw 
from multiple sources only through changes to the design or underlying 
software code and where the app developer does not implement those 
changes.
---------------------------------------------------------------------------

    \132\ CHI at 5 (asking the Commission to clarify that an ``app 
having the ability to draw from multiple sources with some changes 
to the app's coding/APIs is not within this definition's 
threshold.'').
---------------------------------------------------------------------------

    In addition, the Commission declines to remove from the definition 
of personal health record the requirement that it be ``managed, shared, 
and controlled by or primarily for the individual.'' This language 
mirrors the Recovery Act's statutory definition of personal health 
record.\133\ Further, this language provides a boundary to the 
definition. Even if a website or app has the technical capacity to draw 
information from multiple sources (for example, because it has 
integrations for advertising or analytics), it must still be ``managed, 
shared, and controlled by or primarily for the individual'' to be 
covered by the Rule.
---------------------------------------------------------------------------

    \133\ 42 U.S.C. 17921(11).
---------------------------------------------------------------------------

    Generally, a personal health record is an electronic record of an 
individual's health information by which the individual maintains 
access to the information and may have, for example, the ability to 
manage, track, control, or participate in his or her own health care. 
If these elements are not present, the website or app may not be 
``managed, shared, and controlled by or primarily for the individual,'' 
and would not, therefore, constitute a personal health record.

C. Clarification Regarding Types of Breaches Subject to the Rule

1. The Commission's Proposals
a. The Commission's Proposal Regarding ``Breach of Security''
    The Commission proposed a definitional change to clarify that a 
breach of security under the Rule encompasses unauthorized acquisitions 
that occur as a result of a data breach or an unauthorized disclosure. 
The Commission's proposal underscores that a breach of security is not 
limited to data exfiltration, and includes unauthorized disclosures 
(such as, but not limited to, a company's unauthorized sharing or 
selling of consumers' information to third parties that is inconsistent 
with the company's representations to consumers). The Rule previously 
defined ``breach of security'' as the acquisition of unsecured PHR 
identifiable health information of an individual in a personal health 
record without the authorization of the individual, which language 
mirrored the definition of ``breach of security'' in section 
13407(f)(1) of the Recovery Act.
    Accordingly, consistent with the Recovery Act definition, the 
Policy Statement, FTC enforcement actions under the Rule, and public 
comments received, the Commission proposed amending the definition of 
``breach of security'' in Sec.  318.2 by adding the following sentence 
to the end of the existing definition: ``[a] breach of security 
includes an unauthorized acquisition of unsecured PHR identifiable 
health information in a personal health record that occurs as a result 
of a data breach or an unauthorized disclosure.'' The change was 
intended to make clear to the marketplace that a breach includes an 
unauthorized acquisition of identifiable health information that occurs 
as a result of a data breach or an unauthorized disclosure, such as a 
voluntary disclosure made by the PHR vendor or PHR related entity where 
such disclosure was not authorized by the consumer.
    The NPRM, like the 2009 Rule, continued to include a rebuttable 
presumption for unauthorized access to an individual's data; it stated 
that, when there is unauthorized access to data, unauthorized 
acquisition will be presumed unless the entity that experienced the 
breach ``has reliable evidence showing that there has not been, or 
could not reasonably have been, unauthorized acquisition of such 
information.''
b. The Commission's Related Proposal To Not Define the Term 
``Authorization'' in the Rule
    In the 2023 NPRM, the Commission stated it had considered defining 
the term ``authorization,'' which appears in Sec.  318.2's definition 
of ``breach of security,'' but did not propose any such change in the 
NPRM.
    The Commission considered defining ``authorization'' to mean the 
affirmative express consent of the individual and then defining 
``affirmative express consent'' consistent with State laws that define 
consent, such as the California Consumer Privacy Rights Act, Cal. Civ. 
Code 1798.140(h).\134\ Such changes would have ensured notification is 
required anytime there is acquisition of

[[Page 47039]]

unsecured PHR identifiable health information without the individual's 
affirmative express consent for that acquisition--such as when an app 
discloses unsecured PHR identifiable health information to another 
company, having obtained nominal ``consent'' from the individual by 
using a small, greyed-out, pre-selected checkbox following a page of 
dense legalese.
---------------------------------------------------------------------------

    \134\ As noted in the 2023 NPRM, the Commission considered 
defining ``affirmative express consent'' as any freely given, 
specific, informed, and unambiguous indication of an individual's 
wishes demonstrating agreement by the individual, such as by a clear 
affirmative action, following a clear and conspicuous disclosure to 
the individual, apart from any ``privacy policy,'' ``terms of 
service,'' ``terms of use,'' or other similar document, of all 
information material to the provision of consent. Acceptance of a 
general or broad terms of use or similar document that contains 
descriptions of agreement by the individual along with other, 
unrelated information, does not constitute affirmative express 
consent. Hovering over, muting, pausing, or closing a given piece of 
content does not constitute affirmative consent. Likewise, agreement 
obtained through use of user interface designed or manipulated with 
the substantial effect of subverting or impairing user autonomy, 
decision-making, or choice, does not constitute affirmative express 
consent. See 88 FR 37830 n.78.
---------------------------------------------------------------------------

    The Commission did not, however, propose to define 
``authorization'' because (1) the 2009 Rule Commentary already provided 
guidance on the types of disclosures the Commission considers to be 
``unauthorized''; \135\ (2) recent Commission orders, such as the 
Commission's enforcement actions against GoodRx and Easy 
Healthcare,\136\ also make clear that the use of ``dark patterns,'' 
which have the effect of manipulating or deceiving consumers, including 
through use of user interfaces designed with the substantial effect of 
subverting or impairing user autonomy and decision-making, does not 
satisfy the standard of ``meaningful choice''; and (3) Commission 
settlements establish important guidelines involving authorization (the 
Commission's recent settlement with GoodRx, alleging violations of the 
Rule, highlights that disclosures of PHR identifiable health 
information inconsistent with a company's privacy promises constitute 
an unauthorized disclosure).
---------------------------------------------------------------------------

    \135\ See, e.g., 74 FR 42967.
    \136\ United States v. GoodRx Holdings, Inc., No. 23-cv-460 
(N.D. Cal. 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc; United States v. Easy 
Healthcare Corp., No. 1:23-cv-3107 (N.D. Ill. 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v.
---------------------------------------------------------------------------

    The Commission sought public comment about:
    • Whether the commentary above and FTC enforcement actions 
under the Rule provide sufficient guidance to put companies on notice 
about their obligations for obtaining consumer authorization for 
disclosures, or whether defining the term ``authorization'' would 
better inform companies of their compliance obligations.
    • To the extent that including such definitions would be 
appropriate, the definitions of ``authorization'' and ``affirmative 
express consent,'' as described above, and the extent to which such 
definitions are consistent with the language and purpose of the 
Recovery Act.
    • What constitutes an acceptable method of authorization, 
particularly when unauthorized sharing is occurring.\137\
---------------------------------------------------------------------------

    \137\ For example, the Commission sought comment on whether, when 
a vendor of personal health records or a PHR related entity is sharing 
information covered by the Rule, it is acceptable for that entity to 
obtain the individual's authorization to share that information when 
the individual clicks ``agree'' or ``accept'' in connection with a 
pre-checked box disclosing such sharing. Is it sufficient if an 
individual agrees to terms and conditions disclosing such sharing 
but that individual is not required to review the terms and 
conditions? Or is it sufficient if an individual uses a health app 
that discloses in its privacy policy that such sharing occurs, but 
the app knows via technical means that the individual never 
interacts with the privacy policy? See 88 FR 37832.
---------------------------------------------------------------------------

    • Whether there are certain types of sharing for which 
authorization by consumers is implied because such sharing is expected 
and/or necessary to provide a service to consumers.
2. Public Comments
a. Public Comments Regarding ``Breach of Security''
    Many commenters supported the Commission's proposed amendment to 
the definition of ``breach of security.'' \138\ One commenter noted the 
change is consistent with the broad definition of ``breach of 
security'' in the Recovery Act, which refers explicitly to the 
acquisition of PHR identifiable health information without the 
authorization of an individual (rather than the authorization of an 
entity holding the data, as is the case where a breach involves data 
theft or exfiltration).\139\ Commenters also noted the amendment would 
ensure notice, accountability, and regulatory oversight, regardless of 
the underlying cause of the unauthorized acquisition.\140\ Commenters 
noted that breaches encompass more than just cybersecurity 
intrusions.\141\ Commenters also argued that a company's voluntary 
unauthorized disclosure can be just as damaging as data theft.\142\ For 
instance, a commenter noted that unauthorized disclosures of health 
information may cause embarrassment, perpetuate stigma about patients' 
conditions, deter patients from seeking care, interfere in the patient-
physician relationship, or impact patients' employment.\143\ Moreover, 
voluntary, unauthorized disclosures increase the risk of additional 
unauthorized acquisition and sharing of this information among bad 
actors.\144\
---------------------------------------------------------------------------

    \138\ See, e.g., TMA at 3; U.S. PIRG at 2-3; AAFP at 3; AHIMA at 
3; AMA at 3-4; AMIA at 3; AOA at 2-3; AHIOS at 3; CDT at 11-12; 
CHIME at 4; EPIC at 5-6.
    \139\ Consumer Rep.'s at 4.
    \140\ CDT at 11-12; U.S. PIRG at 2-3.
    \141\ AMA at 4; CDT at 11-12; EPIC at 5.
    \142\ AAFP at 3; CDT at 11-12.
    \143\ AOA at 2.
    \144\ AHIMA at 3.
---------------------------------------------------------------------------

    Some commenters supported expanding or changing the definition 
further. Specifically, some commenters urged the Commission to amend 
the definition to encompass (1) exceeding authorized access or use of 
PHR identifiable health information, such as where a company collects 
data for one purpose, but later uses or discloses that data for a 
second, undisclosed purpose; \145\ or (2) the collection or retention 
of PHR identifiable health information beyond what is necessary to 
provide the associated service to an individual consumer.\146\ One 
commenter asked the Commission to clarify that the Rule would be 
triggered by unauthorized use of or access to information derived from 
PHR identifiable health information, and to define the phrase 
acquisition.\147\
---------------------------------------------------------------------------

    \145\ FPF at 12-15.
    \146\ EPIC at 5-7; U.S. PIRG at 2-3.
    \147\ Mozilla at 6-7.
---------------------------------------------------------------------------

    Some commenters, however, urged the Commission to not amend the 
definition at all. These commenters expressed concern the amendment 
would cause the Rule to exceed what Congress intended in the Recovery 
Act and transform the Rule into an opt-in notice and consent privacy 
regime.\148\ Commenters argued further the proposed changes would cause 
consumer notice fatigue,\149\ consumer panic,\150\ or over-reporting by 
companies.\151\ One commenter urged the Commission to limit the 
definition of ``acquisition'' to actual acquisition, and exclude 
instances of access or disclosure where the information was not 
actually acquired by a third party.\152\ Commenters argued the proposed 
definition would be burdensome and force companies to limit certain 
beneficial disclosures to certain third parties, such as disclosures to 
support internal operations, detect security vulnerabilities or fraud, 
for law enforcement, and other purposes.\153\
---------------------------------------------------------------------------

    \148\ Chamber at 6; Priv. for Am. at 2-5; ANA at 6-7.
    \149\ SIIA at 3; CTA at 13-14.
    \150\ CCIA at 4-5, 7 (arguing that requiring notification for 
unauthorized disclosures could cause consumers to worry in the 
absence of harm, such as where it is ``typical'' to disclose such 
information.)
    \151\ CTA at 13-14.
    \152\ Id. at 14-16.
    \153\ TechNet at 3; Chamber at 7; CCIA at 5-6.
---------------------------------------------------------------------------

    Some commenters also urged that the Commission adopt carve-outs so 
that certain conduct would not be deemed breaches of security under the 
Rule. Commenters requested exemptions consistent with or found in HIPAA 
or

[[Page 47040]]

under State breach notification laws, such as exemptions for 
disclosures to certain types of entities or for certain purposes, or 
where there is inadvertent or unintentional access, use, or 
disclosure.\154\ Commenters also proposed safe harbors for companies 
that implement recognized security or privacy safeguards; \155\ and one 
commenter proposed safe harbors that would apply where data is shared 
with ``affiliated businesses,'' where there is inadvertent but ``good-
faith'' access by a company employee, where a company makes good faith 
efforts to inform consumers of disclosures to third parties, and where 
companies take steps to contractually limit downstream uses of the 
data.\156\ Other commenters expressed support for exempting disclosures 
of PHR identifiable health information to public health authorities for 
public health purposes, noting the amended definition could discourage 
such disclosures.\157\
---------------------------------------------------------------------------

    \154\ CHI at 4 (stating the FTC ``should explicitly except the 
same situations from disclosure that are excepted from HIPAA 
disclosures, and/or try to align exceptions with those found in 
State privacy statutes.''); CTA at 16; HIA at 2; TechNet at 3 
(arguing the Rule should adopt exemptions that encompass ``actions 
taken to prevent and detect security incidents, to comply with a 
civil, criminal, or regulatory inquiry or investigation, to 
cooperate with law enforcement agencies concerning conduct or 
activity that the data controller reasonably and in good faith 
believes may be illegal, to perform internal operations consistent 
with a consumer's expectations, and to provide a product or service 
that a consumer requested.''); CCIA at 5-6 (arguing the Rule should 
exempt disclosures relating to a host of purposes, including: 
preventing and detecting security incidents and fraud, complying 
with legal process, cooperating with law enforcement, performing 
internal operations consistent with consumer expectations, providing 
a service requested by the consumer, protecting ``the vital 
interests of the consumer,'' or processing data relating to public 
health); Chamber at 7 (arguing if the Commission does amend the 
definition of breach of security, it ``should provide exceptions for 
legitimate and societally beneficial uses of data that other privacy 
laws have for failure to honor opt-in including but not limited to 
network security, prevention and detection of fraud, protection of 
health, network maintenance, and service/product improvement.''); 
LAB at 2.
    \155\ DirectTrust at 1-2.
    \156\ ATA Action at 2.
    \157\ Network for Pub. Health L. and Texas A&M Univ. at 1-2.
---------------------------------------------------------------------------

b. Public Comments Regarding Defining ``Authorization''
    Commenters were divided as to whether the Commission should define 
``authorization.'' Some commenters supported defining ``authorization'' 
to provide greater guidance to companies, to promote transparency, and 
to discourage buried or inconspicuous disclosures relating to health 
information, or approaches to consent that are not meaningful because 
they are confusing or coercive.\158\ To further regulatory consistency, 
some commenters supported adding a definition of ``authorization'' that 
is consistent with how that term is defined in other health-related 
laws, such as under HIPAA \159\ or State health privacy laws that 
define consent or authorization (such as the California Consumer 
Privacy Rights Act \160\ or the Washington My Health, My Data 
Act).\161\
---------------------------------------------------------------------------

    \158\ AHIP at 4; Light Collective at 4; MRO at 2-3; Mozilla at 
4; CARIN Alliance at 10; Consumer Rep.'s at 9; see also PharmedOut 
at 3 (arguing that defining ``authorization'' is crucial but urging 
the Commission go further and place substantive restrictions on what 
companies can do with consumer health data.).
    \159\ AdvaMed at 7 (arguing that any definition of 
``authorization'' or ``affirmative express consent'' should take 
into account the necessity for medical technologies and medical 
technology companies to be able to operate and communicate under 
standards consistent with those governing HIPAA covered entities and 
others in the health care ecosystem. These standards permit certain 
uses and disclosures of individually identifiable health information 
without express consent where necessary for the provision of timely 
and effective health care); MRO at 3; AHIMA at 7-8.
    \160\ AHIOS at 3.
    \161\ Consumer Rep.'s at 9.
---------------------------------------------------------------------------

    By contrast, some commenters opposed defining the term, or opposed 
requiring entities under the Rule to obtain authorization before 
disclosing PHR identifiable health 
information.\162\ Commenters argued that Congress had not granted the 
Commission the authority to define ``authorization'' in the Recovery 
Act,\163\ or that doing so would import a substantive consent 
requirement that is outside the scope of the Rule, converting a breach 
notice Rule into an opt-in privacy regime.\164\ Other commenters noted 
that requiring a specifically defined authorization would create an 
inflexible standard that would not evolve with changes in 
technology.\165\ Other commenters opposed requiring consumers to review 
terms before agreeing to use a service, contending that this would not 
increase consumer understanding of those terms.\166\
---------------------------------------------------------------------------

    \162\ HIA at 2 (arguing that ``[r]outine disclosures of data 
should be allowed in certain contexts without additional need for 
authorizations''); CTA at 16-17; AdvaMed at 7-8; ACLA at 6; 
Confidentiality Coal. at 4-5.
    \163\ Confidentiality Coal. at 4-5.
    \164\ CTA at 16-17 (arguing that the Rule does not allow the 
Commission to impose ``substantive consent requirements'' that would 
be burdensome and ``likely not administrable for many companies.'').
    \165\ SIIA at 4.
    \166\ CHI at 7.
---------------------------------------------------------------------------

    Some commenters endorsed other approaches that would exempt from 
any requirement of affirmative express consent certain types of 
disclosures of PHR identifiable health information, such as to service 
providers, data processors, and entities that assist with combatting 
fraud and promoting safety.\167\ Some commenters urged a disclosure be 
deemed authorized if the disclosure is consistent with a company's 
privacy notices or policies or where applicable State privacy laws 
require affirmative consent or provide for the right to opt-out, 
without the need to define affirmative express consent under the 
Rule.\168\ One commenter argued that authorization should be met when a 
consumer agrees to opt-in to certain data sharing, such as by clicking 
a box proximate to a disclosure of material terms.\169\
---------------------------------------------------------------------------

    \167\ FPF at 10 (arguing that ``an organization may share 
information with a service provider operating on their behalf to 
provide storage; may share information to protect the safety or 
vital interests of an individual or react to a public health 
emergency; or to protect themselves against security incidents and 
fraud. In each of these situations, data protection laws typically 
invoke a variety of non-consent measures, including data 
minimization, transparency, notice to the end-user or the regulator, 
and opportunities to object.''); Chamber at 7.
    \168\ Confidentiality Coal. at 4-5; SIIA at 4; CHI at 7.
    \169\ CTA at 17.
---------------------------------------------------------------------------

3. The Commission Adopts the Proposed Changes to the Definition of 
``Breach of Security''
    After carefully considering the public comments, the Commission 
adopts the proposed amendment without change. The final rule definition 
is consistent with the statutory definition in the Recovery Act, the 
Policy Statement,\170\ and recent Commission enforcement actions under 
the Rule. The Commission notes the statutory definition in the Recovery 
Act is sufficiently broad to cover both cybersecurity intrusions as 
well as a company's intentional but unauthorized disclosures of 
consumers' PHR identifiable health information to third party 
companies. In addition, the Commission finds persuasive the comment 
noting the Recovery Act's definition of ``breach of security'' refers 
to the acquisition of PHR identifiable health information without the 
authorization of an individual, rather than the authorization of the 
entity holding the data.\171\ The definition is

[[Page 47041]]

also consistent with public comments received by the Commission in 2020 
(when the Commission announced its regular, ten-year review of the Rule 
and requested public comments about potential Rule changes \172\), 
which urged the Commission to clarify what constitutes an unauthorized 
acquisition under the Rule.\173\ Importantly, the amendment to the 
definition of ``breach of security'' in Sec.  318.2 does not depart 
from the 2009 Rule Commentary or the Commission's enforcement policy 
under the Rule. Instead, it further underscores the 2009 Rule 
Commentary and subsequent Commission enforcement actions that 
unauthorized disclosures (i.e., sharing inconsistent with consumer 
expectations) can be a ``breach of security'' that triggers the 
Rule.\174\
---------------------------------------------------------------------------

    \170\ The Commission's Policy Statement makes clear that 
``[i]ncidents of unauthorized access, including sharing of covered 
information without an individual's authorization, triggers 
notification obligations under the Rule,'' and that a breach ``is 
not limited to cybersecurity intrusions or nefarious behavior.'' 
Policy Statement at 2.
    \171\ Consumer Rep.'s at 5 (noting ``the Recovery Act frames 
breaches of security in relation to individuals, rather than to 
vendors of personal health records or PHR related entities,'' and 
defines breach of security as ``acquisition of such information 
without the authorization of the individual.'')
    \172\ 85 FR 31085 (May 22, 2020).
    \173\ See Public Comments in response to the May 2020 Request for 
Public Comments in connection with the regular, ten-year review of the 
Rule: 
AMA at 5-6 (``The FTC should define `unauthorized access' as 
presumed when entities fail to disclose to individuals how they 
access, use, process, and disclose their data and for how long data 
are retained. Specifically, an entity should disclose to individuals 
exactly what data elements it is collecting and the purpose for 
their collection''; ``[T]he FTC should define `unauthorized access' 
as presumed when an entity fails to disclose to an individual the 
specific secondary recipients of the individual's data.''); AMIA at 
2 (recommending the FTC ``[e]xpand on the concept of `unauthorized 
access' under the definition of `Breach of security,' to be presumed 
when a PHR or PHR related entity fails to adequately disclose to 
individuals how user data is accessed, processed, used, reused, and 
disclosed.''); OAG-CA at 5-6 (urging the FTC to include 
``impermissible acquisition, access, use, disclosure'' under the 
definition of breach.). These comments can be found at https://www.regulations.gov/docket/FTC-2020-0045.
    \174\ The 2009 Rule Commentary noted other examples illustrating 
that unauthorized sharing or transferring of information constitutes 
a breach of security: that the unauthorized downloading or transfer 
of information by an employee can constitute a breach of security; 
that inadvertent access by an unauthorized employee who reads or 
shares the information triggers the Rule's notification obligations; 
and that, given the highly personal nature of health information, 
``the Commission believes that consumers would want to know if such 
information was read or shared without authorization.'' See 74 FR 
42966-67.
---------------------------------------------------------------------------

    The Commission declines to adopt any specific exemptions or safe 
harbors to the definition of breach of security. Unlike the section of 
the Recovery Act that governs breach notifications under HIPAA,\175\ 
Congress did not provide for any specific, enumerated exemptions for 
breaches under the Commission's Rule. Moreover, the Commission's Rule 
provides for a rebuttable presumption for certain types of access: when 
there is unauthorized access to data, unauthorized acquisition will be 
presumed unless the entity that experienced the breach ``has reliable 
evidence showing that there has not been, or could not reasonably have 
been, unauthorized acquisition of such information.'' That is, 
companies can rebut the presumption of acquisition in instances of 
unauthorized access by providing reliable evidence disproving 
acquisition. The Commission has previously offered guidance on what 
counts as unauthorized access and reiterates that guidance here.\176\
---------------------------------------------------------------------------

    \175\ 42 U.S.C. 17921; see also U.S. Dep't of Health & Human 
Servs., Breach Notification (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/breach-notification/. Under the 
Recovery Act's definition of ``breach of security'' for the Rule 
governing HIPAA-covered entities and business associates, the 
statute explicitly provides for three exceptions: (1) unintentional 
acquisition, access, or use of protected health information by a 
workforce member or person acting under the authority of a covered 
entity or business associate, if such acquisition, access, or use 
was made in good faith and within the scope of authority; (2) the 
inadvertent disclosure of protected health information by a person 
authorized to access protected health information at a covered 
entity or business associate to another person authorized to access 
protected health information at the covered entity or business 
associate, or organized health care arrangement in which the covered 
entity participates; and (3) if the covered entity or business 
associate has a good faith belief that the unauthorized person to 
whom the impermissible disclosure was made, would not have been able 
to retain the information. See 45 CFR 164.400 through 164.414. In 
the first two cases, the information cannot be further used or 
disclosed in a manner not permitted by the Privacy Rule. These 
exceptions are not found in the provisions of the Recovery Act 
authorizing the FTC's Health Breach Notification Rule; this makes 
sense, given there is no analogous Privacy Rule, Security Rule, or 
required Business Associate agreements outside the HIPAA sphere 
governing entities covered by the FTC's Health Breach Notification 
Rule.
    \176\ The Rule continues to provide that, when there is 
unauthorized access to data, unauthorized acquisition will be 
presumed unless the entity that experienced the breach ``has 
reliable evidence showing that there has not been, or could not 
reasonably have been, unauthorized acquisition of such 
information.'' As noted in the 2009 Rule Commentary, the presumption 
was intended to address the difficulty of determining whether access 
to data (i.e., the opportunity to view the data) did or did not lead 
to acquisition (i.e., the actual viewing or reading of the data). In 
these situations, the Commission stated that the entity that 
experienced the breach is in the best position to determine whether 
unauthorized acquisition has taken place. In describing the 
rebuttable presumption, the Commission provided several examples. It 
noted that no breach of security has occurred if an unauthorized 
employee inadvertently accesses an individual's PHR and logs off 
without reading, using, or disclosing anything. If the unauthorized 
employee read the data and/or shared it, however, he or she 
``acquired'' the information, thus triggering the notification 
obligation in the Rule. Similarly, the Commission provided an 
example of a lost laptop: If an entity's employee loses a laptop in 
a public place, the information would be accessible to unauthorized 
persons, giving rise to a presumption that unauthorized acquisition 
has occurred. The entity can rebut this presumption by showing, for 
example, that the laptop was recovered, and that forensic analysis 
revealed that files were never opened, altered, transferred, or 
otherwise compromised. See 74 FR 42966.
---------------------------------------------------------------------------

4. The Commission Affirms Its Proposal Not To Define ``Authorization''
    After carefully considering the public comments, the Commission 
declines to define ``authorization,'' as that term appears in Sec.  
318.2's definition of ``breach of security.'' The Commission finds 
persuasive the public comments suggesting that imposing an affirmative 
express consent requirement would not be appropriate or warranted in 
all cases.
    The Commission believes whether a disclosure is authorized under 
the Rule is a fact-specific inquiry that will depend on the context of 
the interactions between the consumer and the company; the nature, 
recipients, and purposes of those disclosures; the company's 
representations to consumers; and other applicable laws. The Commission 
reiterates the 2009 Rule Commentary, which states a use of data is 
``authorized'' only where it is consistent with a company's disclosures 
and consumers' reasonable expectations and where there is meaningful 
choice in consenting to sharing--buried disclosures do not 
suffice.\177\
---------------------------------------------------------------------------

    \177\ The 2009 Rule Commentary states: ``[g]iven the highly 
personal nature of health information, the Commission believes that 
consumers would want to know if such information was read or shared 
without authorization.'' It further states that data sharing to 
enhance consumers' experience with a PHR is authorized only ``as 
long as such use is consistent with the entity's disclosures and 
individuals' reasonable expectations'' and that ``[b]eyond such 
uses, the Commission expects that vendors of personal health records 
and PHR related entities would limit the sharing of consumers' 
information, unless the consumers exercise meaningful choice in 
consenting to such sharing. Buried disclosures in lengthy privacy 
policies do not satisfy the standard of `meaningful choice.' '' 74 
FR 42967.
---------------------------------------------------------------------------

    The Commission's recent enforcement actions alleging violations of 
the Rule against GoodRx and Easy Healthcare further highlight that 
disclosures of PHR identifiable health information inconsistent with a 
company's privacy promises constitute an unauthorized disclosure. These 
recent Commission orders also make clear that the use of ``dark 
patterns,'' which have the effect of manipulating or deceiving 
consumers, including through use of user interfaces designed with the 
substantial effect of subverting or impairing user autonomy and 
decision-making, undercuts an entity's assertion that consumers 
exercised ``meaningful choice.''
    In response to public comments seeking more guidance on what 
constitutes an unauthorized disclosure under the Rule,\178\ the 
Commission

[[Page 47042]]

offers the following, non-exhaustive examples relating to 
authorization:
---------------------------------------------------------------------------

    \178\ TechNet at 4; Tranquil Data at 4.
---------------------------------------------------------------------------

    • Example 1--Unauthorized Disclosure (Affirmative 
Misrepresentation): A medication app offers a personal health record 
(not covered by HIPAA) which allows users to track information about 
their prescription medication history, such as prescription names, 
dosages, pharmacy and refill information, and the user's health 
conditions. The app voluntarily discloses PHR identifiable health 
information to third party companies for advertising and advertising-
related analytics, in violation of the app's privacy representations to 
its users. The third parties that receive the PHR identifiable health 
information are able to use the information for their own business 
purposes, such as to improve the third party's own products and 
services, to infer information about consumers, or to compile profiles 
about consumers to use for targeted advertising. These disclosures are 
not authorized under the Rule because they are inconsistent with 
consumer expectations--the disclosures violate the app's privacy 
representations, and consumers would also not expect their PHR 
identifiable health information (which they input into the app to track 
their medications and health conditions) would be disclosed to, and 
used by, third party companies that use the data for their own economic 
benefit.
     By contrast, disclosures of PHR identifiable health 
information by the app in Example 1 would be authorized if made to 
service providers in the following circumstances: (1) the service 
providers assist with functions that are necessary to the operation and 
functioning of the medication app, or with services the consumer 
requested; (2) the service providers are contractually prohibited from 
using, sharing, or disclosing the PHR identifiable health information 
for any purpose beyond providing services to the medication app; and 
(3) the medication app's privacy notice clearly and conspicuously 
discloses the specific purposes for which it shares users' PHR 
identifiable health information with these service providers. Such 
authorized disclosures could include those to cloud storage providers 
that host user data in the health record in a secure fashion; payment 
processors who process user payments to the app; vendors that 
facilitate refill reminders or other communications from the app 
developer that directly relate to the provision of the personal health 
record or services the consumer requested; analytics providers that 
assist with tracking analytics relating to the app's functionality; 
\179\ or companies that help to detect, prevent, or mitigate fraud or 
security vulnerabilities. Such disclosures are authorized because they 
are consistent with consumer expectations. Importantly, this sharing is 
disclosed to consumers in a clear and conspicuous manner, and is 
essential, and limited to, sharing the PHR identifiable health 
information with service providers solely to provide users with a safe 
and reliable personal health record experience.
---------------------------------------------------------------------------

    \179\ This would include an analytics provider whose services 
are essential to the proper functioning of the app and not tied to 
marketing or advertising--this includes analytics tools to assist 
with crash reporting or to assess usage patterns (such as the 
frequency of use of certain features).
---------------------------------------------------------------------------

     Example 2--Unauthorized Disclosure (Deceptive Omission). 
The medication app from Example 1 shares PHR identifiable health 
information with a third party for purposes of targeting consumers with 
ads. The app does not disclose the sharing and also fails to obtain 
affirmative express consent from users whose information it shares. The 
third party company can use the PHR identifiable health information to 
market and advertise--on behalf of the medication app, on behalf of 
other companies, or on behalf of itself. It can also use the 
information to improve its own products and services. Such disclosures 
are not authorized because they are not consistent with consumer 
expectations (i.e., without disclosure and without affirmative express 
consent, consumers would not expect that their PHR identifiable health 
information would be shared, sold, or otherwise exploited for a purpose 
other than providing the user with a personal health record, and are 
neither essential nor limited to sharing the PHR identifiable health 
information solely to provide users with a safe and reliable personal 
health record experience). This conclusion is also consistent with 
Commission enforcement actions relating to the sharing of health 
information (e.g., GoodRx and Easy Healthcare), and those relating to 
the sharing of other types of sensitive information.\180\
---------------------------------------------------------------------------

    \180\ Fed. Trade Comm'n et al. v. Vizio, Inc. et al., No. 17-cv-
00758 (D.N.J. 2017), https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3024-vizio-inc-vizio-inscape-services-llc.
---------------------------------------------------------------------------

     Example 3--Authorized Disclosure (Public Health 
Reporting): A COVID-19 contact tracing app not covered by HIPAA allows 
users to self-report their COVID-19 diagnosis, and to notify the user's 
contacts of their diagnosis, or others with whom the individual may 
have come into physical contact. PHR identifiable health information 
about the individual's COVID-19 diagnosis is transmitted to public 
health authorities for public health-related purposes, such as public 
health reporting and analysis or to track areas where the virus is 
spreading the most rapidly. The contact tracing app discloses to users 
clearly and conspicuously the specific purposes for which it shares 
their PHR identifiable health information with public health 
authorities. These disclosures are authorized, and consistent with 
consumer expectations, because they are consistent with the company's 
relationship with the consumer (a PHR that allows a user to report 
their COVID-19 diagnosis in order to notify others) and are also 
appropriately disclosed.
    Examples 1 and 3 provide guidance about scenarios in which limited 
disclosures of PHR identifiable health information are permitted 
without opt-in consent because it is necessary to provide a personal 
health record to a consumer, is consistent with consumer expectations, 
the sharing is disclosed to consumers, and (in the case of Example 1) 
the sharing is subject to protections like service provider agreements 
that limit the use of the data only for the purpose of providing that 
service to the consumer. Examples 1 and 3 are also consistent with 
HIPAA and State health privacy laws.\181\ For instance, HIPAA permits 
disclosures for treatment, payment, and operations without patient 
authorization.
---------------------------------------------------------------------------

    \181\ For example, Washington State's My Health, My Data Act 
permits sharing consumer health data to the ``extent necessary to 
provide a product or service that the consumer to whom such consumer 
health data relates has requested from such regulated entity or 
small business.'' See Revised Code of Washington (RCW) 19.373.030 
(1)(b)(ii).
---------------------------------------------------------------------------

    The Commission notes ``breach of security'' could cover more than 
just an unauthorized disclosure to a third party. For example, 
depending on the facts and scope of the authorizations, such as in the 
company's promises and disclosures to consumers, a ``breach of 
security'' could include unauthorized uses. There may be a ``breach of 
security'' where an entity exceeds authorized access to use PHR 
identifiable health information, such as where it obtains the data for 
one legitimate purpose, but later uses that data for a secondary 
purpose that was not originally authorized by the individual.
    Finally, the Commission notes unauthorized access or use of derived 
PHR identifiable health information may also constitute a breach of 
security. The Commission noted in its 2023 NPRM that PHR identifiable 
health information includes ``health

[[Page 47043]]

information derived from consumers' interactions with apps and other 
online services (such as health information generated from tracking 
technologies employed on websites or mobile applications or from 
customized records of website or mobile application interactions), as 
well as emergent health data (such as health information inferred from 
non-health-related data points, such as location and recent 
purchases).'' \182\
---------------------------------------------------------------------------

    \182\ 88 FR 37823.
---------------------------------------------------------------------------

D. Clarification of What Constitutes a ``PHR Related Entity''

1. The Commission's Proposal Regarding ``PHR Related Entity''
    The NPRM proposed to revise the definition of ``PHR related 
entity'' in two ways. Consistent with its clarification that the Rule 
applies to health apps, the Commission proposed amending the definition 
of ``PHR related entity'' to make clear the Rule covers entities that 
offer products and services through the online services, including 
mobile applications, of vendors of personal health records. In 
addition, the Commission proposed revising the definition of ``PHR 
related entity'' to provide that entities that access or send unsecured 
PHR identifiable health information to a personal health record--rather 
than entities that access or send any information to a personal health 
record--are PHR related entities.
    The Commission explained the first change (to cover online 
services) was necessary as websites are no longer the only means 
through which consumers access health information online. The 
Commission explained the second change--narrowing the scope of ``PHR 
related entities'' to entities that access or send unsecured PHR 
identifiable health information--was intended to eliminate potential 
confusion about the Rule's breadth and promote compliance by narrowing 
the scope of entities that qualify as PHR related entities.\183\ The 
Commission identified remote blood pressure cuffs, connected blood 
glucose monitors, and fitness trackers as examples of internet-
connected devices that could qualify as a PHR related entity when 
individuals sync them with a personal health record (e.g., a health 
app).\184\ The Commission explained, however, that a grocery delivery 
service that sends information about food purchases to a diet and 
fitness app would not be a PHR related entity if it does not access 
unsecured PHR identifiable health information in a personal health 
record or send unsecured PHR identifiable health information to a 
personal health record.
---------------------------------------------------------------------------

    \183\ The proposed definition stated that a PHR related entity 
is an entity, other than a HIPAA-covered entity or an entity to the 
extent that it engages in activities as a business associate of a 
HIPAA-covered entity, that (1) offers products or services through 
the website, including any online service, of a vendor of personal 
health records; (2) offers products or services through the 
websites, including any online services, of HIPAA-covered entities 
that offer individuals personal health records; or (3) accesses 
unsecured PHR identifiable health information in a personal health 
record or sends unsecured PHR identifiable health information to a 
personal health record. Although the Rule is only triggered when 
there is a breach of security involving unsecured PHR identifiable 
health information, the Commission explained it believed there is a 
benefit to revising the third prong of PHR related entity to make 
clear that only entities that access or send unsecured PHR 
identifiable health information to a personal health record--rather 
than entities that access or send any information to a personal 
health record--are PHR related entities. Otherwise, many entities 
could be a PHR related entity under the definition's third prong and 
such entities would then, in the event of a breach, need to analyze 
whether they experienced a reportable breach under the Rule. If an 
entity, per the proposed revision, does not qualify as a PHR related 
entity in the first place, there would be no need to consider 
whether it experienced a reportable breach. 88 FR 37825 n.54.
    \184\ The Commission explained, for example, the maker of a 
wearable fitness tracker may be both a vendor of personal health 
records (to the extent that its tracker interfaces with its own app, 
which also accepts consumer inputs) and a PHR related entity (to the 
extent that it sends information to another company's health app). 
The Commission noted that regardless of whether the maker of the 
fitness tracker is a vendor of personal health records or a PHR 
related entity, its notice obligations are the same: it must notify 
individuals, the FTC, and in some cases, the media, of a breach. 16 
CFR 318.3(a), 318.5(b). 88 FR 37825 n.55.
---------------------------------------------------------------------------

    The proposed Rule also revised Sec.  318.3(b) by adding language 
establishing that a third party service provider is not rendered a PHR 
related entity when it accesses unsecured PHR identifiable health 
information in the course of providing services. The Commission 
explained it did not intend for any entity (such as a firm performing 
attribution and analytics services for a health app) to be considered 
both a PHR related entity (to the extent it accesses unsecured PHR 
identifiable health information in a personal health record) and a 
third party service provider, which could create competing notice 
obligations and confuse consumers with notice from an unfamiliar 
company. The Commission explained it considers such firms to be third 
party service providers that must notify the health app developers for 
whom they provide services, who in turn would notify affected 
individuals.
    The Commission explained that distinguishing between third party 
service providers and PHR related entities would create incentives for 
responsible data stewardship and for de-identification because a firm 
would only become an entity covered by the Rule in relation to 
unsecured PHR identifiable health information. To the extent that firms 
must deal with unsecured PHR identifiable health information, PHR 
vendors would have incentives to select and retain service providers 
capable of treating data responsibly (e.g., by not engaging in any 
onward disclosures of data that could result in a reportable breach) 
and incentives to oversee their service providers to ensure ongoing 
responsible data stewardship (which would avoid a breach).
    The Commission observed in most cases, third party service 
providers are likely to be non-consumer facing. The Commission noted 
examples of PHR related entities would include, as noted above, makers 
of fitness trackers and health monitors when consumers sync their 
devices with a mobile health app. The Commission noted further examples 
of third party service providers would include entities that provide 
support or administrative functions to vendors of personal health 
records and PHR related entities.
2. Public Comments Regarding ``PHR Related Entity''
    The Commission received numerous public comments about the changes 
to the definition of PHR related entity. Most commenters supported the 
Commission's approach.\185\ One commenter, an industry association for 
advertisers, noted that addition of the term ``unsecured'' in the 
definition of ``PHR related entity'' created a limitation on the 
definition's scope that counterbalances the breadth of including ``any 
online service'' in the definition.\186\ Moreover, this commenter 
noted, the addition of ``unsecured'' creates appropriate incentives for 
firms to secure PHR identifiable health information and to choose 
partners who will be good data stewards.\187\ This commenter noted that 
limiting the definition to ``unsecured'' PHR identifiable health 
information was consistent with the original intent of the Rule, to 
cover only the most sensitive types of data not covered by HIPAA.\188\
---------------------------------------------------------------------------

    \185\ ANI at 1; AAFP at 3; AHIMA at 3; AHIOS at 4; AOA at 3; 
CARIN Alliance at 3; CDT at 12; CHIME at 3; Confidentiality Coal. at 
6; Consumer Rep.'s at 6; CHI at 5; DirectTrust at 4; EFF at 2; EPIC 
at 7.
    \186\ NAI at 4-5.
    \187\ Id. at 5.
    \188\ Id. at 4.
---------------------------------------------------------------------------

    A few commenters proposed changes to the definition of ``third 
party service provider'' to further distinguish the term from ``PHR 
related entity.'' One commenter recommended defining ``third party 
service provider'' as an

[[Page 47044]]

entity that only processes data.\189\ This commenter argued the 
Commission could then impose liability on service providers for further 
use, sale, or disclosure for incompatible purposes.\190\ Another commenter 
recommended aligning the definition of ``third party service provider'' 
with the definition of ``business associate'' under HIPAA.\191\
---------------------------------------------------------------------------

    \189\ FPF at 10.
    \190\ Id.
    \191\ AdvaMed at 8.
---------------------------------------------------------------------------

    Some commenters raised concerns that the Commission's approach did 
not provide sufficient clarity for companies trying to understand their 
obligations as either a third party service provider or PHR related 
entity.\192\ Some commenters requested more examples of types of firms 
falling within each definition (e.g., examples clearly establishing the 
status of health data brokers, health marketing firms, search engines, 
email providers, cloud storage providers) \193\--to facilitate 
compliance,\194\ avoid overlapping notice requirements \195\ and to 
prevent a loophole through which firms may attempt to avoid obtaining 
consumers' authorization for data disclosures and to avoid providing 
breach notifications.\196\ One commenter urged the Commission to exempt 
from the definition of ``PHR related entity'' any firm that complies 
with the privacy and data security requirements of HIPAA.\197\
---------------------------------------------------------------------------

    \192\ SIIA at 3; CARIN Alliance at 4.
    \193\ AHIMA at 3-4; AMIA at 3-4; CHI at 5; Direct Trust at 1; 
Light Collective at 4-5.
    \194\ SCRS at 1.
    \195\ NAI at 5.
    \196\ MRO at 3.
    \197\ AdvaMed at 5.
---------------------------------------------------------------------------

    In response to the Commission's request for comment on whether an 
analytics firm would be a third party service provider, many commenters 
responded that an analytics firm should fall within that definition 
\198\ for the reasons the Commission articulated: It would be confusing 
to consumers to receive a notice from a back-end service provider 
rather than the firm with whom the consumer has the relationship, and 
categorizing analytics firms (and firms that provide other services) as 
service providers will create incentives for PHR vendors and PHR 
related entities to choose their service providers with care. A few 
commenters, however, expressed concern about covering advertising, 
analytics, and cloud firms--and health information service providers 
(``HISPs'') more generally--as they are unable to determine whether the 
data they receive contains unsecured PHR identifiable health 
information; only the vendor of the PHR knows what their data 
transmissions contain.\199\ One commenter urged the Commission to 
address the data recipient's unawareness of the content of the data by 
creating a safe harbor that exempts advertising, analytics and cloud 
providers that contractually limit their customers, vendors, or 
partners from sharing health information with them.\200\
---------------------------------------------------------------------------

    \198\ NAI at 5; TMA at 3; Consumer Rep.'s at 11.
    \199\ CCIA at 7-8; CTA at 9-10; SIIA at 3; Direct Trust at 5.
    \200\ CTA at 13.
---------------------------------------------------------------------------

3. The Commission Adopts the Proposed Changes to ``PHR Related Entity''
    After considering the comments received, the Commission adopts the 
proposed changes regarding ``PHR related entity'' without further 
change. The Commission affirms that (1) PHR related entities include 
entities offering products and services not only through the websites 
of vendors of personal health records, but also through any online 
service, including mobile applications; (2) PHR related entities 
encompass only entities that access or send unsecured PHR identifiable 
health information to a personal health record; and (3) while some 
third party service providers may access unsecured PHR identifiable 
health information in the course of providing services, this does not 
render the third party service provider a PHR related entity.
    In response to commenters who expressed concern that certain data 
recipients will not be able to understand their obligations under the 
Rule because they are unaware of the content of the data transmissions 
they receive, the Commission highlights Sec.  318.3(b), which states: 
``For purposes of ensuring implementation of this requirement, vendors 
of personal health records and PHR related entities shall notify third 
party service providers of their status as vendors of personal health 
records or PHR related entities subject to this Part.'' This 
requirement puts data recipients on notice about the potential content 
of the data transmissions they receive.
    Firms may also facilitate compliance by stipulating by contract 
whether transmissions of data will contain unsecured PHR identifiable 
health information. Both the sender and recipient of the data can 
monitor for compliance with those contractual agreements through the 
use of automated tools, internal auditing, external auditing, or other 
mechanisms, as appropriate to the size and sophistication of the firms 
and the sensitivity of the data. For example, a large advertising 
platform that has routinely received unsecured PHR identifiable health 
information, notwithstanding partners' promises not to send this 
information, may have different obligations to monitor the data it 
receives than small firms that do not engage in high-risk activities 
where the contract precludes sending such data and there is no history 
of such transmissions.
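As an added illustration of the contractual stipulation and monitoring just described (example code written for this page, not the Commission's or any cited firm's): a sender-side allowlist that strips an analytics event down to the fields a service provider contract permits, and an audit that either party can run over a batch of events to flag health fields or identifiers outside that scope. The contract scope, field names, and sample events are all constructed for the example.

```python
"""Contract-scope check for data sent to a third party service provider.

Constructed scenario: a health app's contract with its analytics provider
lists the exact event fields the provider may receive, and PHR identifiable
health information is out of scope. Field names and events are hypothetical.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Any, Iterator

# Dotted paths the (hypothetical) service provider contract allows.
CONTRACT_ALLOWED_FIELDS = frozenset({
    "event_name", "timestamp", "app_version", "session_id",
    "properties.screen", "properties.feature",
})

# Leaf field names that, in this scenario, carry health information
# (prescriptions, conditions, whether the user paid for therapy, ...).
HEALTH_FIELD_NAMES = frozenset({
    "diagnosis", "condition", "medication", "prescription", "dosage",
    "pharmacy", "paid_for_therapy",
})

# Leaf field names that identify a person or device. Health data sent
# together with one of these is identifiable health information.
IDENTIFIER_FIELD_NAMES = frozenset({
    "device_id", "advertising_id", "user_id", "email",
})

_LIST_INDEX = re.compile(r"\[\d+\]$")


@dataclass(frozen=True)
class Finding:
    event_index: int
    field: str          # dotted path, or "*" for a whole-event finding
    reason: str


def flatten(obj: Any, prefix: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted.path, value) for every leaf of a nested JSON-like object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from flatten(value, f"{prefix}[{i}]")
    else:
        yield prefix, obj


def _leaf_name(path: str) -> str:
    return _LIST_INDEX.sub("", path.rsplit(".", 1)[-1])


def audit_events(events, allowed_fields=CONTRACT_ALLOWED_FIELDS) -> list[Finding]:
    """Flag every field outside the contract scope, with the most specific reason.

    The sender can run this before transmission and the recipient on what it
    actually received, so both sides can check transmissions against the contract.
    """
    findings: list[Finding] = []
    for index, event in enumerate(events):
        leaves = set()
        for path, _value in flatten(event):
            leaf = _leaf_name(path)
            leaves.add(leaf)
            if path in allowed_fields:
                continue
            if leaf in HEALTH_FIELD_NAMES:
                reason = "health field outside contract scope"
            elif leaf in IDENTIFIER_FIELD_NAMES:
                reason = "identifier outside contract scope"
            else:
                reason = "undisclosed field"
            findings.append(Finding(index, path, reason))
        # An identifier plus health data in one transmission is the combination
        # that makes the data identifiable, so report it as a separate finding.
        if leaves & HEALTH_FIELD_NAMES and leaves & IDENTIFIER_FIELD_NAMES:
            findings.append(Finding(index, "*", "identifier combined with health data"))
    return findings


def restrict_to_contract(event: dict, allowed_fields=CONTRACT_ALLOWED_FIELDS) -> dict:
    """Sender-side control: keep only the allowed dotted paths (no list paths)."""
    result: dict = {}
    for path, value in flatten(event):
        if path not in allowed_fields:
            continue
        parts = path.split(".")
        node = result
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return result


# Constructed sample events, as a medication/therapy app might emit them.
SAMPLE_EVENTS = [
    {"event_name": "screen_view", "timestamp": 1700000000, "app_version": "2.3.1",
     "session_id": "s-1", "properties": {"screen": "refill_reminders"}},
    {"event_name": "purchase", "timestamp": 1700000060, "app_version": "2.3.1",
     "session_id": "s-1", "device_id": "dev-abc123",
     "properties": {"screen": "checkout", "paid_for_therapy": True}},
    {"event_name": "med_added", "timestamp": 1700000120, "app_version": "2.3.1",
     "session_id": "s-2",
     "properties": {"screen": "medications",
                    "prescription": "example-drug", "dosage": "10 mg"}},
]

if __name__ == "__main__":
    for finding in audit_events(SAMPLE_EVENTS):
        print(finding)
    print(restrict_to_contract(SAMPLE_EVENTS[1]))
```

The second sample event mirrors the analytics scenario in Example 2 below (a device identifier together with whether the consumer paid for therapy); running the audit over the restricted events returns no findings.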
    The Commission believes this approach--notice to service providers 
pursuant to Sec.  318.3(b) coupled with contracts and oversight--is 
more appropriate than creating a safe harbor in the Rule that exempts 
firms that enter into contracts, as there is evidence from FTC cases 
that firms do not always abide by contractual obligations to safeguard 
data.\201\
---------------------------------------------------------------------------

    \201\ Compl. at ¶ 21, In the Matter of Flo Health, Inc., FTC 
File No. 1923133 (Jan. 13, 2021), https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc; Compl. at ¶ 14(d), 
In the Matter of UPromise, Inc., FTC File No. 1023116 (Mar. 27, 
2012), https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc; cf. Compl. at ¶ 40, U.S. v. Easy 
Healthcare Corporation, No. 1:23-cv-3107 (N.D. Ill. 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v (alleging that the defendant's 
disclosures of consumers' health information violated the policies 
of platforms to which it had agreed).
---------------------------------------------------------------------------

    The Commission declines to change the definition of ``third party 
service provider'' to distinguish it further from a ``PHR related 
entity,'' for two reasons. First, the Commission notes the current 
definitions of ``third party service provider'' and ``PHR related 
entity'' align closely with the language prescribed by section 13407 
and section 13424(b)(1)(A) of the Recovery Act. Jettisoning the current 
language entirely, as some commenters suggested, would not be 
consistent with the Recovery Act's requirements. Second, the Commission 
believes the current language, in conjunction with the examples 
provided below, will provide sufficient guidance to the market as to 
which types of firms fit within each definition.
    In response to comments that requested examples of the types of 
firms that fall into the category of ``third party service provider'' 
or ``PHR related entity,'' the Commission provides the following 
examples. The Commission believes these examples, in conjunction with 
the language in Sec.  318.3(b), will provide sufficient clarity about 
the obligations of third party service providers and PHR related 
entities to promote compliance, avoid overlapping notice, and prevent 
loopholes.

[[Page 47045]]

     Example 1: Four separate firms provide data security, 
cloud computing, advertising and analytics services to a health app (a 
personal health record), as specified by their service provider 
contracts, for the health app vendor's benefit. To perform the services 
specified in their respective contracts, the firms access unsecured PHR 
identifiable health information. The firms are ``third party service 
providers'' of the vendor of the personal health record (the maker of 
the health app) because they provide services to a vendor of a personal 
health record (the maker of the health app) in connection with the 
offering or maintenance of the app, and they access unsecured PHR 
identifiable health information as a result of these services. In the 
event of a breach, they should abide by their obligations as third 
party service providers.
     Example 2: An analytics firm provides analytics services 
to a health app (a personal health record). The analytics firm and 
health app vendor do not have a customized service provider contract, 
although the health app vendor agrees to the analytics firm's standard 
terms of service. The analytics firm accesses unsecured PHR 
identifiable health information (device identifier and whether the 
consumer has paid for therapy). The analytics firm uses that data both 
to provide analytics services to the health app and for its own 
benefit, for research and development and product improvement. The 
analytics firm is a third party service provider to the extent that it 
provides analytics services to the health app for the health app's 
benefit because it is then providing services to a vendor of a PHR in 
connection with the offering of the PHR and accessing unsecured PHR 
identifiable health information as a result of such services. However, 
the analytics firm is a PHR related entity, rather than a third party 
service provider, to the extent that it offers its services through the 
health app for its own purposes (i.e., for research and development and 
product improvement) rather than to provide the services. In the event 
of a breach, the analytics firm must fulfill its notification 
obligations under the Rule according to which function it was 
performing in connection with the breach. If the functions are 
indistinguishable, then, pursuant to Sec.  318.3(b), the Commission 
will consider the firm a third party service provider for policy 
reasons: a firm that functions, at least in part, as a service provider 
may not be consumer-facing, such that the consumer may be surprised by 
a breach notification from that entity. As a policy matter, it is 
better for the consumer to receive notice from the health app with whom 
the consumer directly interacts.
     Example 3: A health tracking website (a personal health 
record) integrates a search bar branded with its maker's logo, which 
enables its maker (a search engine firm) to offer its services through 
the website. The search engine firm is a PHR related entity because it 
offers its services through the website, which is a personal health 
record. The search bar branded with its maker's logo is consumer-
facing, so the consumer would not be surprised to receive a notice from 
that company if it experiences a reportable breach. By contrast, if the 
health tracking website had contracted with the search engine firm to 
provide back-end search services to the website (rather than offering 
its own branded product or service through the website), and the search 
engine firm had accessed unsecured PHR identifiable health information 
as a result of such services, it would be a third party service 
provider. In the event of a breach, it should abide by its obligations 
as a third party service provider.
     Example 4: Digital readings from a fitness tracker offered 
by Company A can be integrated into a sleep app offered by Company B 
(in which the consumer may input other health information). Company A 
is a PHR related entity to the extent that it offers its fitness 
tracker product through an online service (Company B's sleep app), and 
to the extent that it sends unsecured PHR identifiable health 
information (fitness tracker readings) to a personal health record (the 
sleep app).

E. Facilitating Greater Opportunity for Electronic Notice

1. The Commission's Proposal Regarding Electronic Notice
    The Commission proposed to authorize expanded use of email and 
other electronic means of providing clear and effective notice of a 
breach to consumers. In furtherance of this objective, the Commission 
proposed to update Sec.  318.5 to specify that vendors of personal 
health records or PHR related entities that discover a breach of 
security must provide written notice at the last known contact 
information of the individual. Such written notice may be sent by 
electronic mail, if an individual has specified electronic mail as the 
primary contact method, or by first-class mail. The Commission proposed 
defining ``electronic mail'' in Sec.  318.2 to mean email in 
combination with one or more of the following: text message, within-
application messaging, or electronic banner. The Commission further 
specified that any notification delivered via electronic mail should be 
clear and conspicuous, and the proposed Rule defined ``clear and 
conspicuous.'' To assist entities that are required to provide notice 
to individuals under the Rule, the Commission developed a model notice 
for entities to use to notify individuals.\202\
---------------------------------------------------------------------------

    \202\ This model notice was attached as appendix A to the NPRM. 
88 FR 37837.
---------------------------------------------------------------------------

2. Public Comments Regarding Electronic Notice
    Nearly every comment submitted on this proposed change supported 
the Commission's efforts to update the Rule to allow for greater 
electronic notice.\203\ One commenter noted electronic notices increase 
the likelihood that individuals will receive the notice, may reduce the 
time it takes for individuals to receive notice, and reduce the burden 
on entities providing notice.\204\ Many commenters also supported the 
Commission's efforts to provide notice via more than one channel 
through the new definition of ``electronic mail.'' \205\
---------------------------------------------------------------------------

    \203\ AHIP at 5; AAFP at 3; AHIMA at 5; AHIOS at 3; Anonymous 3 
at 1; Anonymous 10 at 1; Beth Barnett; CARIN Alliance at 7; CHI at 
5-6; CHIME at 4; Consumer Reports at 8-9; CTA at 21; EPIC at 10; 
HIMSS at 4; George Mathew at 1; MRO at 3; NAI at 7; Dharini 
Padmanabhan at 1; Nancy Piwowar at 1. One commenter also stated 
while there are clear advantages to allowing increased use of 
electronic notification of data breaches, this notification method 
could also increase the likelihood that breaches escape public 
scrutiny. Identity Theft Res. Ctr. (``ITRC'') at 2.
    \204\ AdvaMed at 5.
    \205\ AAFP at 3; AHIMA at 5; Anonymous 3 at 1; CARIN Alliance at 
7; CHIME at 4; CCIA at 7; EPIC at 10; NAI at 7.
---------------------------------------------------------------------------

    However, not all commenters agreed with the Commission's proposal 
and some commenters offered other suggestions. Some objected to 
defining ``electronic mail'' to mean anything more than ``email,'' 
stating that electronic mail is commonly understood to mean email and 
nothing else.\206\ A few commenters noted that defining multiple forms 
of electronic notice could result in entities collecting more 
information than necessary (and consumers having to provide more 
information than needed) in order to comply with the Rule.\207\ Others 
preferred a single notice, arguing that multiple forms of notice are 
burdensome

[[Page 47046]]

and could result in over-notification, confusion, and notice fatigue 
among consumers.\208\ One commenter stated the Commission should revise 
the definition of ``electronic mail'' to mean ``one or more of the 
following that is reasonable and appropriate based on the relationship 
between the individual and the relevant vendor of personal health 
records or PHR related entity: email, text message, within-application 
messaging, or electronic banner.'' \209\ Another commenter encouraged 
the FTC to clarify the in-app messaging method must include push 
notifications in the event of a breach so consumers are made aware of a 
breach as soon as possible.\210\ One commenter urged the Commission to 
specify in Sec.  318.5(i) that a banner notice in the affected app or a 
website home page notice must be posted for a period of 90 days.\211\ 
Another commenter noted that the different mechanisms listed in the 
proposed rule are not equivalent--this commenter noted that some are 
push notifications that a consumer is likely to see without directly 
interacting with the application, website, or device and some require 
consumer interaction with the application, website, or device in order 
to see the notification.\212\ This commenter recommended that the 
requirement be selection of one push notification but that additional 
options like in-app notifications and website banners be supported as 
additional, secondary notice options.\213\ One commenter stated the FTC 
may want to consider adding a provision allowing an individual to 
request a copy of the notice in other accessible formats, such as for 
hearing- or vision-impaired people, or in a non-English language.\214\ 
Another commenter argued the Commission should take into consideration 
TCPA and CAN-SPAM compliance regarding the delivery of electronic 
notification. Another commenter stated the Commission's proposal to 
require two contact methods imposes a higher requirement than HIPAA and 
State breach notification laws.\215\
---------------------------------------------------------------------------

    \206\ ACLA at 5; Mass. Health Data Forum (``MHDF'') at 9.
    \207\ Consumer Rep.'s at 7-8; CTA at 22. Consumer Reports 
further suggested the Commission clarify that substitute notice may 
be effectuated under the Rule via text message, in-app messaging, or 
electronic banners for consumers that do not wish to share a mailing 
or email address. Consumer Rep.'s at 8.
    \208\ AdvaMed at 6; ACLA at 5; AHIP at 5; CTA at 21-22.
    \209\ AdvaMed at 6.
    \210\ AHIMA at 5.
    \211\ TechNet at 5.
    \212\ MHDF at 10.
    \213\ Id.
    \214\ AHIP at 5.
    \215\ CHI at 6.
---------------------------------------------------------------------------

    Many commenters endorsed the Commission's proposal that any 
notification delivered via electronic mail should be ``clear and 
conspicuous,'' a newly defined term in the Rule.\216\ One commenter 
stated that consistent with FTC's desire for entities to provide a 
clear and conspicuous notice, the Commission should consider requiring 
an email subject line that starts with ``Breach of Your Health 
Information'' so that attention is appropriately drawn to the 
importance of the message content.\217\ One commenter disagreed with 
the new definition, arguing that the definition is unnecessary and 
confusing, and urged the Commission to insert the ``clear and 
conspicuous'' definition directly into Sec.  318.5 of the Rule.\218\
---------------------------------------------------------------------------

    \216\ AMA at 5; CHIME at 5; EPIC at 9.
    \217\ TMA at 4.
    \218\ NAI at 7.
---------------------------------------------------------------------------

    Regarding the model notice, nearly all who commented on this topic 
urged the Commission to make the model notice voluntary.\219\ One 
commenter suggested that using the model should be a safe harbor that 
shields entities from enforcement.\220\
---------------------------------------------------------------------------

    \219\ AdvaMed at 6; AHIP at 6; AMA at 6; CCIA at 7; CHI at 6; 
Consumer Rep.'s at 8-9; NAI at 7-8. One commenter stated that making 
the model notice mandatory can lead to industry consistency and it 
may be easier for consumers to understand the message and the 
contents if they are familiar with a uniform, standardized notice. 
AHIMA at 5. While the Commission generally agrees that uniform, 
consistent notices assist with consumer comprehension, the 
Commission declines to make the model notice compulsory because the 
facts and circumstances of each breach will vary. Plus, Sec.  318.6 
sets forth certain required elements of the content of the notice, 
so the presence of these elements in all breach notices achieves 
some degree of consistency across notices.
    \220\ AHIP at 6.
---------------------------------------------------------------------------

3. The Commission Adopts the Proposed Changes Regarding Electronic 
Notice
    The Commission adopts without change the modifications regarding 
Sec.  318.5 involving electronic notice and adopts without change the 
definition of ``electronic mail'' in Sec.  318.2. The Commission 
declines to make the other changes commenters requested. First, the 
Commission believes it is critical, especially given how consumers are 
accessing information today, to modernize the methods of notice to 
facilitate greater opportunities for electronic notice. The Commission 
believes the changes to Sec.  318.5 and the new definition of 
``electronic mail'' \221\ in Sec.  318.2 accomplish this objective.
---------------------------------------------------------------------------

    \221\ The Commission disagrees with the commenters who urged the 
Commission to avoid defining ``electronic mail'' to mean anything 
more than ``email.'' ACLA at 5; MHDF at 9. The definition in Sec.  
318.2 is clear and unambiguous. Plus, section 13402(e)(1) of the 
Recovery Act requires that notification be provided via ``written 
notification by first-class mail'' or ``electronic mail.'' 
Accordingly, the Commission must use ``electronic mail.''
---------------------------------------------------------------------------

    In response to concerns raised about the two-part electronic 
notice, the Commission agrees with commenters who stated it increases 
the likelihood that individuals will encounter such notices.\222\ The 
Commission does not agree that it is burdensome for entities to comply 
with this requirement. For example, an entity who complies with the 
notice requirement by notifying consumers via email plus posting a 
website notice likely would not need to expend significant additional 
time and resources by issuing the second part of the notice (i.e., the 
website notice), and any ``cost'' of posting such a notice is 
outweighed by the benefit to consumers of learning of a breach 
involving their health information. The Commission also is not 
persuaded that consumers who, for example, receive an email about a 
breach coupled with an in-app notice about the same breach will be 
confused. The Commission believes consumers will understand that such 
notices relate to the same incident, especially given the Rule's 
requirement that the notices be ``clear and conspicuous.'' The 
Commission also does not find it problematic that the Rule requires 
notice effectuated via ``electronic mail'' to occur via two methods 
while other breach notice laws require one method. The Commission also 
notes while these amendments are intended to facilitate greater 
electronic notice, the Rule still permits notice via first-class mail. 
Accordingly, the contention that this Rule requires two methods of 
electronic notice is incorrect.
---------------------------------------------------------------------------

    \222\ AAFP at 3-4 (noting AAFP appreciates ``the proposed 
structure of providing notice in two different electronic formats to 
increase the likelihood individuals will see them''); CHIME at 5 
(``CHIME is supportive of the FTC's approach to revise the ``method 
of notice section'' and to structure the breach notification in two 
parts in order to increase the likelihood that consumers encounter 
the notice.''); EPIC at 10 (``By requiring email and an in-app or 
website notice option, the expanded definition enables entities to 
have the best chance at notifying consumers regardless of whether 
they reliably check their email or continue to use the entity's app 
or website.''). The Commission also disagrees with the commenter who 
recommended that the Commission abandon the two-part notice and 
create a new definition of ``electronic mail'' where, for example, 
only a website notice alone would satisfy the notice requirement if 
such a notice was ``reasonable and appropriate.'' AdvaMed at 6. The 
Commission disagrees with this approach and declines to adopt it.
---------------------------------------------------------------------------

    The Commission also declines, in response to public comments,\223\ 
to mandate how notifications are effectuated when sent via ``electronic 
mail,'' as the Commission believes it is important to not be overly 
prescriptive given rapidly changing technologies.

[[Page 47047]]

The Commission emphasizes though, as described below, that the notice 
must satisfy the Rule's definition of ``clear and conspicuous.''
---------------------------------------------------------------------------

    \223\ See supra notes 210-213.
---------------------------------------------------------------------------

    Nor does the Commission believe, as some commenters argued, the 
two-part electronic notification will result in additional collections 
of information by notifying entities. The Commission agrees with 
commenters who stated entities are generally already collecting the 
information needed for notice via ``electronic mail'' and a data 
minimization issue does not exist.\224\
---------------------------------------------------------------------------

    \224\ CARIN Alliance at 6; EPIC at 10.
---------------------------------------------------------------------------

    In response to the commenter who suggested the FTC consider adding 
a provision allowing an individual to request a copy of the notice in 
other accessible formats, such as for hearing- or vision-impaired 
people, or in non-English languages,\225\ the Commission previously 
addressed a similar comment in the 2009 Rule Commentary. There, the 
Commission noted that section 13402(e)(1) of the Recovery Act requires 
that notification be provided via ``written notification by first-class 
mail'' or ``electronic mail.'' The Commission emphasized then, as we do 
today, that the Rule does not preclude notifications in accessible 
formats. The Commission supports their use in appropriate 
circumstances, in addition to the forms of notice prescribed by the 
Rule.\226\
---------------------------------------------------------------------------

    \225\ See supra note 214.
    \226\ 74 FR 42972.
---------------------------------------------------------------------------

    The Commission also adopts without modification the definition of 
``clear and conspicuous.'' The Commission agrees with the commenter who 
indicated it is imperative that a breach notice be reasonably 
understandable and call attention to the significance of the 
information that is included in the notice.\227\ The Commission 
believes its definition of ``clear and conspicuous'' will assist in 
achieving this objective. The Commission declines, however, to mandate 
specific language for the email subject line to satisfy the Rule's 
``clear and conspicuous'' requirement, as one commenter had 
suggested.\228\ The Commission emphasizes, however, that the clear and 
conspicuous requirement would require a notifying entity to use an 
email subject line that draws the reader's attention to the email 
notice. The Commission also declines to adopt the suggestion that the 
definition of ``clear and conspicuous'' be incorporated directly into 
Sec.  318.5. The Commission believes the entities seeking information 
on what ``clear and conspicuous'' means will find it clearer to consult 
the definition in Sec.  318.2.
---------------------------------------------------------------------------

    \227\ AMA at 5.
    \228\ See supra note 217.
---------------------------------------------------------------------------

    Turning to the model notice,\229\ as the Commission noted in the 
NPRM, the model was intended for entities to use, in their discretion, 
to notify individuals, and the Commission adopts the same position 
here.\230\ The model is voluntary and while the Commission believes it 
represents a best practice, using the model is not required to achieve 
compliance with the Rule.
---------------------------------------------------------------------------

    \229\ The model notice is found in appendix A.
    \230\ 88 FR 37827.
---------------------------------------------------------------------------

    The Commission declines to adopt the position that use of the model 
notice provides a safe harbor, although the Commission would take into 
consideration in an enforcement action an entity who follows the model 
notice. Further, the Commission notes an entity who follows the model 
notice can nevertheless violate the Rule in other ways. For example, an 
entity could follow the model notice but fail to provide timely notice. 
In such instances, providing a safe harbor because the entity utilized 
the model notice would be inappropriate.

F. Revisions to the Required Content of Notice

1. The Commission's Proposal Regarding Content of Notice
    The Commission proposed five changes to the content of the notice. 
First, in Sec.  318.6(a), as part of relaying what happened regarding 
the breach, the Commission proposed the notice to individuals also 
include a brief description of the potential harm that may result from 
the breach, such as medical or other identity theft. Second, the 
Commission proposed to amend the requirements for the notice under 
Sec.  318.6(a) to include the full name, website, and contact 
information (such as a public email address or phone number) of any 
third parties that acquired unsecured PHR identifiable health 
information as a result of a breach of security, if this information is 
known to the vendor of personal health records or PHR related entity 
(such as where the breach resulted from disclosures of users' sensitive 
health information without authorization). Third, the Commission 
proposed modifications to Sec.  318.6(b), which requires that the 
notice include a description of the types of unsecured PHR identifiable 
health information that were involved in the breach. The Commission 
proposed this exemplar list be expanded to include additional types of 
PHR identifiable health information, such as health diagnosis or 
condition, lab results, medications, other treatment information, the 
individual's use of a health-related mobile application, and device 
identifier. Fourth, the Commission proposed revising Sec.  318.6(d) of 
the Rule to require the notice to individuals include additional 
information providing a brief description of what the entity that 
experienced the breach is doing to protect affected individuals, such 
as offering credit monitoring or other services. Fifth, the Commission 
proposed modifying Sec.  318.6(e) so the contact procedures specified 
by the notifying entity must include two or more of the following: 
toll-free telephone number; email address; website; within-application; 
or postal address.
2. Public Comments Regarding Content of Notice
a. Proposal That Notice Include Description of Potential Harm That May 
Result From a Breach
    The Commission's proposal to modify Sec.  318.6(a) to include in 
the notice to individuals a brief description of the potential harm 
that may result from a breach drew a wide range of comments. On the one 
hand, many commenters supported the Commission's proposal.\231\ For 
example, one commenter noted this proposal would help individuals 
better understand the connection between the information breached and 
the potential harm that could result from the breach of such 
information.\232\ Other commenters stated that providing the potential 
harms from a breach better equips consumers to address injuries and 
mitigate harms from it.\233\ One commenter stated including some 
potential harms would be helpful, but notifying entities should also 
include language in the notice stating that other harms may occur.\234\ 
This same commenter suggested the Commission consider selecting the 
most common types of breaches and listing some but not all of the 
potential consequences from each.\235\
---------------------------------------------------------------------------

    \231\ AAFP at 4; AMA at 6; AOA at 5; Anonymous 3; AHIOS at 3; 
CARIN Alliance at 7-8; CHIME at 3, 6; Consumer Reports at 9-10; EFF 
at 2; EPIC at 10-11; HIMSS at 3-4; ITRC at 2; Members of the House 
of Representatives at 1-2; Dharini Padmanabhan at 1.
    \232\ AMA at 6.
    \233\ Consumer Rep.'s at 9-10; EPIC at 10-11.
    \234\ MHDF at 10-11.
    \235\ Id.
---------------------------------------------------------------------------

    On the other hand, many commenters criticized this proposal.\236\ 
Some

[[Page 47048]]

commenters argued this proposal will result in notifying entities 
having to speculate about potential harms that may never occur or 
providing a list of harms that may be incomplete.\237\ Others pointed 
out that notifying individuals about potential harms could cause 
consumer anxiety, consumer confusion, and detract from actions the 
individuals should take.\238\ One commenter noted the Commission's 
proposal might lead consumers to believe the harms listed in the notice 
are the only possible harms from a breach, when in fact consumers may 
suffer other harms not disclosed in the notice.\239\ This same 
commenter also noted it is opposed to entities stating there are no 
known harms that may result from a breach solely because a notifying 
entity is unaware of any specific bad outcomes.\240\
---------------------------------------------------------------------------

    \236\ AdvaMed at 6-7; AHIP at 6; ACLA at 4-5; Confidentiality 
Coal. at 7; CTA at 23-24; MHDF at 10; NAI at 9.
    \237\ AdvaMed at 6-7; AHIP at 6; MHDF at 10; NAI at 9.
    \238\ ACLA at 4-5; AMIA at 5; NAI at 9.
    \239\ MHDF at 10.
    \240\ Id. at 10-11.
---------------------------------------------------------------------------

b. Proposal That Notice Include Full Name, Website and Contact 
Information of Third Parties That Acquired Unsecured PHR Identifiable 
Health Information
    Next, the Commission proposed to amend the requirements for the 
notice under Sec.  318.6(a) to include the full name, website, and 
contact information (such as a public email address or phone number) of 
any third parties that acquired unsecured PHR identifiable health 
information as a result of a breach of security. Although several 
commenters supported this proposal,\241\ many others pointed out it is 
problematic in certain circumstances.\242\ A few commenters noted the 
proposal is ill-suited for security breaches, such as a hacking, where 
providing consumers with the name and contact information of an actor 
who committed a security breach (e.g., a hacker) could result in 
further malicious action against the target entity.\243\ One commenter 
noted for security breaches, the malicious actor or hacker would not be 
responsive to consumers.\244\ Further, one commenter noted this 
requirement could hamper law enforcement efforts.\245\ One commenter 
also indicated this requirement could frustrate investigative efforts 
or have a chilling effect on an inadvertent recipient from reporting a 
wrongful disclosure.\246\
---------------------------------------------------------------------------

    \241\ AAFP at 4; AHIMA at 5-6; AMA at 6; AMIA at 5; AOA at 5; 
CARIN Alliance at 7; Consumer Rep.'s at 9-10; EFF at 2; EPIC at 10-
11; HIMSS at 3-4; ITRC at 2; Members of the House of Representatives 
at 1-2.
    \242\ ACLA at 4-5; AHIP at 6; CHI at 6; Confidentiality 
Coalition at 7; CTA at 24.
    \243\ ACLA at 4-5; Confidentiality Coal. at 7.
    \244\ Confidentiality Coal. at 7.
    \245\ CTA at 24.
    \246\ AHIP at 6.
---------------------------------------------------------------------------

c. Proposal That Notice Include Description of Types of Unsecured PHR 
Identifiable Health Information Involved in a Breach
    Third, the Commission proposed modifications to Sec.  318.6(b), 
which requires the notice to individuals include a description of the 
types of unsecured PHR identifiable health information that were 
involved in the breach. The Commission proposed this exemplar list be 
expanded to include additional types of PHR identifiable health 
information, such as health diagnosis or condition, lab results, 
medications, other treatment information, the individual's use of a 
health-related mobile application, and device identifier. Several 
commenters supported this proposal.\247\ One commenter noted it is 
important for consumers to receive notice of the specific types of PHR 
identifiable health information involved in a breach, given that the 
exposure of health information can lead to a wide spectrum of 
harms.\248\ Another commenter stated providing individuals with a more 
expansive list of exposed data points will also give them a more 
complete picture of the risks they face.\249\
---------------------------------------------------------------------------

    \247\ AAFP at 4; AHIMA at 6; AMA at 6; AOA at 5; CARIN Alliance 
at 7; Consumer Rep.'s at 9-10; Ella Balasa at 2; HIMSS at 3-4; ITRC 
at 2; NAI at 9.
    \248\ Light Collective at 2.
    \249\ ITRC at 2.
---------------------------------------------------------------------------

d. Proposal That Notice Include Description of What Entity Is Doing To 
Protect Affected Individuals
    Fourth, the Commission proposed revising Sec.  318.6(d) of the Rule 
to require that the notice to individuals include additional 
information providing a brief description of what the entity that 
experienced the breach is doing to protect affected individuals, such 
as offering credit monitoring or other services. This proposal 
attracted support from multiple commenters.\250\ One commenter stated 
that informing individuals about these steps is important so that they 
know what additional actions they should take to protect themselves 
from potential harm.\251\ Another similarly stated that knowing what 
the notifying entity is doing to protect affected individuals can help 
consumers who are considering making purchase decisions for fraud 
detection or credit monitoring.\252\ One commenter stated that 
requiring notifying entities to share this information will incentivize 
them to take proactive measures to mitigate harms to consumers.\253\
---------------------------------------------------------------------------

    \250\ AAFP at 4; AMA at 6; AOA at 4; CARIN Alliance at 7-8; 
HIMSS at 3-4; ITRC at 2.
    \251\ AMA at 6.
    \252\ AHIMA at 5-6.
    \253\ Consumer Rep.'s at 9-10.
---------------------------------------------------------------------------

    Some commenters, however, raised concerns about this proposal. For 
instance, one commenter believed the Rule already encompasses this 
requirement and therefore the Commission's proposal could result in 
duplicative information being provided in the notice.\254\ Another 
commenter stated the FTC needs to go further in ensuring that 
notification requirements help consumers understand what remedies are 
available when their health information is breached.\255\
---------------------------------------------------------------------------

    \254\ Confidentiality Coal. at 7.
    \255\ Light Collective at 6-7.
---------------------------------------------------------------------------

e. Proposal That Notice Include Two or More Contact Procedures
    Fifth, the Commission proposed amendments to Sec.  318.6(e) so the 
contact procedures specified by the notifying entity in its breach 
notification must include two or more of the following: toll-free 
telephone number; email address; website; within-application; or postal 
address. Many commenters expressed support for this proposal.\256\ One 
commenter noted multiple contact options ensure that victims of all 
backgrounds and technical capabilities are able to contact the 
notifying entity to learn more about how to protect themselves after a 
breach.\257\ Another commenter noted that providing multiple contact 
options encourages and facilitates communication between the individual 
and the notifying entity.\258\ One commenter, however, expressed 
concern the proposal is burdensome, the HIPAA breach notice rule 
requires only one method of contact, and HHS has not identified any 
concerns with individuals having difficulty obtaining information from 
covered entities using one contact method under HIPAA's breach notice 
rule.\259\
---------------------------------------------------------------------------

    \256\ AAFP at 4; AHIMA at 6; AHIP at 5; Anonymous 3 at 1; AOA at 
5; CARIN Alliance at 8; Consumer Rep.'s at 9-10; EPIC at 9-10; HIMSS 
at 3-4; ITRC at 2; Dharini Padmanabhan at 1.
    \257\ AHIMA at 6.
    \258\ AMA at 6.
    \259\ AdvaMed at 6-7.
---------------------------------------------------------------------------

[[Page 47049]]

3. The Commission Changes Regarding Content of Notice
a. The Commission Declines To Adopt Proposal That Notice Include 
Description of Potential Harm That May Result From a Breach
    The Commission believes, in light of the public comments, that the 
downsides of requiring in the notice a description of the potential 
harms that may result from a breach outweigh the upsides. The 
Commission is concerned about requiring a consumer notice to include 
possible harms that may never materialize. In such cases, consumers may 
experience needless anxiety and take actions that are not necessary, 
leading to consumer frustration. The Commission also is concerned this 
proposal may result in entities describing potential harms so 
generically that the description provides minimal value to consumers, 
or, alternatively, that entities will provide a laundry list of 
potential harms, making such a list meaningless to consumers. The 
Commission also agrees with one commenter who noted this proposal might 
lead consumers to believe the harms listed in the notice are the only 
possible harms from a breach, when in fact consumers may suffer other 
harms not disclosed in the notice.\260\
---------------------------------------------------------------------------

    \260\ MHDF at 10.
---------------------------------------------------------------------------

    Accordingly, the Commission declines to adopt this proposal.\261\ 
The Commission believes the remaining elements of the content of the 
notice will supply individuals with sufficient information about a 
breach, especially given the other modifications to Sec.  318.6. The 
Commission also emphasizes in certain cases where harms are concrete 
and known, notifying entities should as a best practice inform 
individuals about those harms in the notice.
---------------------------------------------------------------------------

    \261\ The Commission has updated the model notice in appendix A 
to reflect this change.
---------------------------------------------------------------------------

b. The Commission Modifies Proposal That Notice Include Full Name, 
Website, and Contact Information of Third Parties That Acquired 
Unsecured PHR Identifiable Health Information
    In light of the public comments, the Commission is modifying Sec.  
318.6(a) to require notifying entities to provide the full name or 
identity (or where providing name or identity would pose a risk to 
individuals or the entity providing notice, a description) of the third 
parties that acquired the PHR identifiable health information as a 
result of a breach of security.\262\ The Commission believes it is 
important for consumers to know who acquired their PHR identifiable 
health information as a result of a breach. At the same time, the 
Commission acknowledges in some scenarios it could be problematic to 
require notifying entities to provide the contact information of those 
who acquired PHR identifiable health information.
---------------------------------------------------------------------------

    \262\ The Commission has updated the model notice in appendix A 
to reflect this change.
---------------------------------------------------------------------------

    Accordingly, this revised provision is intended to still provide 
individuals with information about who acquired their health 
information. Under Sec.  318.6(a), notifying entities are required to 
provide the full name or identity of the third parties that acquired 
the PHR identifiable health information as a result of a breach of 
security, except where providing the full name or identity of the third 
parties would pose a risk to affected individuals or the entity 
providing notice. In cases where providing the name or identity of the 
third parties that acquired the PHR identifiable health information as 
a result of a breach of security would pose a risk to affected 
individuals or the entity providing notice (e.g., providing the name of 
a hacker could subject affected individuals or the entity providing 
notice to further harm), Sec.  318.6(a) permits notifying entities to 
describe the type of third party (e.g., hacker) who acquired 
individuals' PHR identifiable health information.
c. The Commission Adopts Proposal That Notice Include Description of 
Types of Unsecured PHR Identifiable Health Information Involved in a 
Breach
    The Commission agrees with the many public comments supporting this 
proposal.\263\ The Commission concurs with the commenter who noted it 
is important for consumers to receive notice of the specific types of 
PHR identifiable health information involved in a breach,\264\ and the 
commenter who stated that providing affected individuals with a more 
expansive list of health data points implicated in a breach will help 
them better understand the risks they face.\265\ The Commission adopts 
this proposal without modification.
---------------------------------------------------------------------------

    \263\ See supra note 247.
    \264\ See supra note 248.
    \265\ See supra note 249.
---------------------------------------------------------------------------

d. The Commission Adopts Proposal That Notice Include Description of 
What Entity Is Doing To Protect Affected Individuals
    Several commenters supported the Commission proposal that the 
notice to individuals include a description of what the notifying 
entity is doing to protect affected individuals.\266\ The Commission 
concurs with the commenter who stated that informing affected 
individuals about the steps notifying entities are taking to protect 
them is important so that affected individuals know what additional 
actions they should take to protect themselves from potential 
harm.\267\ The Commission similarly agrees with the commenter who 
stated that knowing what the notifying entity is doing to protect 
affected individuals can help consumers who are considering making 
purchase decisions like fraud detection or credit monitoring.\268\ The 
Commission also agrees with the commenter who stated that requiring 
notifying entities to share information about what they are doing to 
protect affected individuals will incentivize notifying entities to 
take proactive measures to mitigate harms to consumers.\269\
---------------------------------------------------------------------------

    \266\ See supra note 250.
    \267\ See supra note 251.
    \268\ See supra note 252.
    \269\ See supra note 253.
---------------------------------------------------------------------------

    In response to the one commenter who noted the 2009 Rule already 
includes this proposed requirement,\270\ the Commission notes Sec.  
318.6(d) from the 2009 Rule requires notifying entities to include in 
the notice to individuals what the entity is doing to investigate the 
breach, to mitigate any losses, and to protect against any further 
breaches. Accordingly, under the 2009 Rule, there is no explicit 
requirement for the notifying entity to state in the individual notice 
what the entity is doing to protect affected individuals. Given this, 
the Commission does not believe individuals will receive duplicative 
information.
---------------------------------------------------------------------------

    \270\ See supra note 254.
---------------------------------------------------------------------------

    In response to the commenter who argued the Commission needs to 
help consumers understand post-breach remedies,\271\ the Commission 
believes this concern is addressed by the combination of Sec.  
318.6(c), which requires notifying entities to include in the notice 
steps individuals should take to protect themselves from potential harm 
resulting from the breach, and Sec.  318.6(d), which requires notifying 
entities to include in the notice the steps the notifying entity is 
taking to protect affected individuals following the breach.
---------------------------------------------------------------------------

    \271\ See supra note 255.
---------------------------------------------------------------------------

    The Commission adopts proposed Sec.  318.6(d) without modification.
e. The Commission Adopts Proposal That Notice Include Two or More 
Contact Procedures
    In response to the comment that providing two or more contact

[[Page 47050]]

procedures in the notice is burdensome,\272\ the Commission believes if 
this proposal results in any burden to notifying entities, such burden 
will be minimal given the ease with which compliance with this 
provision can be achieved, and outweighed by the benefits to consumers 
who will have increased options to communicate with notifying entities. 
Second, in response to the comment that the HIPAA Breach Notification 
Rule requires only one contact method,\273\ the Commission notes while 
there are many similarities between the FTC's and HHS's respective 
breach notification rules and the agencies have consulted to harmonize 
the two rules, there are differences between them, and the Commission 
believes it is important to update this provision to reflect new modes 
of communication and facilitate greater opportunities for communication 
between affected individuals and notifying entities.
---------------------------------------------------------------------------

    \272\ See supra note 259.
    \273\ Id.
---------------------------------------------------------------------------

    The Commission notes multiple commenters supported this 
proposal.\274\ Specifically, the Commission agrees with the commenter 
who stated multiple contact procedures enables greater opportunities 
for affected individuals to communicate with notifying entities.\275\ 
The Commission also agrees with the commenter who noted multiple 
contact options ensure that affected individuals from all backgrounds 
and technical capabilities are able to contact the notifying entity 
following a breach.\276\ The Commission therefore adopts proposed Sec.  
318.6(e) without modification.
---------------------------------------------------------------------------

    \274\ See supra note 256.
    \275\ See supra note 258.
    \276\ See supra note 257.
---------------------------------------------------------------------------

G. Timing of Notice to the FTC

1. The Commission's Proposal Regarding Timing of Notice
    Although the Commission did not propose any timing changes in the 
NPRM, the Commission requested comments on several issues related to 
timing, including the timing of the notification to the FTC. Regarding 
the notification timeline to the FTC, the Commission sought comment on 
whether it should extend the timeline to give entities more time to 
investigate breaches and better ascertain the number of affected 
individuals or whether an extension would simply facilitate dilatory 
action and minimize the opportunity for an important dialogue with 
Commission staff during the fact-gathering stage immediately following 
a breach.
2. Public Comments Regarding Timing of Notice
    Several commenters expressed support for extending the notification 
timeline to the FTC.\277\ Commenters provided several reasons why the 
existing requirement of notice to the FTC ``as soon as possible and in 
no case later than ten business days following the date of discovery of 
the breach'' for breaches involving 500 or more individuals should be 
amended. For example, commenters noted that ten days does not provide 
entities with sufficient time to adequately investigate incidents and 
fully understand the facts, possibly leading to notices that may be 
incomplete and require amendment or correction.\278\ Others commented 
that the existing requirement diverts key resources from investigating 
potential breaches, indicating when a breach is suspected or has been 
discovered, the target entity's focus should be responding to the 
incident, conducting a thorough investigation of what may have 
occurred, and addressing and mitigating vulnerabilities to ensure 
additional information is not compromised.\279\
---------------------------------------------------------------------------

    \277\ AdvaMed at 9; AHIP at 7; ACLA at 3-4; ATA Action at 2; 
CCIA at 8; CHI at 6; CTA at 20-21; TechNet at 5.
    \278\ AdvaMed at 9; ACLA at 3-4; AHIP at 7; TechNet at 5-6.
    \279\ ACLA at 3-4; CTA at 19-21.
---------------------------------------------------------------------------

    Several commenters urged the FTC to align the timeframe to notify 
the FTC with the timing requirement under HIPAA's Health Breach 
Notification Rule,\280\ which requires notification to the Secretary of 
HHS without unreasonable delay and in no case later than 60 calendar 
days following a breach.\281\ One commenter, irrespective of HIPAA, 
suggested the Commission give entities up to 60 days to investigate a 
breach and provide notification to the Commission.\282\ One commenter 
recommended the FTC adopt a ``risk-based'' notification approach 
whereby the agency could create a shorter notification timeline for 
high-risk incidents and a longer notification timeline or even no 
notification for low-risk incidents.\283\
---------------------------------------------------------------------------

    \280\ 45 CFR 164.400 through 414.
    \281\ AdvaMed at 9; AHIP at 7; ACLA at 3; ATA Action at 2; 
TechNet at 5-6.
    \282\ ACLA at 3-4.
    \283\ CTA at 19-21.
---------------------------------------------------------------------------

3. The Commission Adopts Changes to the Timing of Notice
    Having considered the public comments, the Commission agrees with 
commenters who recommended that the notification timeline to the FTC 
for breaches of security involving 500 or more individuals should be 
adjusted. The Commission agrees that in certain incidents, especially 
large, complex breaches, it can be challenging for entities to fully 
understand the scope of a breach in ten business days, leading to the 
possibility of incomplete breach notices.
    Accordingly, the Commission is revising Sec.  318.4(b) to read: 
``All notifications required under Sec.  318.5(c) involving the 
unsecured PHR identifiable health information of 500 or more 
individuals shall be provided contemporaneously with the notice 
required by paragraph (a) of this section.'' This change requires 
entities, for breaches involving 500 or more individuals, to notify the 
FTC consistent with the notice required by Sec.  318.4(a)--i.e., 
without unreasonable delay and in no case later than 60 calendar days 
after the discovery of a breach of security. This change also requires 
the notice to the FTC be sent at the same time as the notice to the 
individuals. This requirement thus ensures the notice to the FTC 
includes all of the information provided in the notice to the 
individual. It also avoids a scenario where individuals receive notice 
before the FTC receives notice and affected individuals contact the FTC 
about a breach for which the Commission has not been notified.
    As a result of this change, the Commission anticipates entities 
will have sufficient time to provide complete and fulsome notifications 
to the Commission. The Commission emphasizes, however, that notice to 
the FTC should occur ``without unreasonable delay,'' with 60 days 
serving as the outer limit.\284\ The Commission believes, consistent 
with public comments, this change effectively harmonizes the 
notification timeline to the FTC with the notification timeline to the 
Secretary of HHS under the HIPAA Breach Notification Rule.

[[Page 47051]]

The Commission also believes this notification timeline satisfies the 
Recovery Act requirement that notice be provided ``immediately.'' \285\ 
The Commission also notes this change does not affect in any way the 
timing of the notice to the FTC for breaches involving less than 500 
individuals.
---------------------------------------------------------------------------

    \284\ As the Commission stated in the 2009 Rule Commentary, in 
some cases, it may be an ``unreasonable delay'' to wait until the 
60th day to provide notification. For example, if a vendor of 
personal health records or PHR related entity learns of a breach, 
gathers all necessary information, and has systems in place to 
provide notification within 30 days, it would be unreasonable to 
wait until the 60th day to send the notice. Similarly, the 
Commission noted there may be circumstances where a vendor of 
personal health records discovers that its third party service 
provider has suffered a breach before the service provider notifies 
the vendor that the breach has occurred. In such circumstances, the 
vendor should begin taking steps to address the breach immediately, 
and should not wait until receiving notice from the service 
provider. 74 FR 42971 n.94 (2009).
    \285\ 42 U.S.C. 17932(e)(3). Like the Department of Health and 
Human Services previously concluded with respect to notification to 
the Secretary under the HIPAA Breach Notification Rule (74 FR 42753 
(2009)), the Commission concludes this interpretation satisfies the 
statutory requirement that notifications of larger breaches be 
provided to the FTC immediately as compared to the notifications of 
smaller breaches (i.e., those involving less than 500 individuals), 
which the statute allows to be reported annually to the FTC.
---------------------------------------------------------------------------

    Finally, a small number of commenters addressed other issues 
related to timing, such as the timeline for providing notice to 
consumers or the media. The Commission believes, for the reasons stated 
in the commentary accompanying the 2009 NPRM and the 2009 Rule 
Commentary, the current timelines are appropriate to give consumers and 
the media timely notice without overburdening notifying firms.\286\
---------------------------------------------------------------------------

    \286\ 74 FR 17918 (2009); 74 FR 42971 (2009).
---------------------------------------------------------------------------

H. Proposed Changes To Improve Rule's Readability

1. The Commission Proposed Changes To Promote Readability
    The Commission proposed several changes to improve the Rule's 
readability. Specifically, the Commission proposed to include 
explanatory parentheticals for internal cross-references, add statutory 
citations in relevant places, consolidate notice and timing 
requirements in single sections, and revise the Enforcement section to 
state more plainly the penalties for non-compliance.
2. Public Comments Regarding Readability
    Commenters supported the Commission's proposed changes to improve 
the Rule's readability and promote comprehension by including 
explanatory parentheticals and statutory citations.\287\ Commenters 
also expressed support for the proposed changes to improve the Rule's 
readability and promote compliance by consolidating into single 
sections, respectively, the Rule's breach notification and timing 
requirements.\288\ Commenters also favored the proposal to modify Sec.  
318.7 to make plain that a violation of the Rule constitutes a 
violation of a rule promulgated under section 18 of the FTC Act and is 
subject to civil penalties, stating this clarification will decrease 
the burden on the FTC in enforcement actions and prevent unintended 
barriers to enforcement.\289\
---------------------------------------------------------------------------

    \287\ AMA at 6; CARIN Alliance at 9.
    \288\ AHIMA at 7; AMA at 6-7.
    \289\ AHIMA at 7; AMA at 6-7; AHIOS at 5; MRO at 4. As part of 
its comment, AMA recommended the FTC, as Rule violations are filed, 
use actual examples as case study models for future educational 
resources. The Commission notes that its existing enforcement 
actions under the Rule already provide guidance for the marketplace 
and the FTC also has issued business guidance regarding the Rule. 
E.g., Fed. Trade Comm'n, Collecting, Using, or Sharing Consumer 
Health Information? Look to HIPAA, the FTC Act, and the Health 
Breach Notification Rule (Sept. 2023), https://www.ftc.gov/business-guidance/resources/collecting-using-or-sharing-consumer-health-information-look-hipaa-ftc-act-health-breach (last visited Jan. 11, 
2023); Fed. Trade Comm'n, Health Breach Notification Rule: The 
Basics for Business (Jan. 2022), https://www.ftc.gov/business-guidance/resources/health-breach-notification-rule-basics-business 
(last visited Jan. 11, 2024); Fed. Trade Comm'n, Complying with 
FTC's Health Breach Notification Rule (Jan. 2022), https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0 (last visited Jan. 11, 2024). One 
commenter also asserted the Commission was seeking to apply the 
NPRM's proposed changes retrospectively to breaches of security that 
were discovered on or after September 24, 2009. This commenter urged 
the Commission to modify Sec.  318.8 so that the Rule would only 
apply to breaches of security discovered at least 30 days after the 
effective date of this final rule. TechNet at 5-6. The 2023 NPRM set 
out the entire part for the convenience of commenters but did not 
propose any changes to Sec.  318.8. The Commission notes this 
effective date section was codified in 2009 when part 318 was added 
to the CFR and has been in effect since September 24, 2009. As 
explained in the 2009 Rule Commentary, ``the Commission does not 
have discretion to change the effective date of the rule because the 
Recovery Act establishes the effective date.'' See 74 FR 42976; see 
also 42 U.S.C. 17937(g)(1) (``The provisions of this section shall 
apply to breaches of security that are discovered on or after the 
date that is 30 days after the date of publication of such interim 
final regulations.''). The Commission emphasizes that this final 
rule does not apply retroactively.
---------------------------------------------------------------------------

3. The Commission Adopts Changes Regarding Readability
    In light of support from commenters and the Commission's belief 
that these proposed changes improve readability, the Commission adopts 
these changes without modification.\290\
---------------------------------------------------------------------------

    \290\ Relatedly, the Commission also is making a non-substantive 
grammatical change to Sec.  318.5(a)(2)(ii), which involves 
substitute notice. This provision currently states: ``Such a notice 
in media or web posting shall include a toll-free phone number, 
which shall remain active for at least 90 days, where an individual 
can learn whether or not the individual's unsecured PHR identifiable 
health information may be included in the breach.'' The Commission 
is revising Sec.  318.5(a)(2)(ii) so it reads: ``Such a notice in 
media or web posting shall include a toll-free phone number, which 
shall remain active for at least 90 days, where an individual can 
learn if the individual's unsecured PHR identifiable health 
information may have been included in the breach.'' The Commission 
made this grammatical change to improve the rule's readability; the 
change does not alter the provision's substantive meaning.
---------------------------------------------------------------------------

III. Paperwork Reduction Act

    The Paperwork Reduction Act (``PRA''), 44 U.S.C. chapter 35, 
requires Federal agencies to seek and obtain Office of Management and 
Budget (``OMB'') approval before undertaking a collection of 
information directed to ten or more persons.\291\ This final rule is 
modifying an existing collection of information,\292\ which OMB has 
approved through July 31, 2025 (OMB Control No. 3084-0150). As required 
by the PRA, the Commission sought OMB review of the modified 
information collection requirement at the time of the publication of 
the NPRM. OMB directed the Commission to resubmit its request at the 
time the final rule is published. Accordingly, simultaneously with the 
publication of this final rule, the Commission is resubmitting its 
clearance request to OMB. FTC staff has estimated the burdens 
associated with the amendments as set forth below.
---------------------------------------------------------------------------

    \291\ 44 U.S.C. 3502(3)(A)(i).
    \292\ See 44 U.S.C. 3502(3)(A)(i).
---------------------------------------------------------------------------

    FTC staff estimates the amendments to 16 CFR part 318 will likely 
result in more reportable breaches by covered entities to the FTC. In 
the event of a breach of security, the covered firms will be required 
to investigate and, if certain conditions are met, notify consumers, 
the Commission, and, in some cases, the media.\293\
---------------------------------------------------------------------------

    \293\ Third party service providers who experience a breach are 
required to notify the vendor of personal health records or PHR 
related entity, which in turn is then required to notify consumers. 
The Commission expects the cost of notification to third party 
service providers would be small, relative to the entities that have 
to notify consumers. As part of the NPRM, the Commission solicited 
public comment on this issue and data that may be used to quantify 
the costs to third party service providers. The Commission did not 
receive any responsive submissions pertaining to this issue.
---------------------------------------------------------------------------

    Based on industry reports, FTC staff estimates the amendments will 
cover approximately 193,000 entities, which, in the event they 
experience a breach, may be required to notify consumers, the 
Commission, and, in some cases, the media. While there are 
approximately 1.8 million apps in the Apple App Store \294\ and 2.4 
million apps in the Google Play Store,\295\ as of March 2024, it 
appears that roughly 193,000 of the apps offered in either store are 
categorized as ``Health and Fitness.'' \296\
---------------------------------------------------------------------------

    \294\ See App Store--Apple, https://www.apple.com/app-store/.
    \295\ See AppBrain: Number of Android Apps on Google Play (Mar 
2024), https://www.appbrain.com/stats/number-of-android-apps.
    \296\ See Business of Apps, ``App Data Report: App Store Stats, 
Downloads, Revenues and App Rankings,'' https://www.businessofapps.com/data/report-app-data/ (reporting 90,913 apps 
in the Apple iOS App Store and 102,402 apps in the Google Play Store 
were categorized as ``Health and Fitness''). Together, this suggests 
there are approximately 193,000 Health and Fitness apps. This figure 
is likely both under- and over-inclusive as a proxy for covered 
entities. For example, this figure does not include apps categorized 
elsewhere (i.e., outside ``Health and Fitness'') that may be PHRs. 
However, at the same time, this figure also overestimates the number 
of covered entities, since many developers make more than one app 
and may specialize in the Health and Fitness category.

---------------------------------------------------------------------------

[[Page 47052]]

    The Commission received three comments in response to the NPRM 
arguing the Rule's scope is broader than apps categorized as ``Health 
and Fitness'' and the NPRM's PRA analysis therefore underestimated the 
number of covered entities and the resulting number of reportable 
breaches.\297\ As discussed above,\298\ the Commission is adopting 
these amendments to clarify that the Rule applies to mobile health 
applications and similar technologies. The Commission also highlighted 
several key limitations to the Rule's scope.\299\ Thus, the figure of 
193,000 covered entities is a rough proxy for all covered PHRs, because it 
encompasses mobile health applications categorized as ``Health and 
Fitness.'' Similar health technologies are included in the roughly 
193,000 covered entities because most websites and connected health 
devices that will be covered by the amendments act in conjunction with 
an app.\300\
---------------------------------------------------------------------------

    \297\ See Chamber at 2; CHI at 6-7; CCIA at 8-9.
    \298\ See section II.1.c.
    \299\ Id.
    \300\ Indeed, one of the commenters who argued the Rule's 
coverage is broader than projected in the NPRM's PRA analysis 
acknowledged that there has been growth in the number of websites 
and apps since the 2009 PRA analysis estimated 700 covered entities 
to be covered by the Rule. Chamber at 2. Further, the approximately 
193,000 covered entities may overestimate the number of covered 
entities, as some apps or websites may not qualify as a covered 
entity given the Rule's boundaries. For example, a website or app 
must have the technical capacity to draw information from multiple 
sources and that same website or app must still be ``managed, 
shared, and controlled by or primarily for the individual'' to be 
covered by the Rule.
---------------------------------------------------------------------------

    FTC staff estimates these entities will, cumulatively, experience 
82 breaches per year for which notification may be required. With the 
proviso that there is insufficient data at this time about the number 
and incidence rate of breaches at entities covered by the amendments 
(due to underreporting prior to issuance of the Policy Statement), FTC 
staff determined the number of estimated breaches by calculating the 
breach incidence rate for HIPAA-covered entities, and then applied this 
rate to the estimated total number of entities that will be subject to 
the amendments.\301\ Additionally, as the number of breaches per year 
has grown significantly in the recent years,\302\ and FTC staff expects 
this trend to continue, FTC staff relied on the average number of 
breaches from 2021 through 2023 to estimate the annual breach incidence 
rate for HIPAA-covered entities.
---------------------------------------------------------------------------

    \301\ FTC staff used information publicly available from HHS on 
HIPAA related breaches because the HIPAA Breach Notification Rule is 
similarly constructed. However, while there are similarities between 
HIPAA-covered entities and HBNR-covered entities, it is not 
necessarily the case that rates of breaches would follow the same 
pattern. For instance, HIPAA-covered entities are generally subject 
to stronger data security requirements under HIPAA, but also may be 
more likely targets for security incidents (e.g., ransomware attacks 
on hospitals and other medical treatment centers covered by HIPAA 
have increased dramatically in recent years); thus, this number 
could be an under- or overestimate of the number of potential 
breaches per year.
    \302\ According to HHS's Office for Civil Rights (``OCR''), the 
number of breaches per year grew from 276 in 2013 to 739 breaches in 
2023. See Breach Portal, U.S. Dep't of Health & Human Servs., Office 
for Civil Rights, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (last visited March 1, 2024). The data was 
downloaded on March 1, 2024, resulting in limited data for 2024. 
Thus, breaches from 2024 were excluded from the calculations. 
However, breach investigations that remain open (under 
investigation) from years prior to 2024 are included in the count of 
yearly breaches.
---------------------------------------------------------------------------

    Specifically, HHS's OCR reported 715 breaches in 2021, 719 breaches 
in 2022, and 733 breaches in 2023,\303\ which results in an average of 
722 breaches between 2021 and 2023. Based on the 1.7 million entities 
that are covered by the HIPAA Breach Notification Rule \304\ and the 
average number of breaches for 2021-2023, FTC staff determined an 
annual breach incidence rate of 0.000425 (722/1.7 million). 
Accordingly, multiplying the breach incidence rate (0.000425) by the 
estimated number of entities covered by the amendments (193,000) 
results in an estimated 82 breaches per year.\305\
---------------------------------------------------------------------------

    \303\ See Breach Portal, U.S. Dep't of Health & Human Servs., 
Office for Civil Rights, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (last visited March 1, 2024).
    \304\ In a Federal Register publication titled ``Proposed 
Modifications to the HIPAA Privacy Rule to Support, and Remove 
Barriers to, Coordinated Care and Individual Engagement'', OCR 
proposes increasing the number of covered entities from 700,000 to 
774,331. 86 FR 6446, 6497 (Jan. 21, 2021). For purposes of 
calculating the annual breach incidence rate, FTC staff utilized 
700,000 covered entities because the proposed estimate of 774,331 
covered entities represents a projected increase that has not been 
finalized by OCR. The OCR publication also lists the number of 
covered Business Associates as 1,000,000. 86 FR 6528. FTC staff 
arrived at 1.7 million entities subject to the HIPAA Breach 
Notification Rule by adding 700,000 covered entities and 1,000,000 
Business Associates.
    \305\ One commenter argued that basing the NPRM's projection of 
the annual number of breaches on the breach incidence rate for 
HIPAA-covered entities is problematic because the NPRM's proposed 
definition of a breach of security ``goes far and beyond'' the HIPAA 
definition of a breach. CCIA at 8-9. To the extent the commenter is 
referring to the fact that the Rule's definition of breach of 
security covers unauthorized disclosures, the Commission notes the 
HIPAA Breach Notification Rule similarly covers unauthorized 
disclosures. See Breach Notification Rule, U.S. Dep't of Health & 
Human Servs., Office for Civil Rights, https://www.hhs.gov/hipaa/for-professionals/breach-notification/ (``A breach is, 
generally, an impermissible use or disclosure under the Privacy Rule 
that compromises the security or privacy of the protected health 
information.'').
---------------------------------------------------------------------------

Costs
    To determine the costs for purposes of this analysis, FTC staff has 
developed estimates for two categories of potential costs: (1) the 
estimated annual burden hours and labor cost of determining what 
information has been breached, identifying the affected customers, 
preparing the breach notice, and making the required report to the 
Commission; and (2) the estimated capital and other non-labor costs 
associated with notifying consumers.
    Estimated Annual Burden Hours: 12,300.
    Estimated Annual Labor Cost: $883,140.
    First, to determine what information has been breached, identify 
the affected customers, prepare the breach notice, and make the 
required report to the Commission, FTC staff estimates covered firms 
will require per breach, on average, 150 hours of employee labor at a 
cost of $10,770.\306\ This estimate does not include the cost of 
equipment or other tangible assets of the breached firms because they 
likely will use the equipment and other assets they have for ordinary 
business purposes. Based on the estimate that there will be 82 breaches 
per year, the annual hours of burden for affected entities will be 
12,300 hours (150 hours x 82 breaches) with an associated labor cost of 
$883,140 (82 breaches x $10,770).
---------------------------------------------------------------------------

    \306\ This estimate is the sum of 40 hours of marketing 
managerial time (at an average wage of $76.10), 40 hours of computer 
programmer time ($49.42), 20 hours of legal staff ($78.74), and 50 
hours of computer and information systems managerial time ($83.49). 
See Occupational Employment and Wage Statistics, U.S. Bureau of 
Labor Statistics (May 2022), https://www.bls.gov/oes/current/oes_nat.htm#00-0000.
---------------------------------------------------------------------------

    Estimated Capital and Other Non-Labor Costs: $91,984,370.
    The capital and non-labor costs associated with breach 
notifications depend upon the number of consumers contacted and whether 
covered firms are likely to retain the services of a forensic expert. 
For breaches affecting large numbers of consumers, covered firms are 
likely to retain the services of a forensic expert. FTC staff 
estimates, for each breach requiring the services of forensic experts, 
forensic experts will spend approximately 40 hours to assist in the 
response to the cybersecurity intrusion, at an estimated cost of 
$20,000.\307\ FTC staff estimates the

[[Page 47053]]

services of forensic experts will be required in 60% of the 82 
breaches. Based on the estimate that there will be 49 breaches per year 
requiring forensic experts (60% x 82 breaches), the annual hours burden 
for affected entities will be 1,960 hours (49 breaches requiring 
forensic experts x 40 hours) with an associated cost of $980,000 (49 
breaches requiring forensic experts x $20,000).
---------------------------------------------------------------------------

    \307\ This estimate is the sum of 40 hours of forensic expert 
time at a cost of $500 per hour, which yields a total cost of 
$20,000 (40 hours x $500/hour).
---------------------------------------------------------------------------

    Using the data on HIPAA-covered breach notices available from HHS 
for the years 2018-2023, FTC staff estimates the average number of 
individuals affected per breach is 93,497.\308\ Given an estimated 82 
breaches per year, FTC staff estimates an average of 7,666,754 
consumers per year will receive a breach notification (82 breaches x 
93,497 individuals per breach).
---------------------------------------------------------------------------

    \308\ HHS Breach Data, supra note 303. This analysis uses the 
last six years of HHS breach data to generate the average, in order 
to account for the variation in number of individuals affected by 
breaches observed in the HHS data over time.
---------------------------------------------------------------------------

    Based on a recent study of data breach costs, FTC staff estimates 
the cost of providing notice to consumers to be $11.87 per breached 
record.\309\ This estimate includes the costs of electronic notice, 
letters, outbound calls or general notice to data subjects; and 
engagement of outside experts.\310\ Applying this per-record cost to the 
above-stated estimate of 7,666,754 consumers per year receiving breach 
notification yields an estimated total annual cost for all forms of notice to 
consumers of $91,004,370 (7,666,754 consumers x $11.87 per record). 
Accordingly, the estimated capital and non-labor costs total 
$91,984,370 ($980,000 + $91,004,370).
---------------------------------------------------------------------------

    \309\ See IBM Security, Costs of a Data Breach Report 2023 
(2023), https://www.ibm.com/reports/data-breach (``2023 IBM Security 
Report''). The research for the 2023 IBM Security Report is 
conducted independently by the Ponemon Institute, and the results 
are reported and published by IBM Security. Figure 2 of the 2023 IBM 
Security Report shows that cost per record of a breach was $165 per 
record in 2023, $164 in 2022, and $161 in 2021, resulting in an 
average cost of $163.33. Figure 5 of the 2023 IBM Security Report 
shows that 8.3% ($0.37m/$4.45m) of the average cost of a data breach 
is due to ``Notification'' costs. The fraction of average breach 
costs due to ``Notification'' was 7.1% in 2022 and 6.4% in 2021 
(IBM Security, Costs of a Data Breach Reports 2022 and 2021). Using 
the average of these numbers (7.27%), FTC staff estimates that 
notification costs per record across the three years are 7.27% x 
$163.33 = $11.87 per record.
    \310\ See 2023 IBM Security Report at 72.
---------------------------------------------------------------------------

    FTC staff notes these estimates likely overstate the costs imposed 
by the amendments because FTC staff made conservative assumptions in 
developing many of the underlying estimates. Moreover, many entities 
covered by the amendments already have similar notification obligations 
under State data breach laws.\311\ In addition, the Commission has 
taken several steps designed to limit the potential burden on covered 
entities that are required to provide notice, including by providing 
exemplar notices that entities may choose to use if they are required 
to provide notifications and expanding the use of electronic 
notifications.
---------------------------------------------------------------------------

    \311\ Many State data breach notification statutes require 
notification when a breach occurs involving certain health or 
medical information of individuals in that State. See, e.g., Ala. 
Code 8-38-1 et seq.; Alaska Stat. 45.48.010 et seq.; Ariz. Rev. 
Stat. 18-551 et seq.; Ark. Code 4-110-101 et seq.; Cal. Civ. Code 
1798.80 et seq.; Cal. Health & Safety Code 1280.15; Colo. Rev. Stat. 
6-1-716; Del. Code Ann. tit. 6 12B-101 et seq.; D.C. Code 28-3851 et 
seq.; Fla. Stat. 501.171; 815 Ill. Comp. Stat. 530/5 et seq.; Md. 
Code Com. Law 14-3501 et seq.; Mo. Rev. Stat. 407.1500; Nev. Rev. 
Stat. 603A.010 et seq.; N.H. Rev. Stat. 359-C:19-C:21; N.H. Rev. 
Stat. 332-I:5; N.D. Cent. Code 51-30-01-07; Or. Rev. Stat. 646A.600-
646A.628; R.I. Gen. Laws 11-49.3-1--11-49.3-6; SDCL 22-40-19--22-40-
26; Tex. Bus. & Com. Code 521.002, 521.053, 521.151-152; 9 V.S.A. 
2430, 2435; Va. Code 18.2-186.6; Va. Code 32.1-127.1:05; Va. Code 
58.1-341.2; Wash. Rev. Code 19.255.010 et seq.
---------------------------------------------------------------------------

IV. Regulatory Flexibility Act

    The Regulatory Flexibility Act (RFA) \312\ requires that the 
Commission provide an Initial Regulatory Flexibility Analysis 
(``IRFA'') with a proposed rule and a Final Regulatory Flexibility 
Analysis (``FRFA'') with a final rule, unless the Commission certifies 
that the rule will not have a significant economic impact on a 
substantial number of small entities. As discussed in the IRFA, the 
Commission believes the final rule will not have a significant economic 
impact upon small entities.
---------------------------------------------------------------------------

    \312\ 5 U.S.C. 601-612.
---------------------------------------------------------------------------

    In this document, the Commission largely adopts the amendments 
proposed in its NPRM. The Commission believes the amendments will not 
have a significant economic impact upon small entities, although they 
may affect a substantial number of small businesses. Among other 
things, the amendments clarify certain definitions, revise the 
disclosures that must accompany notice of a breach under the Rule, and 
modernize the methods of notice to allow additional use of electronic 
notice such as email by entities affected by a breach. In addition, the 
amendments improve the Rule's readability by clarifying cross-
references and adding statutory citations. The Commission does not 
anticipate that these changes will add significant additional costs for 
entities covered by the Rule, and by authorizing electronic notice in 
additional circumstances, the amendments may reduce costs for many 
entities covered by the Rule. Therefore, the Commission certifies that 
the amendments will not have a significant economic impact on a 
substantial number of small entities. Although the Commission certifies 
under the RFA that the Rule will not have a significant impact on a 
substantial number of small entities, and hereby provides notice of 
that certification to the Small Business Administration (``SBA''), the 
Commission has determined, nonetheless, that it is appropriate to 
publish an FRFA to inquire into the impact of the proposed amendments 
on small entities.

A. Need for and Objectives of the Amendments

    The objective of the amendments is to clarify existing notice 
obligations for entities covered by the Rule. The legal basis for the 
amendments is section 13407 of the Recovery Act.

B. Significant Issues Raised in Public Comments

    Although the Commission received several comments that argued that 
the amendments would be burdensome for businesses, none argued 
specifically that smaller businesses in particular would be subject to 
special burdens. The Commission did not receive any comments filed by 
the Chief Counsel for Advocacy of the SBA.

C. Small Entities to Which the Amendments Will Apply

    The amendments, like the current Rule, will apply to vendors of 
personal health records, PHR related entities, and third party service 
providers, including developers and purveyors of health apps, connected 
health devices, and similar technologies. As discussed in the 
Commission's PRA estimates above, FTC staff estimates the amendments 
will apply to approximately 193,000 covered entities. The Commission 
estimates that a substantial number of these entities likely qualify as 
small businesses. According to the Statistics on Small Businesses 
Census data, approximately 94% of ``Software Publishers'' (the category 
to which health and fitness apps belong) are small businesses.\313\
---------------------------------------------------------------------------

    \313\ 2017 SUSB Annual Data Tables by Establishment Industry, 
U.S. Census Bureau (May 2021), https://www.census.gov/data/tables/2017/econ/susb/2017-susb-annual.html, using ``Data by Enterprise 
Receipts Size.'' The U.S. Small Business Administration (``SBA'') 
categorizes Software Publishers as a small business if the annual 
receipts are less than $41.5 million; the 2017 data is the most 
recent data available reporting receipts size.

---------------------------------------------------------------------------

D. Projected Reporting, Recordkeeping, and Other Compliance 
Requirements, Including Classes of Covered Small Entities and 
Professional Skills Needed To Comply

    The Recovery Act and the amendments contain certain reporting 
requirements. The amendments will clarify which entities are subject to 
those reporting requirements. Specifically, the Act and amendments 
require vendors of personal health records and PHR related entities to 
provide notice to consumers, the Commission, and in some cases the 
media in the event of a breach of unsecured PHR identifiable health 
information. The Act and amendments also require third party service 
providers to provide notice to vendors of personal health records and 
PHR related entities in the event of such a breach. If a breach occurs, 
each entity covered by the Act and amendments will expend costs to 
determine the extent of the breach and the individuals affected. If the 
entity is a vendor of personal health records or a PHR related entity, 
additional costs will include the costs of preparing a breach notice, 
notifying the Commission, compiling a list of consumers to whom a 
breach notice must be sent, and sending a breach notice. Such entities 
may incur additional costs in locating consumers who cannot be reached, 
and in certain cases, posting a breach notice on a website, notifying 
consumers through media advertisements, or sending breach notices 
through press releases to media outlets.
    In-house costs may include technical costs to determine the extent 
of breaches; investigative costs of conducting interviews and gathering 
information; administrative costs of compiling address lists; 
professional/legal costs of drafting the notice; and potentially, costs 
for postage, web posting, and/or advertising. Costs may also include 
the purchase of services of a forensic expert. As discussed in the 
context of the PRA, FTC staff estimates that compliance with these 
requirements will likely result in $883,148 in labor costs and 
$91,984,370 in capital and other non-labor costs. The estimated cost 
per covered entity is $481 (the total labor, capital, and non-labor 
costs of $92,867,518 divided by 193,000 covered entities). The SBA 
categorizes Software Publishers with annual receipts under $41.5 
million as a small business; the per entity cost of $481 represents 
0.0001% of this annual receipts threshold.

E. Significant Alternatives to the Amendments

    In drafting the Rule, the Commission has made every effort to avoid 
unduly burdensome requirements for entities. In particular, the 
Commission believes that the changes to facilitate electronic notice 
will assist small entities by significantly reducing the costs of 
sending breach notices. In addition, the Commission is making available 
exemplar notices that entities covered by the Rule may use, in their 
discretion, to notify individuals. The Commission anticipates these 
exemplar notices will further reduce the burden on entities that are 
required to provide notice under the Rule. The Commission is not aware 
of alternative methods of compliance that will reduce the impact of the 
amendments on small entities, while also comporting with the Recovery 
Act. The statutory requirements are specific as to the timing, method, 
and content of notice.

V. Other Matters

    Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq.), 
the Office of Information and Regulatory Affairs designated this rule 
as not a ``major rule,'' as defined by 5 U.S.C. 804(2).

List of Subjects in 16 CFR Part 318

    Breach, Consumer protection, Health, Privacy, Reporting and 
recordkeeping requirements, Trade practices.

Accordingly, the Federal Trade Commission revises and republishes 16 
CFR part 318 to read as follows:

PART 318--HEALTH BREACH NOTIFICATION RULE

Sec.
318.1 Purpose and scope.
318.2 Definitions.
318.3 Breach notification requirement.
318.4 Timeliness of notification.
318.5 Methods of notice.
318.6 Content of notice.
318.7 Enforcement.
318.8 Applicability date.
318.9 Sunset.

    Authority: 42 U.S.C. 17937 and 17953.


Sec.  318.1  Purpose and scope.

    (a) This part, which shall be called the ``Health Breach 
Notification Rule,'' implements section 13407 of the American Recovery 
and Reinvestment Act of 2009, 42 U.S.C. 17937. This part applies to 
foreign and domestic vendors of personal health records, PHR related 
entities, and third party service providers, irrespective of any 
jurisdictional tests in the Federal Trade Commission (FTC) Act, that 
maintain information of U.S. citizens or residents. This part does not 
apply to HIPAA-covered entities, or to any other entity to the extent 
that it engages in activities as a business associate of a HIPAA-
covered entity.
    (b) This part preempts State law as set forth in section 13421 of 
the American Recovery and Reinvestment Act of 2009, 42 U.S.C. 17951.


Sec.  318.2  Definitions.

    Breach of security means, with respect to unsecured PHR 
identifiable health information of an individual in a personal health 
record, acquisition of such information without the authorization of 
the individual. Unauthorized acquisition will be presumed to include 
unauthorized access to unsecured PHR identifiable health information 
unless the vendor of personal health records, PHR related entity, or 
third party service provider that experienced the breach has reliable 
evidence showing that there has not been, or could not reasonably have 
been, unauthorized acquisition of such information. A breach of 
security includes an unauthorized acquisition of unsecured PHR 
identifiable health information in a personal health record that occurs 
as a result of a data breach or an unauthorized disclosure.
    Business associate means a business associate under the Health 
Insurance Portability and Accountability Act, Public Law 104-191, 110 
Stat. 1936, as defined in 45 CFR 160.103.
    Clear and conspicuous means that a notice is reasonably 
understandable and designed to call attention to the nature and 
significance of the information in the notice.
    (1) Reasonably understandable. You make your notice reasonably 
understandable if you:
    (i) Present the information in the notice in clear, concise 
sentences, paragraphs, and sections;
    (ii) Use short explanatory sentences or bullet lists whenever 
possible;
    (iii) Use definite, concrete, everyday words and active voice 
whenever possible;
    (iv) Avoid multiple negatives;
    (v) Avoid legal and highly technical business terminology whenever 
possible; and
    (vi) Avoid explanations that are imprecise and readily subject to 
different interpretations.
    (2) Designed to call attention. You design your notice to call 
attention to the nature and significance of the information in it if 
you:
    (i) Use a plain-language heading to call attention to the notice;
    (ii) Use a typeface and type size that are easy to read;
    (iii) Provide wide margins and ample line spacing;
    (iv) Use boldface or italics for key words; and
    (v) In a form that combines your notice with other information, use 
distinctive type size, style, and graphic devices, such as shading or 
sidebars, when you combine your notice with other information. The 
notice should stand out from any accompanying text or other visual 
elements so that it is easily noticed, read, and understood.
    (3) Notices on websites or within-application messaging. If you 
provide a notice on a web page or using within-application messaging, 
you design your notice to call attention to the nature and significance 
of the information in it if you use text or visual cues to encourage 
scrolling down the page if necessary to view the entire notice and 
ensure that other elements on the website or software application (such 
as text, graphics, hyperlinks, or sound) do not distract attention from 
the notice, and you either:
    (i) Place the notice on a screen that consumers frequently access, 
such as a page on which transactions are conducted; or
    (ii) Place a link on a screen that consumers frequently access, 
such as a page on which transactions are conducted, that connects 
directly to the notice and is labeled appropriately to convey the 
importance, nature and relevance of the notice.
    Covered health care provider means a provider of services (as 
defined in 42 U.S.C. 1395x(u)), a provider of medical or other health 
services (as defined in 42 U.S.C. 1395x(s)), or any other entity 
furnishing health care services or supplies.
    Electronic mail means email in combination with one or more of the 
following: text message, within-application messaging, or electronic 
banner.
    Health care services or supplies means any online service such as a 
website, mobile application, or internet-connected device that provides 
mechanisms to track diseases, health conditions, diagnoses or 
diagnostic testing, treatment, medications, vital signs, symptoms, 
bodily functions, fitness, fertility, sexual health, sleep, mental 
health, genetic information, diet, or that provides other health-
related services or tools.
    HIPAA-covered entity means a covered entity under the Health 
Insurance Portability and Accountability Act (HIPAA), Public Law 104-
191, 110 Stat. 1936, as defined in 45 CFR 160.103.
    Personal health record (PHR) means an electronic record of PHR 
identifiable health information on an individual that has the technical 
capacity to draw information from multiple sources and that is managed, 
shared, and controlled by or primarily for the individual.
    PHR identifiable health information means information that:
    (1) Relates to the past, present, or future physical or mental 
health or condition of an individual, the provision of health care to 
an individual, or the past, present, or future payment for the 
provision of health care to an individual; and
    (i) Identifies the individual; or
    (ii) With respect to which there is a reasonable basis to believe 
that the information can be used to identify the individual; and
    (2) Is created or received by a:
    (i) Covered health care provider;
    (ii) Health plan (as defined in 42 U.S.C. 1320d(5));
    (iii) Employer; or
    (iv) Health care clearinghouse (as defined in 42 U.S.C. 1320d(2)); 
and
    (3) With respect to an individual, includes information that is 
provided by or on behalf of the individual.
    PHR related entity means an entity, other than a HIPAA-covered 
entity or an entity to the extent that it engages in activities as a 
business associate of a HIPAA-covered entity, that:
    (1) Offers products or services through the website, including any 
online service, of a vendor of personal health records;
    (2) Offers products or services through the websites, including any 
online service, of HIPAA-covered entities that offer individuals 
personal health records; or
    (3) Accesses unsecured PHR identifiable health information in a 
personal health record or sends unsecured PHR identifiable health 
information to a personal health record.
    State means any of the several States, the District of Columbia, 
Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern 
Mariana Islands.
    Third party service provider means an entity that:
    (1) Provides services to a vendor of personal health records in 
connection with the offering or maintenance of a personal health record 
or to a PHR related entity in connection with a product or service 
offered by that entity; and
    (2) Accesses, maintains, retains, modifies, records, stores, 
destroys, or otherwise holds, uses, or discloses unsecured PHR 
identifiable health information as a result of such services.
    Unsecured means PHR identifiable information that is not protected 
through the use of a technology or methodology specified by the 
Secretary of Health and Human Services in the guidance issued under 
section 13402(h)(2) of the American Reinvestment and Recovery Act of 
2009, 42 U.S.C. 17932(h)(2).
    Vendor of personal health records means an entity, other than a 
HIPAA-covered entity or an entity to the extent that it engages in 
activities as a business associate of a HIPAA-covered entity, that 
offers or maintains a personal health record.


Sec.  318.3  Breach notification requirement.

    (a) In general. In accordance with Sec. Sec.  318.4 (regarding 
timeliness of notification), 318.5 (regarding methods of notice), and 
318.6 (regarding content of notice), each vendor of personal health 
records, following the discovery of a breach of security of unsecured 
PHR identifiable health information that is in a personal health record 
maintained or offered by such vendor, and each PHR related entity, 
following the discovery of a breach of security of such information 
that is obtained through a product or service provided by such entity, 
shall:
    (1) Notify each individual who is a citizen or resident of the 
United States whose unsecured PHR identifiable health information was 
acquired by an unauthorized person as a result of such breach of 
security;
    (2) Notify the Federal Trade Commission; and
    (3) Notify prominent media outlets serving a State or jurisdiction, 
following the discovery of a breach of security, if the unsecured PHR 
identifiable health information of 500 or more residents of such State 
or jurisdiction is, or is reasonably believed to have been, acquired 
during such breach.
    (b) Third party service providers. A third party service provider 
shall, following the discovery of a breach of security, provide notice 
of the breach to an official designated in a written contract by the 
vendor of personal health records or the PHR related entity to receive 
such notices or, if such a designation is not made, to a senior 
official at the vendor of personal health records or PHR related entity 
to which it provides services, and obtain acknowledgment from such 
official that such notice was received. Such notification shall include 
the identification of each customer of the vendor of personal health 
records or PHR related entity whose unsecured PHR identifiable health 
information has been, or is reasonably believed to have been, acquired 
during such breach. For
purposes of ensuring implementation of this paragraph (b), vendors of 
personal health records and PHR related entities shall notify third 
party service providers of their status as vendors of personal health 
records or PHR related entities subject to this part. While some third 
party service providers may access unsecured PHR identifiable health 
information in the course of providing services, this does not render 
the third party service provider a PHR related entity.
    (c) Breaches treated as discovered. A breach of security shall be 
treated as discovered as of the first day on which such breach is known 
or reasonably should have been known to the vendor of personal health 
records, PHR related entity, or third party service provider, 
respectively. Such vendor, entity, or third party service provider 
shall be deemed to have knowledge of a breach if such breach is known, 
or reasonably should have been known, to any person, other than the 
person committing the breach, who is an employee, officer, or other 
agent of such vendor of personal health records, PHR related entity, or 
third party service provider.


Sec.  318.4  Timeliness of notification.

    (a) In general. Except as provided in paragraph (d) of this section 
(exception for law enforcement), all notifications required under Sec.  
318.3(a)(1) (required notice to individuals), (a)(3) (required notice 
to media), and (b) (required notice by third party service providers), 
shall be sent without unreasonable delay and in no case later than 60 
calendar days after the discovery of a breach of security.
    (b) Timing of notice to FTC. All notifications required under Sec.  
318.5(c) (regarding notice to FTC) involving the unsecured PHR 
identifiable health information of 500 or more individuals shall be 
provided contemporaneously with the notice required by paragraph (a) of 
this section. All logged notifications required under Sec.  318.5(c) 
(regarding notice to FTC) involving the unsecured PHR identifiable 
health information of fewer than 500 individuals may be sent annually 
to the Federal Trade Commission no later than 60 calendar days 
following the end of the calendar year.
    (c) Burden of proof. The vendor of personal health records, PHR 
related entity, and third party service provider involved shall have 
the burden of demonstrating that all notifications were made as 
required under this part, including evidence demonstrating the 
necessity of any delay.
    (d) Law enforcement exception. If a law enforcement official 
determines that a notification, notice, or posting required under this 
part would impede a criminal investigation or cause damage to national 
security, such notification, notice, or posting shall be delayed. This 
paragraph (d) shall be implemented in the same manner as provided under 
45 CFR 164.528(a)(2), in the case of a disclosure covered under Sec.  
164.528(a)(2).


Sec.  318.5  Methods of notice.

    (a) Individual notice. A vendor of personal health records or PHR 
related entity that discovers a breach of security shall provide notice 
of such breach to an individual promptly, as described in Sec.  318.4 
(regarding timeliness of notification), and in the following form:
    (1) Written notice at the last known address of the individual. 
Written notice may be sent by electronic mail if the individual has 
specified electronic mail as the primary method of communication. Any 
written notice sent by electronic mail must be Clear and Conspicuous. 
Where notice via electronic mail is not available or the individual has 
not specified electronic mail as the primary method of communication, a 
vendor of personal health records or PHR related entity may provide 
notice by first-class mail at the last known address of the individual. 
If the individual is deceased, the vendor of personal health records or 
PHR related entity that discovered the breach must provide such notice 
to the next of kin of the individual if the individual had provided 
contact information for his or her next of kin, along with 
authorization to contact them. The notice may be provided in one or 
more mailings as information is available.
    (2) If, after making reasonable efforts to contact all individuals 
to whom notice is required under Sec.  318.3(a), through the means 
provided in paragraph (a)(1) of this section, the vendor of personal 
health records or PHR related entity finds that contact information for 
ten or more individuals is insufficient or out-of-date, the vendor of 
personal health records or PHR related entity shall provide substitute 
notice, which shall be reasonably calculated to reach the individuals 
affected by the breach, in the following form:
    (i) Through a conspicuous posting for a period of 90 days on the 
home page of its website; or
    (ii) In major print or broadcast media, including major media in 
geographic areas where the individuals affected by the breach likely 
reside. Such a notice in media or web posting shall include a toll-free 
phone number, which shall remain active for at least 90 days, where an 
individual can learn if the individual's unsecured PHR identifiable 
health information may have been included in the breach.
    (3) In any case deemed by the vendor of personal health records or 
PHR related entity to require urgency because of possible imminent 
misuse of unsecured PHR identifiable health information, that entity 
may provide information to individuals by telephone or other means, as 
appropriate, in addition to notice provided under paragraph (a)(1) of 
this section.
    (b) Notice to media. As described in Sec.  318.3(a)(3), a vendor of 
personal health records or PHR related entity shall provide notice to 
prominent media outlets serving a State or jurisdiction, following the 
discovery of a breach of security, if the unsecured PHR identifiable 
health information of 500 or more residents of such State or 
jurisdiction is, or is reasonably believed to have been, acquired 
during such breach.
    (c) Notice to FTC. Vendors of personal health records and PHR 
related entities shall provide notice to the Federal Trade Commission 
following the discovery of a breach of security, as described in Sec.  
318.4(b) (regarding timing of notice to FTC). If the breach involves 
the unsecured PHR identifiable health information of fewer than 500 
individuals, the vendor of personal health records or PHR related 
entity may maintain a log of any such breach and submit such a log 
annually to the Federal Trade Commission as described in Sec.  318.4(b) 
(regarding timing of notice to FTC), documenting breaches from the 
preceding calendar year. All notices pursuant to this paragraph (c) 
shall be provided according to instructions at the Federal Trade 
Commission's website.
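As an added example (not part of the rule text or any FTC material), the following Python encodes the obligations of Secs. 318.3 through 318.5 as an incident-response planner: who must be notified, by when, and through which channel, given a breach record. The Individual/AwarenessEvent types, their field names, the role strings and the sample breach are constructed assumptions for this example; the thresholds and windows are the ones stated in the rule.

```python
"""Notification planner for the FTC Health Breach Notification Rule (16 CFR part 318).

Added example; types, field names and sample data are assumptions, not FTC material.
Thresholds and windows come from Secs. 318.3-318.5 of the rule.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_WINDOW_DAYS = 60               # Sec. 318.4(a): no later than 60 calendar days after discovery
MEDIA_THRESHOLD = 500                 # Sec. 318.3(a)(3): 500+ residents of one State or jurisdiction
FTC_CONTEMPORANEOUS_THRESHOLD = 500   # Sec. 318.4(b): 500+ individuals -> contemporaneous FTC notice
SUBSTITUTE_NOTICE_THRESHOLD = 10      # Sec. 318.5(a)(2): 10+ unreachable individuals -> substitute notice
SUBSTITUTE_POSTING_DAYS = 90          # Sec. 318.5(a)(2)(i)-(ii): 90-day posting / toll-free line


@dataclass
class Individual:                     # assumed record shape
    state: str                        # State or jurisdiction of residence
    us_resident: bool = True          # Sec. 318.3(a)(1): only U.S. citizens/residents must be notified
    email_primary: bool = False       # Sec. 318.5(a)(1): chose electronic mail as primary channel
    contact_valid: bool = True        # False = contact information insufficient or out of date


@dataclass
class AwarenessEvent:                 # assumed record shape
    when: date
    is_perpetrator: bool              # Sec. 318.3(c): the perpetrator's knowledge does not start the clock


def discovery_date(events):
    """Sec. 318.3(c): first day the breach was known (or reasonably should have been
    known) to any employee, officer or agent other than the person committing it."""
    dates = [e.when for e in events if not e.is_perpetrator]
    if not dates:
        raise ValueError("no non-perpetrator awareness event; breach not yet discovered")
    return min(dates)


def annual_log_deadline(discovered):
    """Sec. 318.4(b): logged sub-500 breaches may be reported to the FTC no later
    than 60 calendar days after the end of the calendar year of discovery."""
    return date(discovered.year, 12, 31) + timedelta(days=NOTICE_WINDOW_DAYS)


def notification_plan(role, individuals, events, law_enforcement_hold=False):
    """Return the notices owed by a 'vendor' / 'phr_related_entity' (Sec. 318.3(a))
    or a 'third_party_service_provider' (Sec. 318.3(b)) for the given breach."""
    discovered = discovery_date(events)
    deadline = discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    plan = {"discovered": discovered, "deadline": deadline,
            "law_enforcement_hold": law_enforcement_hold}    # Sec. 318.4(d): delays, never waives
    if role == "third_party_service_provider":
        # Sec. 318.3(b): notify the designated or senior official and obtain acknowledgment
        plan["notify"] = "vendor_or_phr_related_entity_official"
        plan["acknowledgment_required"] = True
        return plan
    covered = [i for i in individuals if i.us_resident]
    # Sec. 318.5(a)(1): electronic mail only where the individual chose it, else first-class mail
    plan["individual_notice"] = {
        "electronic_mail": sum(1 for i in covered if i.email_primary and i.contact_valid),
        "first_class_mail": sum(1 for i in covered if not i.email_primary and i.contact_valid),
    }
    unreachable = sum(1 for i in covered if not i.contact_valid)
    plan["substitute_notice"] = unreachable >= SUBSTITUTE_NOTICE_THRESHOLD
    plan["substitute_posting_days"] = SUBSTITUTE_POSTING_DAYS if plan["substitute_notice"] else 0
    by_state = Counter(i.state for i in covered)
    plan["media_notice_states"] = sorted(s for s, n in by_state.items() if n >= MEDIA_THRESHOLD)
    if len(covered) >= FTC_CONTEMPORANEOUS_THRESHOLD:
        plan["ftc_notice"] = {"timing": "contemporaneous", "deadline": deadline}
    else:
        plan["ftc_notice"] = {"timing": "annual_log", "deadline": annual_log_deadline(discovered)}
    return plan


def sample_plan(n_tx=520, n_oh=30, stale=12):
    """Constructed sample breach (not real data): n_tx Texas residents who chose
    electronic mail, n_oh Ohio residents notified by post, 'stale' of them unreachable.
    The insider who caused the breach knew on Aug 1; an analyst found it on Aug 5."""
    people = ([Individual("TX", email_primary=True) for _ in range(n_tx)]
              + [Individual("OH", contact_valid=(k >= stale)) for k in range(n_oh)])
    events = [AwarenessEvent(date(2024, 8, 1), is_perpetrator=True),
              AwarenessEvent(date(2024, 8, 5), is_perpetrator=False)]
    return notification_plan("vendor", people, events)


if __name__ == "__main__":
    for key, value in sample_plan().items():
        print(f"{key}: {value}")
```

Note that the plan only reflects who must be told and by when; the content requirements of Sec. 318.6 still apply to every notice it schedules.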


Sec.  318.6  Content of notice.

    Regardless of the method by which notice is provided to individuals 
under Sec.  318.5 (regarding methods of notice), notice of a breach of 
security shall be in plain language and include, to the extent 
possible, the following:
    (a) A brief description of what happened, including: the date of 
the breach and the date of the discovery of the breach, if known; and 
the full name or identity (or, where providing the full name or 
identity would pose a risk to individuals or the entity providing 
notice, a description) of any third parties that acquired unsecured PHR 
identifiable health information as a result of a breach of security, if 
this information is known to the vendor of
personal health records or PHR related entity;
    (b) A description of the types of unsecured PHR identifiable health 
information that were involved in the breach (such as but not limited 
to full name, Social Security number, date of birth, home address, 
account number, health diagnosis or condition, lab results, 
medications, other treatment information, the individual's use of a 
health-related mobile application, or device identifier (in combination 
with another data element));
    (c) Steps individuals should take to protect themselves from 
potential harm resulting from the breach;
    (d) A brief description of what the entity that experienced the 
breach is doing to investigate the breach, to mitigate harm, to protect 
against any further breaches, and to protect affected individuals, such 
as offering credit monitoring or other services; and
    (e) Contact procedures for individuals to ask questions or learn 
additional information, which must include two or more of the 
following: toll-free telephone number; email address; website; within-
application; or postal address.


Sec.  318.7  Enforcement.

    Any violation of this part shall be treated as a violation of a 
rule promulgated under section 18 of the Federal Trade Commission Act, 
15 U.S.C. 57a, regarding unfair or deceptive acts or practices, and 
thus subject to civil penalties (as adjusted for inflation pursuant to 
Sec.  1.98 of this chapter), and the Commission will enforce this part 
in the same manner, by the same means, and with the same jurisdiction, 
powers, and duties as are available to it pursuant to the Federal Trade 
Commission Act, 15 U.S.C. 41 et seq.


Sec.  318.8  Applicability date.

    This part shall apply to breaches of security that are discovered 
on or after September 24, 2009.


Sec.  318.9  Sunset.

    If new legislation is enacted establishing requirements for 
notification in the case of a breach of security that apply to entities 
covered by this part, the provisions of this part shall not apply to 
breaches of security discovered on or after the effective date of 
regulations implementing such legislation.

    By direction of the Commission, Commissioners Holyoak and Ferguson 
dissenting.

April J. Tabor,
Secretary.

    Note: The following appendices will not appear in the Code of 
Federal Regulations.

Appendix A--Health Breach Notification Rule Exemplar Notices

    The notices below are intended to be examples of notifications 
that entities may use, in their discretion, to notify individuals of 
a breach of security pursuant to the Health Breach Notification 
Rule. The examples below are for illustrative purposes only. You 
should tailor any notices to the particular facts and circumstances 
of your breach. While your notice must comply with the Health Breach 
Notification Rule, you are not required to use the notices below.

Mobile Text Message and In-App Message Exemplars

Text Message Notification Exemplar 1

    Due to a security breach on our system, the health information 
you shared with us through [name of product] is now in the hands of 
unknown attackers. Visit [add non-clickable URL] to learn what 
happened, how it affects you, and what you can do to protect your 
information. We also sent you an email with additional information.

Text Message Notification Exemplar 2

    You shared health information with us when you used [product 
name]. We discovered that we shared your health information with 
third parties for [describe why the company shared the info] without 
your permission. Visit [add non-clickable URL] to learn what 
happened, how it affects you, and what you can do to protect your 
information. We also sent you an email with more information.

In-App Message Notification Exemplar 1

    Due to a security breach on our system, the health information 
you shared with us through [name of product] is now in the hands of 
unknown attackers. This could include your [Add specifics--for 
example, your name, email, address, blood pressure data]. Visit 
[URL] to learn what happened, how it affects you, and what you can 
do to protect your information. We also sent you an email with 
additional information.

In-App Message Notification Exemplar 2

    You shared health information with us when you used [product 
name]. We discovered that we shared your health information with 
third parties for [if known, describe why the company shared the 
info] without your permission. This could include your [Add 
specifics--for example, your name, email, address, blood pressure 
data]. Visit [URL] to learn what happened, how it affects you, and 
what you can do to protect your information. We also sent you an 
email with additional information.

Web Banner Exemplars

Web Banner Notification Exemplar 1

    Due to a security breach on our system, the health information 
you shared with us through [name of product] is now in the hands of 
unknown attackers. This could include your [Add specifics--for 
example, your name, email, address, blood pressure data]. Visit 
[URL] to learn what happened, how it affects you, and what you can 
do to protect your information.
     Recommend: Include clear ``Take action'' call to action 
button, such as the example below:
[GRAPHIC] [TIFF OMITTED] TR30MY24.018

Web Banner Notification Exemplar 2

    You shared health information with us when you used [product 
name]. We discovered that we shared your health information with 
third parties for [if known, describe why the company shared the 
info] without your permission. This could include your [Add 
specifics--for example, your name, email, address, blood pressure 
data]. Visit [URL] to learn what happened, how it affects you, and 
what you can do to protect your information.
     Recommend: Include clear ``Take action'' call to action 
button, such as the example below:
[GRAPHIC] [TIFF OMITTED] TR30MY24.019

Email Exemplars

Exemplar Email Notice 1

Email Sender: [Company] 
Email Subject Line: [Company] Breach of Your Health Information
Dear [Name],

    We are contacting you because an attacker recently gained 
unauthorized access to our system and stole health information about 
our customers, including you.
    What happened and what it means for you
    On [March 1, 2024], we learned that an attacker had accessed a 
file containing our customers' health information on [February 28, 
2024]. The file included your name, the name of your health 
insurance company, your date of birth, and your group or policy 
number.
    What you can do to protect yourself
    You can take steps now to reduce the risk of identity theft.
    1. Review your medical records, statements, and bills for signs 
that someone is using your information. Under the health privacy law 
known as HIPAA, you have the right to access your medical records. 
Get your records and review them for any treatments or doctor visits 
you don't recognize. If you find any, report them to your healthcare 
provider in writing. Then go to www.IdentityTheft.gov/steps to see 
what other steps you can take to limit the damage.
    Also review the Explanation of Benefits statement your insurer 
sends you when it pays for medical care.
    Some criminals wait before using stolen information so keep 
monitoring your benefits and bills.
    2. Review your credit reports for errors. You can get your free 
credit reports from the three credit bureaus at 
www.annualcreditreport.com or call 1-877-322-8228. Look for medical 
billing errors, like medical debt collection notices that you don't 
recognize. Report any medical billing errors to all three credit 
bureaus by following the ``What To Do Next'' steps on 
www.IdentityTheft.gov.
    3. Sign up for free credit monitoring to detect suspicious 
activity. Credit monitoring detects and alerts you about activity on 
your credit reports. Activity you don't recognize could be a sign 
that someone stole your identity. We're offering free credit 
monitoring for two years through [name of service]. Learn more and 
sign up at [URL].
    4. Consider freezing your credit report or placing a fraud alert 
on your credit report. A credit report freeze means potential 
creditors can't get your credit report without your permission. That 
makes it less likely that an identity thief can open new accounts in 
your name. A freeze remains in place until you ask the credit bureau 
to temporarily lift it or remove it.
    A fraud alert will make it harder for someone to open a new 
credit account in your name. It tells creditors to contact you 
before they open any new accounts in your name or change your 
accounts. A fraud alert lasts for one year. After a year, you can 
renew it.
    To freeze your credit report, contact each of the three credit 
bureaus, Equifax, Experian, and TransUnion.
    To place a fraud alert, contact any one of the three credit 
bureaus, Equifax, Experian, and TransUnion. As soon as one credit 
bureau confirms your fraud alert, the others are notified to place 
fraud alerts on your credit report.
    Credit bureau contact information

Equifax, www.equifax.com/personal/credit-report-services, 1-800-685-1111
Experian, www.experian.com/help, 1-888-397-3742
TransUnion, www.transunion.com/credit-help, 1-888-909-8872

    Learn more about how credit report freezes and fraud alerts can 
protect you from identity theft or prevent further misuse of your 
personal information at www.consumer.ftc.gov/articles/what-know-about-credit-freezes-and-fraud-alerts.
    What we are doing in response
    We hired security experts to secure our system. We are working 
with law enforcement to find the attacker. And we are investigating 
whether we made mistakes that made it possible for the attackers to 
get in.
    Learn more about the breach.
    Go to [URL] to learn more about what happened and what you can 
do to protect yourself. If we have any updates, we will post them 
there.
    If you have questions or concerns, call us at [telephone 
number], email us at [address], or go to [URL].

Sincerely,
First name Last Name
[Role], [Company]

Exemplar Email Notice 2

Email Sender: [Company] 
Email Subject Line: Unauthorized disclosure of your health 
information by [Company]

Dear [Name],

    We are contacting you because you use our company's app [name of 
app]. When you downloaded our app, we promised to keep your personal 
health information private. Instead, we disclosed health information 
about you without your approval.
    What happened?
    We told [insert Company name, identity, or, where providing full 
name or identity would pose a risk to individuals or the entity 
providing notice, a description of type of company] that you use our 
app, and between [January 10, 2024] and [March 1, 2024], we gave 
them your name and your email address.
    We gave [insert Company name, identity, or where providing full 
name or identity would pose a risk to individuals or the entity 
providing notice, a description of type of company] this information 
so they could use it for advertising and marketing purposes. For 
example, to target you for ads for cancer drugs.
    What we are doing in response
    We will stop selling or sharing your health information with 
other companies. We will stop using your health information for 
advertising or marketing purposes. We have asked Company XYZ to 
delete your health information, but it's possible they could 
continue to use it for advertising and marketing.
    What you can do
    We made important changes to our app to fix this problem. 
Download the latest updates to our app then review your privacy 
settings. You can also contact Company XYZ to request that it delete 
your data.
    Learn more
    Learn more about our privacy and security practices at [URL]. If 
we have any updates, we will post them there.
    If you have any questions or concerns, call us at [telephone 
number] or email us at [address].

Sincerely,

First name Last Name
[Role], [Company]

Exemplar Email Notice 3

Email Sender: [Company] 
Email Subject Line: [Company] Breach of Your Health Information

Dear [Name],

    We are contacting you about a breach of your health information 
collected through the [product], a device sold by our company, 
[Company].
    What happened?
    On [March 1, 2024], we discovered that our employee had 
accidentally posted a database online on [February 28, 2024]. That 
database included your name, your credit or debit card information, 
and your blood pressure readings. We don't know if anyone else found 
the database and saw your information. If someone found the 
database, they could use personal information to steal your identity 
or make unauthorized charges in your name.
    What you can do to protect yourself
    You can take steps now to reduce the risk of identity theft.
    1. Get your free credit report and review it for signs of 
identity theft. Order your free credit report at 
www.annualcreditreport.com. Review it for accounts and activity you 
don't recognize. Recheck your credit reports periodically.
    2. Consider freezing your credit report or placing a fraud alert 
on your credit report. A credit report freeze means potential 
creditors can't get your credit report without your permission. That 
makes it less likely that an identity thief can open new accounts in 
your name. A freeze remains in place until you ask the credit bureau 
to temporarily lift it or remove it.
    A fraud alert will make it harder for someone to open a new 
credit account in your name. It tells creditors to contact you 
before they open any new accounts in your name or change your 
accounts. A fraud alert lasts for one year. After a year, you can 
renew it.
    To freeze your credit report, contact each of the three credit 
bureaus, Equifax, Experian, and TransUnion.
    To place a fraud alert, contact any one of the three credit 
bureaus, Equifax, Experian, and TransUnion. As soon as one credit 
bureau confirms your fraud alert, the others are notified to place 
fraud alerts on your credit report.
    Credit bureau contact information

Equifax, www.equifax.com/personal/credit-report-services, 1-800-685-1111
Experian, www.experian.com/help, 1-888-397-3742
TransUnion, www.transunion.com/credit-help, 1-888-909-8872

    Learn more about how credit report freezes and fraud alerts can 
protect you from identity theft or prevent further misuse of your 
personal information at www.consumer.ftc.gov/articles/what-know-about-credit-freezes-and-fraud-alerts.
    3. Sign up for free credit monitoring to detect suspicious 
activity. Credit monitoring detects and alerts you about activity on 
your credit reports. Activity you don't recognize could be a sign 
that someone stole your identity. We're offering free credit 
monitoring for two years through [name of service]. Learn more and 
sign up at [URL].
    What we are doing in response
    We are investigating our mistakes. We know the database 
shouldn't have been online and it should have been encrypted. We are 
making changes to prevent this from happening again.
    We are working with experts to secure our system. We are 
reviewing our databases to make sure we store health information 
securely.
    Learn more about the breach.
    Go to [URL] to learn more about what happened and what you can 
do to protect yourself. If we have any updates, we will post them 
there.
    If you have questions or concerns, call us at [telephone 
number], email us at [address], or go to [URL].

Sincerely,

First name Last Name
[Role], [Company]

Appendix B--Joint Statement by FTC Chair and Commissioners

Joint Statement of Chair Lina M. Khan, Commissioner Rebecca Kelly 
Slaughter, and Commissioner Alvaro M. Bedoya

    Today, the FTC finalizes an update to the Health Breach 
Notification Rule (``the Final Rule'') that ensures its protections 
keep pace with the rapid proliferation of digital health records. We 
do so to fulfill a clear statutory directive given to us by 
Congress.
    In 2009, as part of the American Recovery and Reinvestment Act 
(``ARRA''), Congress passed the Health Information Technology for 
Economic and Clinical Health Act (``HITECH Act'').\314\ Among other 
things, the HITECH Act sought to fill the gaps left by the privacy 
and security protections created under the Health Insurance 
Portability and Accountability Act (``HIPAA''), which was passed 
more than a decade earlier.\315\ Specifically, it expanded the kinds 
of entities subject to the privacy and security provisions of 
HIPAA,\316\ gave state attorneys general enforcement powers,\317\ 
and--most relevant here--directed the Commission to issue a rule 
requiring entities not covered by HIPAA to provide notification of 
any breach of unsecured health records.\318\ The Commission issued 
the original rule in 2009.\319\ In 2020, the Commission initiated 
its regular decennial rule review and, in 2021, the Commission 
issued a policy statement clarifying how the rule applies to health 
apps and other connected devices.\320\ In the years since, the 
Commission has brought enforcement actions against health apps 
alleging violations of the Health Breach Notification Rule.\321\ 
Today's issuance of the Final Rule codifies this approach, honoring 
the statutory directive that people must be notified when their 
health records are breached.
---------------------------------------------------------------------------

    \314\ Am. Recovery and Reinvestment Act of 2009, Public Law 111-
5, 123 Stat. 115 (2009) at Sec. 13400 et seq.
    \315\ Health Insurance Portability and Accountability Act, 
Public Law 104-191, 110 Stat. 1936, 2022 (1996) at Sec. 1171, 
codified at 42 U.S.C. 1320d.
    \316\ Health Information Technology for Economic and Clinical 
Health Act, Public Law 111-5, Div. A, Title XIII, Subtitle D, 
sections 13401 and 13404 (codified at 42 U.S.C. 17937(a)).
    \317\ Id. 13410(e).
    \318\ Id. 13407(g)(1).
    \319\ 74 FR 42962 (Aug. 25, 2009).
    \320\ Statement of the Commission on Breaches by Health Apps and 
Other Connected Devices (Sept. 15, 2021), https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf.
    \321\ See, e.g., Fed. Trade Comm'n, FTC Enforcement Action to 
Bar GoodRx from Sharing Consumers' Sensitive Health Info for 
Advertising (Feb. 1, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising; Fed. Trade Comm'n, 
Ovulation Tracking App Premom Will be Barred from Sharing Health 
Data for Advertising Under Proposed FTC Order (May 17, 2023), 
https://www.ftc.gov/news-events/news/press-releases/2023/05/ovulation-tracking-app-premom-will-be-barred-sharing-health-data-advertising-under-proposed-ftc.
---------------------------------------------------------------------------

    The dissent argues that the Commission's action ``exceeds the 
Commission's statutory authority.'' \322\ But its analysis 
contravenes a plain reading of the statute.
---------------------------------------------------------------------------

    \322\ Dissenting Statement of Comm'rs Melissa Holyoak and Andrew 
Ferguson at 1 (Apr. 25, 2024) (hereinafter ``Dissent'').
---------------------------------------------------------------------------

    In the HITECH Act, Congress directed the FTC to issue rules 
requiring vendors of personal health records (``PHR'') to notify 
consumers and the FTC following ``a breach of security of unsecured 
PHR identifiable health information.'' \323\ The statute defines the 
term ``PHR identifiable health information'' as ``individually 
identifiable health information, as defined in section 1320d(6) of 
this title.'' \324\ Section 1320d(6), a portion of the Social 
Security Act created by HIPAA, defines ``individually identifiable 
health information'' as ``any information . . . that is created or 
received by a health care provider, health plan, employer, or health 
care clearinghouse.'' \325\ Section 1320d(3), another section of the 
Social Security Act created by HIPAA, defines ``health care 
provider'' as, first, ``a provider of services'' as defined in 
section 1395x(u); \326\ second, ``a provider of medical or other 
health services'' as defined in section 1395x(s); \327\ and, third, 
``any other person furnishing health care services or supplies.'' 
\328\
---------------------------------------------------------------------------

    \323\ Health Information Technology for Economic and Clinical 
Health Act, Public Law 111-5, Div. A, Title XIII, Subtitle D, 
section 13407 (codified at 42 U.S.C. 17937(a)).
    \324\ 42 U.S.C. 17937(f)(2).
    \325\ 42 U.S.C. 1320d(6).
    \326\ See 42 U.S.C. 1395x(u) (``The term ``provider of 
services'' means a hospital, critical access hospital, rural 
emergency hospital, skilled nursing facility, comprehensive 
outpatient rehabilitation facility, home health agency, hospice 
program, or, for purposes of section 1395f(g) and section 1395n(e) 
of this title, a fund.'').
    \327\ 42 U.S.C. 1395x(s) (listing a vast array of services, 
tests, supplies, and measurements, comprising over 2000 words and 15 
categories, one of which has over 30 subcategories).
    \328\ 42 U.S.C. 1320d(3) (emphasis added).
---------------------------------------------------------------------------

    The term ``health care services or supplies,'' undefined in the 
statute, is defined in the Final Rule as follows:
    Health care services or supplies means any online service such 
as a website, mobile application, or internet-connected device that 
provides mechanisms to track diseases, health conditions, diagnoses 
or diagnostic testing, treatment, medications, vital signs, 
symptoms, bodily functions, fitness, fertility, sexual health, 
sleep, mental health, genetic information, diet, or that provides 
other health-related services or tools.\329\
---------------------------------------------------------------------------

    \329\ HBNR Final Rule Sec.  318.2(e).
---------------------------------------------------------------------------

    The dissent argues that this definition violates certain canons 
of statutory construction.\330\ But its effort to cabin the third 
category of HIPAA's ``health care provider'' reads it out of 
existence, violating the canon that holds interpretations giving 
effect to every clause of a statute are superior to those that 
render distinct clauses superfluous.\331\ Specifically, the second
category of ``health care provider'' already comprises a vast array 
of ``provider[s] of medical and other services.'' \332\ If the 
Commission were to interpret the third category as comprising, as 
the dissent recommends, only ``traditional forms of health care 
providers,'' this distinct provision would be entirely redundant.
---------------------------------------------------------------------------

    \330\ Dissent at 2 (``When a statute contains a list, ``each 
word in that list presumptively has a `similar' meaning'' under the 
canon of noscitur a sociis. And when a general term follows a list 
of specific terms, the ejusdem generis canon teaches that the 
general term ``should usually be read in light of those specific 
words to mean something `similar.' '' Together, these canons 
instruct that the final category of health care provider that 
includes the general term ``other person'' must be similar to the 
more specific terms that precede it.'' (citations omitted)).
    \331\ Marx v. Gen. Revenue Corp., 568 U.S. 371, 386 (2013) 
(Thomas, J.) (``Finally, the canon against surplusage is strongest 
when an interpretation would render superfluous another part of the 
same statutory scheme.'').
    \332\ 42 U.S.C. 1320d(3) (citing 42 U.S.C. 1395x(u)).
---------------------------------------------------------------------------

    The dissent's approach also fails to give meaning to other 
textual differences between the second and third category. The 
second category in the definition of ``health care provider'' 
discusses a ``provider'' and ``medical'' services.\333\ The third 
category, by contrast, drops the terms ``provider'' in favor of 
``person furnishing'' and drops ``medical'' in favor of ``health 
care.'' \334\ Honoring the materially different words of the statute 
requires us to read these two categories as covering distinct, not 
entirely overlapping, entities.\335\ The Final Rule faithfully 
follows these textual markers and identifies specific services and 
tools that comprise ``health care services or supplies.'' \336\ 
Contrary to this plain reading of the text, the dissent claims that 
Congress must have meant for this provision to apply only to 
``traditional forms of health care providers.'' \337\ But we cannot 
subordinate the text of the statute to speculative accounts of what 
Congress intended.
---------------------------------------------------------------------------

    \333\ 42 U.S.C. 1320d(3).
    \334\ Id.
    \335\ See Southwest Airlines Co. v. Saxon, 596 U.S. 450, 458 
(2022) (Thomas, J.) (``Where a document has used one term in one 
place, and a materially different term in another, the presumption 
is that the different term denotes a different idea'' (cleaned up)).
    \336\ In addition to defining this term by identifying specific 
services, the Final Rule actually also narrowed the definition 
originally proposed in the NPRM, by eliminating ``includes'' from 
the definition. SBP at 27 (``[T]he Commission has substituted the 
word `means' for `includes' to avoid implying greater breadth than 
the Commission intends.'').
    \337\ Dissent at 3. This rejection of the text of the statute, 
in favor of vague speculation about what Congress intended, mirrors 
the argument advanced by the Chamber of Commerce (``the Chamber''). 
The Chamber purports to rely on a ``plain text reading'' of the 
statute but immediately switches--in the very same sentence--to 
vague notions of Congressional intent: ``It is clear from a plain 
text reading of both the HITECH Act and HIPPA [sic] that Congress 
intended for the HBNR to cover health records more aligned with the 
provision of health services provided by traditional health 
providers at a time when it was attempting to digitize traditional 
health records.'' Comment submitted by U.S. Chamber of Com., Health 
Breach Notification Rule, Regulations.gov (Aug. 8, 2023) at 3, 
https://www.regulations.gov/comment/FTC-2023-0037-010.
---------------------------------------------------------------------------

    The dissent also notes that the Department of Health and Human 
Services (``HHS'') ``has never interpreted the term `health care 
provider' to reach the expansive, creative conclusion that the 
Commission does today.'' \338\ HHS has, however, interpreted 
``health care provider,'' and its interpretation of this term is 
consistent with the Commission's definition.\339\ In the HIPAA 
Privacy Rule, HHS defines the first two categories of ``health care 
provider'' using the same language as the statute, but the third 
category is changed from ``any other person furnishing health care 
services or supplies'' to ``any other person or organization who 
furnishes, bills, or is paid for health care in the normal course of 
business.'' \340\ HHS also defines ``health care'' broadly, as any 
``care, services, or supplies related to the health of an 
individual.'' \341\
---------------------------------------------------------------------------

    \338\ Dissent at 3.
    \339\ That the HIPAA Privacy rule has a narrower overall scope 
does not change this fact.
    \340\ 45 CFR 160.103.
    \341\ Id. (emphasis added). The dissent asserts that we 
``mischaracterize[] the HIPAA Privacy Rule, which only applies to 
HIPAA `covered entities' and their `business associates,'--i.e., to 
traditional health care providers, that do not include the broad 
swath of app developers the Final Rule will encompass.'' Dissent at 
4 n.24 (internal citations omitted). It is not clear how this 
qualifies as a mischaracterization. Indeed, this is precisely the 
stated purpose of the Health Breach Notification Rule: To cover 
entities that HIPAA does not. The dissent also notes that we fail to 
recognize that HHS provides two examples of ``health care.'' But, 
HHS expressly states that the definition ``includes, but is not 
limited to'' these categories. 45 CFR 160.103. In any case, the 
breadth of these categories further underscores the expansive scope 
of HHS's definition of health care. Id.
    \341\ Dissent at 2.
---------------------------------------------------------------------------

    Notably, in its 1999 Notice of Proposed Rulemaking for the HIPAA 
Privacy Rule, HHS originally had proposed to define the term 
``health care'' as constituting ``the provision of care, services, 
or supplies. . . .'' \342\ But, in its final rule, HHS eliminated 
the concept of ``provision'' in order to distinguish the broader 
term of ``health care'' from the narrower term ``treatment.'' \343\ 
HHS explained: ``We delete the term `providing' from the definition 
[of health care] to delineate more clearly the relationship between 
`treatment,' as the term is defined in Sec.  164.501, and `health 
care.' '' \344\ HHS defined ``treatment,'' in contrast to ``health 
care,'' as ``the provision, coordination, or management of health 
care and related services.'' \345\ In short, HHS defines ``health 
care'' broadly, covering all aspects related to the health of an 
individual, and defines ``treatment'' more narrowly, referring to 
the provision of medical care to an individual. The dissent's 
proposal to narrow the third category of ``health care provider'' to 
``traditional forms of health care providers'' closely mirrors the 
approach that HHS rejected when it defined this term.\346\
---------------------------------------------------------------------------

    \342\ Proposed Rule, Standards for Privacy of Individually 
Identifiable Health Information, 64 FR 59918, 60049 (Nov. 3, 1999) 
(emphasis added).
    \343\ 65 FR 82462, 82477.
    \344\ Id.
    \345\ 45 CFR 164.501.
    \346\ Dissent at 2.
---------------------------------------------------------------------------

    The dissent also claims that changing the phrase ``can be 
drawn'' to ``has the technical capacity to draw'' violates the 
surplusage canon because it renders the limitation meaningless as to 
health apps, because ``virtually every app has the technical 
capacity to draw some information from more than one source.'' \347\ 
This argument fails for two reasons. First, as the Statement of 
Basis and Purpose (``SBP'') explains, there are products and 
services that do not satisfy this requirement.\348\ Second, even if 
the definition did reach every health app, that would not itself 
suggest that the Final Rule's definition was wrongly crafted. 
Rather, it would reflect the rapid growth in digital applications 
and services related to consumers' health.\349\
---------------------------------------------------------------------------

    \347\ Dissent at 4.
    \348\ SBP at 29-30.
    \349\ The dissent's argument anachronistically assumes that 
Congress intended for the Rule to cover some health apps, but not 
other health apps. But, in fact, the Apple and Google app stores 
were in their infancy when Congress drafted this legislation in 
2009, and so there is no indication that Congress was thinking about 
specific health apps at all. To the extent the dissent's argument is 
that Congress simply did not anticipate the vast number of products 
that would end up covered by the broad category of ``supplies and 
services,'' it is not within the Commission's authority to re-write 
the statute based on the Commission's belief of what Congress would 
have wanted. MCI Telecomms. Corp. v. Am. Telephone & Telegraph Co., 
512 U.S. 218, 229 (1994) (holding that FCC's authority to ``modify'' 
does not extend to eliminating altogether a statutory requirement).
---------------------------------------------------------------------------

    The practical ramifications of the dissent's legal shortcomings 
are significant.
    Just last year, the Commission brought an action against Easy 
Healthcare Corporation, alleging privacy violations by its fertility 
tracking application Premom.\350\ As laid out in the complaint, 
Premom--which encourages users to provide information about their 
menstrual cycles, fertility, and pregnancy, as well as to import 
their data from other services, such as Apple Health--shared 
information with advertisers and China-based companies through 
software development kits (``SDKs'') embedded in the application. 
The Commission's eight-count complaint against Easy Healthcare 
reflected the seriousness of this misconduct, charging the business 
with deceptive and unfair practices, as well as a violation of the 
Health Breach Notification Rule, which triggered civil penalties.
---------------------------------------------------------------------------

    \350\ Press Release, Fed. Trade Comm'n, Ovulation Tracking App 
Premom Will be Barred from Sharing Health Data for Advertising Under 
Proposed FTC Order (May 17, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/05/ovulation-tracking-app-premom-will-be-barred-sharing-health-data-advertising-under-proposed-ftc.
---------------------------------------------------------------------------

    Under the dissent's analysis of health care services or 
supplies, the developer of the Premom application--Easy Healthcare--
would not be covered by the Health Breach Notification Rule. This 
reading would mean that when companies like Easy Healthcare suffer a 
breach that may divulge health information to companies located in 
China, the Health Breach Notification Rule would not require them to 
disclose the breach to its users. It would also mean that when Easy 
Healthcare broadcasts women's sensitive health data across the vast 
commercial surveillance network propped up by SDKs and ad networks, 
the Health Breach Notification Rule would not require Easy 
Healthcare to alert women. Today's Final Rule rejects this atextual 
and cramped reading of the law, ensuring that businesses that hold 
themselves out as health care services companies--like Easy 
Healthcare--

[[Page 47061]]

are considered ``health care services'' companies under the law.
    Lastly, the dissent claims that the Final Rule introduces 
ambiguity where previously there was none. But GoodRx suggests 
otherwise. In a unanimous action, the Commission charged GoodRx with 
making unauthorized disclosures of people's health data to Facebook 
and Google, among others.\351\ GoodRx, meanwhile, disputed the 
applicability of the HBNR to its practices, calling it a ``novel'' 
application.\352\ By codifying how HBNR applies to online platforms 
and applications, today's Final Rule provides market participants 
with more clarity about what entities are covered--thereby providing 
greater certainty and notice.\353\
---------------------------------------------------------------------------

    \351\ Press Release, Fed. Trade Comm'n, FTC Enforcement Action 
to Bar GoodRx from Sharing Consumers' Sensitive Health Info for 
Advertising (Feb. 1, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising; See also, Concurring 
Statement of Comm'r Christine S. Wilson, GoodRx Holdings, Inc. (Feb. 
1, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/2023090_goodrx_final_concurring_statement_wilson.pdf (``Today's 
settlement marks the first enforcement matter in which the FTC has 
invoked the HBNR. I congratulate staff on this important step--the 
agency rightly is focused on protecting the privacy of sensitive 
health data and empowering consumers to make informed choices about 
the goods and services they use.''); see also id. at 5 (describing 
the GoodRx case as ``an important milestone in the Commission's 
privacy work.''). The dissent suggests that Commissioners Holyoak 
and Ferguson would have supported the application of HBNR to GoodRx.
    \352\ See GoodRx, GoodRx Response to FTC Settlement (Feb. 1, 
2023) (``We believe this is a novel application of the Health Breach 
Notification Rule by the FTC. . . . We do not agree with the 
assertion that this was a violation of the HBNR.'').
    \353\ The dissent concedes that it does support an update to the 
rule that provides more clarity--and specifically an update that 
provides clarity to show that the rule covers GoodRx. Dissent at 7 
(``I would support changes to the Rule that clarify the Rule's 
application to companies like GoodRx.''). That is precisely what 
today's Final Rule does. Previously, the rule did not define 
``health care services or supplies,'' and today's Final Rule does. 
Previously, health apps like GoodRx stated that it was unclear 
whether the rule applies to them, and today's Final Rule makes clear 
that it does. This concession from the dissent suggests a more 
modest disagreement with the contours of how the Rule defines 
``health care services or supplies,'' though--notably--the dissent 
does not provide an alternative definition.
---------------------------------------------------------------------------

    GoodRx marked the first time the Commission had ever enforced 
the Health Breach Notification Rule. A top priority for us at the 
Commission is ensuring we are faithfully discharging our statutory 
duties, rather than letting the authorities that Congress has 
granted us sit dormant, and we are proud of the work the Commission 
and the staff are doing to take care that the full set of laws 
assigned to the FTC are being faithfully executed.\354\ We agree 
with the dissent that we must look out for the institutional 
integrity of the Commission. Failing to use the full scope of our 
statutory tools to protect Americans--and failing to update our 
application of these tools even as technologies change--would 
undermine the agency's integrity and credibility alike.
---------------------------------------------------------------------------

    \354\ See, e.g., Press Release, Fed. Trade Comm'n, FTC Hits R360 
and its Owner With $3.8 Million Civil Penalty Judgment for Preying 
on People Seeking Treatment for Addiction (May 17, 2022), https://www.ftc.gov/news-events/news/press-releases/2022/05/ftc-hits-r360-its-owner-38-million-civil-penalty-judgment-preying-people-seeking-treatment-addiction (the Commission's first action brought under the 
Opioid Addiction Recovery Fraud Prevention Act); Harris Jewelry, 
Press Release, Fed. Trade Comm'n, FTC and 18 States Sue to Stop 
Harris Jewelry from Cheating Military Families with Illegal 
Financing and Sales Tactics (Jul. 20, 2022), https://www.ftc.gov/news-events/news/press-releases/2022/07/ftc-18-states-sue-stop-harris-jewelry-cheating-military-families-illegal-financing-sales-tactics (the Commission's first action brought under the Military 
Lending Act); Press Release, Fed. Trade Comm'n, Smart Home 
Monitoring Company Vivint Will Pay $20 Million to Settle FTC Charges 
That It Misused Consumer Credit Reports (Apr. 29, 2021), https://www.ftc.gov/news-events/news/press-releases/2021/04/smart-home-monitoring-company-vivint-will-pay-20-million-settle-ftc-charges-it-misused-consumer (the Commission's first action brought under the 
Red Flags Rule, brought under Acting Chair Slaughter); Press 
Release, Fed. Trade Comm'n, FTC Sues Burger Franchise Company That 
Targets Veterans and Others With False Promises and Misleading 
Documents (Feb. 8, 2022), https://www.ftc.gov/news-events/news/press-releases/2022/02/ftc-sues-burger-franchise-company-targets-veterans-others-false-promises-misleading-documents (the 
Commission's first action under the Franchise Rule since 2007); 
Press Release, Fed. Trade Comm'n, FTC Issues Rule to Deter Rampant 
Made in USA Fraud (Jul. 1, 2021), https://www.ftc.gov/news-events/news/press-releases/2021/07/ftc-issues-rule-deter-rampant-made-usa-fraud (issuance of the Made in the USA Rule, more than 25 years 
after Congress authorized the Commission to promulgate a rule).
---------------------------------------------------------------------------

    We are deeply grateful to the Division of Privacy and Identity 
Protection for leading the Commission's work to activate the Health 
Breach Notification Rule and for finalizing this Rule update. In an 
environment rife with new and evolving threats to Americans' health 
data, ensuring we are faithfully harnessing all of our statutory 
tools to protect people from data breaches is paramount.

Dissenting Statement of Commissioner Melissa Holyoak, Joined by 
Commissioner Andrew Ferguson

    The Health Breach Notification Rule (``Final Rule'') that the 
Commission adopts today exceeds the Commission's statutory 
authority, puts companies at risk of perpetual non-compliance, and 
opens the Commission to legal challenge that could undermine its 
institutional integrity. I share the majority's goal of protecting 
the privacy and security of consumers' identifiable health 
information,\1\ and I support vigorous enforcement of laws 
protecting sensitive personal information with which Congress has 
entrusted the FTC.\2\ I would support finalizing a rule that extends 
and clarifies the scope of the Commission's enforcement in this 
important area of consumer protection if that rule were consistent 
with our grant of authority from Congress. But, no matter how the 
majority attempts to shoehorn its desired policy goal into a ``plain 
reading'' of the statute,\3\ I cannot support a rule that exceeds 
the bounds Congress clearly established. Indeed, a core principle 
guiding my tenure at the Commission will be that our rules must 
effectuate the law as it is--not as the Commission may wish it to 
be. For these reasons, I respectfully dissent.
---------------------------------------------------------------------------

    \1\ Like the majority, and other Commissioners before me, I 
support federal privacy legislation, particularly where such 
legislation could address gaps in sector-specific laws and level the 
playing field for companies navigating a patchwork of laws. And like 
the majority, and other Commissioners before me, I care deeply about 
protecting the privacy and security of consumers' health 
information, particularly where it falls outside the bounds of the 
Health Insurance Portability and Accountability Act (``HIPAA''). For 
more than two decades, the FTC has been a leader in protecting 
consumers' health information. See, e.g., Eli Lilly, FTC File No. 
0123214 (May 10, 2002), https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3214-eli-lilly-company-matter. I look forward 
to continuing the Commission's important work in this area.
    \2\ See, e.g., Children's Online Privacy Protection Rule, 16 CFR 
part 312, as authorized by the Children's Online Privacy Protection 
Act of 1998, 15 U.S.C. 6501 et seq.
    \3\ Joint Statement of Chair Lina M. Khan, Comm'r Rebecca Kelly 
Slaughter, and Comm'r Alvaro M. Bedoya at 2 (Apr. 24, 2024) 
(``Majority Statement'').
---------------------------------------------------------------------------

    The American Recovery and Reinvestment Act of 2009 (``Recovery 
Act'') \4\ authorized the Commission to issue a rule requiring 
vendors of ``personal health records'' (``PHRs'') and related 
entities that are not covered by HIPAA to notify individuals and the 
FTC of a ``breach of security'' of ``unsecured PHR identifiable 
health information.'' \5\ The Commission issued the Health Breach 
Notification Rule in 2009,\6\ initiated a routine review of the Rule 
in 2020,\7\ issued a policy statement re-interpreting the then-
current Rule in 2021 (``2021 Policy Statement''),\8\ issued a Notice 
of Proposed Rulemaking on June 9, 2023 (``NPRM''),\9\ and today 
issues the Final Rule.\10\
---------------------------------------------------------------------------

    \4\ Am. Recovery and Reinvestment Act of 2009, Public Law 111-5, 
123 Stat. 115 (2009).
    \5\ 42 U.S.C. 17937(a), (g).
    \6\ 74 FR 42962 (Aug. 25, 2009).
    \7\ 85 FR 31085 (May 22, 2020).
    \8\ See Statement of the Comm'n on Breaches by Health Apps and 
Other Connected Devices (Sept. 15, 2021), https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf (``2021 Policy Statement'').
    \9\ 88 FR 37819 (June 9, 2023).
    \10\ See Statement of Basis and Purpose (``SBP'') accompanying 
the Final Rule, Section I (summarizing procedural history).
---------------------------------------------------------------------------

    I am encouraged that today the Commission is acting by 
rulemaking, as authorized by statute and following a period of 
notice and comment that elicited a range of views, rather than 
acting by fiat in a policy statement, as the Commission did in 
2021.\11\ I cannot endorse any policy statement that either 
displaces Congress's authority to make law or subverts the 
rulemaking process. The 2021 Policy Statement did both. The majority 
clearly recognizes this overreach. After all, if the 2021 Policy 
Statement had any force, today's rulemaking would be unnecessary.
---------------------------------------------------------------------------

    \11\ See 2021 Policy Statement, supra note 8.
---------------------------------------------------------------------------

    Setting aside this troubling history, I turn to the Final Rule 
itself, which, unfortunately, I find equally troubling in its 
extension beyond the parameters established by Congress.

[[Page 47062]]

    Some background first. Under the Recovery Act, PHR identifiable 
health information means ``individually identifiable health 
information,'' as defined by the Social Security Act, 42 U.S.C. 
1320d(6).\12\ The Social Security Act defines ``individually 
identifiable health information'' as information that is ``created 
or received by a health care provider, health plan, employer, or 
health care clearinghouse.'' \13\ The Social Security Act then 
defines ``health care provider'' to include three categories: ``[1] 
a provider of services (as defined in section 1395x(u) of this 
title), [2] a provider of medical or other health services (as 
defined in section 1395x(s) of this title), and [3] any other person 
furnishing health care services or supplies.'' \14\
---------------------------------------------------------------------------

    \12\ 42 U.S.C. 17937(f)(2).
    \13\ 42 U.S.C. 1320d(6).
    \14\ Id. 1320d(3).
---------------------------------------------------------------------------

    The Commission takes liberties with the final category in that 
definition (``any other person furnishing health care services or 
supplies'') to adopt a new, capacious definition of ``covered health 
care provider'' and a new, similarly capacious definition of 
``health care services and supplies,'' whose joint effect is to 
sweep a large swath of apps and app developers under the purview of 
the Final Rule. These expansive definitions are not consistent with 
the statute. Under longstanding principles of statutory 
interpretation, the final category of provider (``any other person . 
. .'') must be understood in relation to the first two categories 
(``provider of services'' and ``provider of medical or other health 
services'').\15\ When a statute contains a list, ``each word in that 
list presumptively has a `similar' meaning'' under the canon of 
noscitur a sociis.\16\ And when a general term follows a list of 
specific terms, the ejusdem generis canon teaches that the general 
term ``should usually be read in light of those specific words to 
mean something `similar.' '' \17\ Together, these canons instruct 
that the final category of health care provider that includes the 
general term ``other person'' must be similar to the more specific 
terms that precede it.
---------------------------------------------------------------------------

    \15\ See Yates v. United States, 574 U.S. 528, 549-51 (2015) 
(Alito, J., concurring); Antonin Scalia & Bryan A. Garner, Reading 
Law: The Interpretation of Legal Texts 195-196,199-200 (2012).
    \16\ Yates, 574 U.S. at 549.
    \17\ Id. at 550.
---------------------------------------------------------------------------

    The first two categories of health care provider incorporate the 
definitions of sections 1395x(u) and 1395x(s) of the Social Security 
Act, respectively.\18\ The first category of provider includes ``a 
hospital, critical access hospital, rural emergency hospital, 
skilled nursing facility, comprehensive outpatient rehabilitation 
facility, home health agency, hospice program, or . . . a fund.'' 
\19\ The second category of provider includes an extensive list 
(section 1395x(s) includes 17 paragraphs and over 35 subparagraphs) 
of medical professionals including physicians, physician assistants, 
nurse practitioners, clinical psychologists, clinical social 
workers, and others, and the specific services administered by 
medical professionals.\20\ These two categories comprise traditional 
forms of health care providers.
---------------------------------------------------------------------------

    \18\ 42 U.S.C. 1320d(3).
    \19\ 42 U.S.C. 1395x(u).
    \20\ Id. 1395x(s).
---------------------------------------------------------------------------

    The final category, addressing ``any other person furnishing 
health care services or supplies,'' must therefore only include 
persons that are ``similar in nature'' to these first two 
categories.\21\ The majority argues that my ``effort to cabin the 
third category . . . reads it out of existence, violating the canon 
that holds interpretations giving effect to every clause of a 
statute are superior to those that render distinct clauses 
superfluous.'' \22\ This application of the canon is incorrect. 
Requiring similarity among categories does not result in 
superfluity; it merely prevents interpretations that extend beyond 
what the text permits. A catch-all's limited application due to its 
context is not a reason to expand that phrase to encompass 
dissimilar applications.
---------------------------------------------------------------------------

    \21\ Yates, 574 U.S. at 545 (internal quotation marks omitted).
    \22\ Majority Statement at 2.
---------------------------------------------------------------------------

    The Final Rule's definition of ``covered health care provider'' 
is not remotely similar, because it incorporates a new, 
astonishingly broad definition of ``health care services or 
supplies,'' which means ``any online service such as a website, 
mobile application, or internet-connected device that provides 
mechanisms to track diseases, health conditions, diagnoses or 
diagnostic testing, treatment, medications, vital signs, symptoms, 
bodily functions, fitness, fertility, sexual health, sleep, mental 
health, genetic information, diet, or that provides other health-
related services or tools.'' \23\ Thus, the Commission transforms 
``health care provider,'' which both under common usage and in 
context of the statutory provision means entities such as physicians 
and hospitals, to now include any company ``furnishing'' a health-
related app.\24\ As a result, the Final Rule creates a tautology: 
Health app developers may be ``vendors of personal health records'' 
by offering an app containing health information that has been 
created or received by a health care provider, where the health app 
developer is itself the health care provider that creates or 
receives that health information by virtue of offering the app.
---------------------------------------------------------------------------

    \23\ Final Rule at 98.
    \24\ The SBP explains that an app developer (or any company 
``furnishing'' a health app) would be covered as a health care 
provider because its health app is a health care service or supply. 
SBP at 7, 22-28.
---------------------------------------------------------------------------

    Notably, even though the Department of Health and Human Services 
(``HHS'') interprets this same provision of the Social Security Act, 
HHS has--notwithstanding the majority's assertion to the contrary 
\25\--never interpreted the term ``health care provider'' to reach 
the expansive, creative conclusion that the Commission does 
today.\26\ The majority's argument misstates the scope and language 
of the HIPAA Privacy Rule, which only applies to HIPAA ``covered 
entities'' and their ``business associates,'' \27\--i.e., to 
traditional health care providers that do not include the broad 
swath of app developers the Final Rule will encompass. 
Significantly, the majority omits from its characterization of the 
term ``health care'' HHS's own illustrations of that term, which 
highlight the proximity to traditional forms of health care by 
different kinds of medical professionals:
---------------------------------------------------------------------------

    \25\ Majority Statement at 3.
    \26\ See NPRM at 37823.
    \27\ 45 CFR 160.102 through 103.
---------------------------------------------------------------------------

    (1) Preventive, diagnostic, therapeutic, rehabilitative, 
maintenance, or palliative care, and counseling, service, 
assessment, or procedure with respect to the physical or mental 
condition, or functional status, of an individual or that affects 
the structure or function of the body; and
    (2) Sale or dispensing of a drug, device, equipment, or other 
item in accordance with a prescription.\28\
---------------------------------------------------------------------------

    \28\ Id. Sec.  160.103.
---------------------------------------------------------------------------

    The Majority Statement repeatedly says that HHS defines ``health 
care'' broadly,\29\ but the language it cites provides no such 
support.
---------------------------------------------------------------------------

    \29\ Majority Statement at 3-4.
---------------------------------------------------------------------------

    Aware of this incongruency, the Commission seeks to 
differentiate its use of ``health care provider'' from that of 
``other government agencies.'' \30\ Yet the Commission provides no 
explanation why its definition should differ, particularly where it 
is unclear whether the Commission has interpretative authority over 
the Social Security Act's definition of health care provider and 
where other agencies are delegated such interpretative 
authority.\31\
---------------------------------------------------------------------------

    \30\ SBP at 26.
    \31\ Id. at 13 (noting that HHS interprets these provisions of 
the Social Security Act). Cf. City of Arlington, Tex. v. F.C.C., 569 
U.S. 290, 323 (2013) (Roberts, C.J., dissenting) (``When presented 
with an agency's interpretation of such a statute, a court cannot 
simply ask whether the statute is one that the agency administers; 
the question is whether authority over the particular ambiguity at 
issue has been delegated to the particular agency.'').

---------------------------------------------------------------------------

[[Page 47063]]

    The Commission also takes troubling liberties with the statute's 
definition of ``personal health record,'' which are evident from a 
side-by-side comparison of the statute and the Final Rule:

------------------------------------------------------------------------
              Recovery act                          Final rule
------------------------------------------------------------------------
``an electronic record of PHR            ``an electronic record of PHR
 identifiable health information . . .    identifiable health
 on an individual that can be drawn       information on an individual
 from multiple sources and is managed,    that has the technical
 shared, and controlled by or primarily   capacity to draw information
 for the individual.'' \32\.              from multiple sources and that
                                          is managed, shared, and
                                          controlled by or primarily for
                                          the individual.'' \33\
------------------------------------------------------------------------

    Under the Final Rule, a PHR need not actually draw health 
information from multiple sources, as the statute contemplates 
(because the statutory phrase ``that can be drawn'' modifies its 
immediate antecedent, ``health information''). Rather, under the 
Final Rule, a single source of health information will render an app 
a PHR as long as the ``PHR'' has the ``technical capacity'' to draw 
some other information elsewhere.\34\ The implications of this 
change, in conjunction with the expansion of ``health care 
provider,'' are significant. Any retailer that offers an app that 
tracks health-related purchases (e.g., bandages, vitamins, dandruff 
shampoo) may be a vendor of a PHR covered by the Rule if the app 
draws health information (e.g., purchasing information) from the 
consumer and the app has the ``technical capacity'' to draw any 
information from any other source. As the Statement of Basis and 
Purpose notes, commenters warned that virtually every app has the 
technical capacity to draw some information from more than one 
source.\35\ That expansive scope could be appropriate if Congress's 
language permitted it. But the Commission's interpretation, which 
effectively renders the Recovery Act's ``multiple sources'' 
requirement meaningless, ignores longstanding principles of 
statutory interpretation that require each provision of a statute to 
be given effect.\36\
---------------------------------------------------------------------------

    \32\ 42 U.S.C. 17921(11).
    \33\ Final Rule at 99.
    \34\ See SBP at 32 (``Next, adding the phrase `technical 
capacity to draw information' clarifies that a product is a personal 
health record if it can draw any information from multiple sources, 
even if it only draws health information from one source.'').
    \35\ See id. at 34.
    \36\ Scalia & Garner, supra note 15 at 174 (discussing 
surplusage canon).
---------------------------------------------------------------------------

    The Commission's expansive definitions of ``covered health care 
provider,'' ``health care services and supplies,'' and ``personal 
health record'' have a profound effect on the scope of the Rule: 
Most companies that offer or disseminate health-related apps or 
similar products would be treated as ``covered health care 
providers'' that therefore hold ``PHR identifiable health 
information'' in their apps (i.e., PHRs), such that they are vendors 
of PHRs--even if their app is merely health-adjacent.
    Remarkably, the Commission imposes no limit on this 
extraordinary breadth in the Rule itself. Rather, in a post-NPRM 
attempt to check the scope, the Commission fashions a limiting 
principle: Apps are covered only if they are ``more than 
tangentially relating to health.'' \37\ This extra-statutory, extra-
regulatory limit has several significant problems.
---------------------------------------------------------------------------

    \37\ SBP at 28.
---------------------------------------------------------------------------

    First, if the majority were correct, from where would it draw 
the authority to impose this ``more than tangentially relating to 
health'' limitation? If Congress in fact commanded us to cover all 
the apps the majority claims, this extra-textual limitation would be 
beyond our power to impose.\38\ Why, then, does the majority blink 
in the face of what it understands Congress to have required? There 
may be good policy reasons not to follow Congress's language--as the 
majority understands it--wherever it leads, but we do not have power 
to shortchange Congress's commands. That even the majority feels 
compelled to adopt this extra-textual limitation--again, as the 
majority understands the text--on the statute's reach suggests that 
the language probably does not mean what the majority says.
---------------------------------------------------------------------------

    \38\ See Nat'l Fed'n of Indep. Business v. Dep't of Labor, 595 
U.S. 109, 117 (2022) (per curiam) (``Administrative agencies are 
creatures of statute. They accordingly possess only the authority 
that Congress has provided.'').
---------------------------------------------------------------------------

    The second problem is substantive: What does this language mean? 
When does an app cross the line between tangentially related to 
health and more than tangentially related? If a gas station with a 
loyalty app sells Advil, is the app only tangentially related to 
health and outside the Final Rule's purview? If the gas station adds 
Robitussin and pregnancy tests to its inventory, does it cross the 
line to more than tangentially related to health? If a clothing 
store with an e-commerce app sells a handful of maternity shirts, is 
the app only tangentially related to health? If the store adds more 
maternity clothes, nursing bras, and some anti-nausea ginger tea to 
its in-app offerings, is the app more than tangentially related to 
health? If vitamins, over-the-counter medicines, acne creams, 
bandages, and similar items comprise 0.1% or 1% or 10% of a 
superstore's inventory, when is the retailer's e-commerce app more 
than tangentially related to health? I see no clear answers to any 
of these hypotheticals in today's Final Rule, which suggests that 
the marketplace will see no clear answers either.\39\
---------------------------------------------------------------------------

    \39\ The expansive coverage increases the likelihood of creating 
unintended consequences. Will the gas station decline to add over-
the-counter medicines to its inventory to avoid crossing the line of 
``more than tangentially related to health''? Will the clothing 
retailer shy away from maternity apparel? Will the e-commerce giant 
avoid selling bandages and dandruff shampoo? These potentially 
detrimental outcomes undermine a Rule intended to benefit consumers.
---------------------------------------------------------------------------

    The third problem is procedural. The Commission did not propose 
this ambiguous but impactful limitation in a Notice of Proposed 
Rulemaking--likely because there is no statutory basis for this 
newly-created language. Rather, it introduces this crucial concept 
for the first time in a Statement of Basis and Purpose (a purely 
interpretive document) as a post hoc fix to the problem the 
Commission itself created with its expansive definitions. As a 
result, the Commission did not provide notice or receive public 
comment on the efficacy or propriety of this limitation, depriving 
the public of its opportunity to meaningfully participate in the 
rulemaking process and depriving itself of potentially valuable 
input from commenters.
    The final problem is that this post hoc, extra-regulatory 
limitation renders the Commission's burden analysis inadequate. The 
Paperwork Reduction Act (``PRA'') requires the Commission to 
estimate the reportable breaches by entities covered by the Rule and 
compliance costs.\40\ The Regulatory Flexibility Act (``RFA'') 
requires the Commission to assess the economic impact on small 
businesses.\41\ Apparently relying on the SBP's ``more than 
tangentially related to health'' limitation, the PRA and RFA 
analyses only address breaches by apps categorized as ``Health and 
Fitness.'' \42\ Because the Rule itself contains no such limitation, 
general retailers with e-commerce apps, gas stations with loyalty 
apps, and other similar generalists that sell any health-related 
items do not factor into these analyses. As a result, they likely 
dramatically underestimate the numbers of regulated entities, number 
of breaches, and costs to businesses.
---------------------------------------------------------------------------

    \40\ See generally 44 U.S.C. 3501 et seq.; SBP at 86.
    \41\ 5 U.S.C. 601 through 612.
    \42\ SBP at 86, 93.
---------------------------------------------------------------------------

    Perhaps the breadth of the Final Rule would be more of a 
theoretical than practical concern to businesses, if they could 
adopt practices sufficient to avoid any breach that would trigger 
notice obligations under the Final Rule, or, in the event of a 
breach, err on the side of notification. But Sec.  318.3(b) of the 
Final Rule imposes affirmative obligations on companies to notify 
their service providers if they are covered by the Final Rule, 
regardless of whether they experience a breach.\43\ To comply with 
this requirement, companies must know whether they are covered by 
the Rule--that is, which side of ``more than tangentially relating 
to health'' they fall on. Without clarity on that line, companies 
run the risk of being in

[[Page 47064]]

perpetual violation of the Final Rule and, therefore, perpetually at 
the mercy of the Commission's enforcement discretion. The 
Commission, at this moment, may not intend to pursue such technical 
violations. But any expression of intended restraint will be cold 
comfort to companies that have seen the Commission's self-imposed 
restraint wax and wane in other areas.\44\
---------------------------------------------------------------------------

    \43\ This may have been a sensible requirement in 2009, when the 
scope of the Rule was much narrower, but it has dramatic 
consequences in this much-expanded Rule.
    \44\ Significantly, the Majority Statement is silent as to the 
propriety and consequences of its ``tangentially related'' limiting 
principle, likely because this approach is indefensible.
---------------------------------------------------------------------------

    I find the majority's liberties with the statute particularly 
troubling because they are unnecessary to reach health apps. Indeed, 
the Commission's own recent enforcement action against digital 
healthcare platform GoodRx makes that clear. Only last year, a 
bipartisan Commission applied the 2009 Rule to GoodRx's online 
platform and app because the company received identifiable health 
information on prescription medications (among other things) from 
pharmacy benefit managers and pharmacies, among other sources, so 
that consumers could manage their information.\45\ The majority 
argues that today's changes are necessary to provide clarity to the 
market about the Rule's scope,\46\ but GoodRx has already done 
that--and I would support changes to the Rule that are consistent 
with the statute. In short, I agree with the majority's goals--
safeguarding consumers' sensitive health information and 
implementing a Congressional mandate to put consumers on notice of 
the breach of that data--but I believe that we must effectuate those 
goals within the scope of the law as it is, rather than legislating 
in the guise of applying the law.
---------------------------------------------------------------------------

    \45\ See Concurring Statement of Commissioner Christine S. 
Wilson, GoodRx, Matter No. 2023090 1 n.2 (Feb. 1, 2023) (``GoodRx 
has violated the HBNR based on a plain reading of the text, setting 
aside any gloss the Commission sought to add in its September 2021 
Statement on Breaches by Health Apps and Other Connected 
Devices.''), https://www.ftc.gov/system/files/ftc_gov/pdf/2023090_goodrx_final_concurring_statement_wilson.pdf.
    \46\ Majority Statement at 5.
---------------------------------------------------------------------------

    The FTC is a venerable institution that does vital work to 
protect consumers and promote competition, thanks to its hardworking 
and devoted career staff. I commend the staff attorneys, economists, 
and technologists who worked on the rule for their careful and 
thoughtful consideration of difficult issues. Ultimately, while I am 
sympathetic to the majority's goal, I fear that adopting a Final 
Rule that is irreconcilable with the statute and that puts companies 
in an untenable position puts the Commission at risk. Legal 
challenges may undermine the Commission's institutional integrity, 
and Congress may be reluctant to trust the Commission with other 
authority--even the much-needed authority to protect the privacy of 
consumers' sensitive personal information. I therefore respectfully 
dissent.

[FR Doc. 2024-10855 Filed 5-29-24; 8:45 am]
BILLING CODE 6750-01-P

