FTC HEALTH BREACH NOTIFICATION RULE (USA)

The FTC Health Breach Notification Rule is an important part of U.S. law protecting people’s health information, especially now that so much of it is stored digitally. The rule was created in 2009 as part of a broader law aimed at improving health technology. While some health information is protected by another law, HIPAA, this rule covers companies that HIPAA does not reach, such as those that manage personal health records (PHRs) or provide related services.

Historical Context

As digital health tools such as apps and wearable devices became more popular, the need for extra protection of health data grew. HIPAA did not cover these new tools, so this rule was created to fill that gap. Companies not covered by HIPAA must now tell affected people, the FTC, and sometimes the media if the health information they hold is breached (or exposed).

A breach happens when someone gets, uses, or shares health information in a way they should not, which puts that information at risk. If a breach affects 500 or more people, it must be reported to the FTC within 10 business days. Smaller breaches are reported once a year.

Significance of the FTC Health Breach Notification Rule

This rule is important because it protects health information in a world where healthcare and technology are coming together more and more. By requiring companies to report breaches, it helps keep people informed and allows them to take steps to protect themselves.

The rule also pushes companies that manage health information to be more careful and to put strong protections in place. This is crucial as new technologies continue to collect and store more health data. Building trust in these digital health tools is key to their success and growth.

Current Challenges

Even though the rule is important, it faces some challenges:

Scope and Coverage: Some companies, especially tech startups, might not be familiar with healthcare laws and may struggle to comply with the rule, leading to gaps in protection.

Technological Complexity: As technology advances, hackers are using more sophisticated methods, making it harder to detect and respond to breaches quickly. This complexity can make it difficult to determine if a breach happened and what information was compromised.

Consumer Trust: With so many breaches happening, people are becoming more concerned about the safety of their health information. Even though the rule requires companies to notify people about breaches, there are so many breaches that people may start ignoring the notifications and trusting digital health tools less.

Opportunities

Despite these challenges, the rule offers some good opportunities:

Improving Compliance: The rule encourages companies to improve their data protection methods, like using encryption and regular security checks, to reduce the chance of breaches.

Educating Consumers: The rule’s transparency can be used to educate people about the importance of data security. By being open about breaches and how they’re handled, companies can build trust with their users.

Driving Innovation: The need to follow the rule can lead to the development of new tools and technologies that make it easier to detect breaches, protect data, and notify people quickly. These innovations can help the entire healthcare industry improve its data security.


The pie chart shows that in 2024, most data breaches in the USA were caused by ransomware attacks (35%), followed by phishing and social engineering (25%), and unauthorized access (20%). Misconfigured systems led to 10% of breaches, while insider threats and physical theft made up 7% and 3% respectively. This highlights the need for strong cybersecurity, proper system setup, and employee awareness to protect against these common threats.


The bar chart shows the number of data breaches and the number of victims (in millions) in the USA, comparing the full year of 2023 with the first half of 2024. The blue bars represent the number of breaches, while the red line shows the number of victims affected by those breaches. Although the number of breaches in the first half of 2024 is lower than the total for 2023, the number of victims has risen sharply, indicating that breaches in 2024 have been much larger in scale.


EXPLANATION OF THE TOPIC

With more people using health apps and devices such as fitness trackers, a great deal of health information is being collected and shared online. For most hospitals and doctors, HIPAA is the law that protects this information. But many companies that collect health data, such as fitness tracker makers, diet apps, or connected-device vendors, are not covered by HIPAA. Does this mean the information is not protected? No, it still has legal protections.

The Federal Trade Commission (FTC) enforces a rule that requires companies not covered by HIPAA to notify their customers, the FTC, and sometimes the media if their health information is breached. Recent changes in July 2024 made it clear that health apps, connected devices, and similar products must follow this rule.

As healthcare and technology overlap more, this rule makes sure health data breaches do not go unnoticed. Issued over ten years ago, the rule ensures that companies responsible for maintaining personal health records (PHRs) must notify people if their data is compromised. As virtual care and health apps advance, the rule has been updated to make sure consumers are promptly informed if their health data is at risk.


WHAT ENTITY TYPES DOES THE HBNR APPLY TO?

The HBNR (Health Breach Notification Rule) applies to three types of entities: vendors of personal health records (PHRs), PHR-related entities, and third-party service providers for vendors or related entities.

Vendor of Personal Health Records:

Your business is a vendor of personal health records if you offer or manage a personal health record, which is an electronic record that can pull information from different sources and is managed by or for the individual. For example, if you create a health app that collects data from users and syncs with a fitness tracker, you are probably a vendor of personal health records. You aren’t a vendor if you’re covered by HIPAA.

PHR-Related Entity:

Your business is a PHR-related entity if you work with a vendor of personal health records, either by offering services through their website or by accessing or sending health information to a personal health record. For example, a company that offers a fitness tracker that sends data to health apps might be a PHR-related entity. You aren’t a PHR-related entity if you’re covered by HIPAA.

Third-Party Service Provider:

Your business is a third-party service provider if you offer services like using, maintaining, disclosing, or disposing of health information for vendors of personal health records or PHR-related entities. For example, if a vendor of personal health records hires your company to handle billing or data storage, you’re a third-party service provider covered by the Rule.

WHAT TRIGGERS THE NOTIFICATION REQUIREMENT?

The Rule requires you to notify people when there is an unauthorized acquisition of unsecured personal health record (PHR) identifiable health information. Here’s what those terms mean:

Unauthorized Acquisition:

If health information you have or use is taken by someone else without the person’s approval, it’s considered unauthorized. For example, if a thief steals an employee’s laptop with unsecured personal health records or someone on your staff downloads these records without approval, these are unauthorized acquisitions that require notification. A breach is not just about hackers; even unauthorized access or sharing of information by a company triggers the need for notification.

PHR Identifiable Health Information:

You only need to notify people if the breach involves health information that identifies or could reasonably identify someone. For example, if you share medical information along with mobile identifiers with an ad network without consent, or if someone hacks into your database and accesses email addresses, dates of birth, and medication info, this information could identify individuals, so it counts as PHR identifiable health information.

Unsecured Information:

The Rule only applies to unsecured health information, meaning information that is not encrypted or destroyed. For example, if an employee loses a laptop with encrypted personal health records, you would not need to notify people.

Personal Health Record:

A personal health record (PHR) is an electronic health record that can pull information from multiple sources and is managed by the individual. If a breach only involves paper health records, the FTC Rule does not require notification. But if your product pulls data from different sources, like a diet app that tracks weight and pulls calorie counts from menus, you probably have a PHR covered by the Rule.


WHAT TO DO IF A BREACH OCCURS?

If your business is a vendor of personal health records or a PHR-related entity and there is a breach, the Rule outlines what you need to do. You must notify:

· Each affected person who is a U.S. citizen or resident.

· The Federal Trade Commission (FTC), by submitting the online Notice of Breach of Health Information.

· In some cases, the media.


WHO MUST YOU NOTIFY, AND WHEN MUST YOU NOTIFY THEM?

People: If you experience a breach of unsecured personal health information, you must notify each affected person “without unreasonable delay” and within 60 calendar days after the breach is discovered. The countdown starts the day someone in your company knows or should have known about the breach. While the Rule gives you 60 days, you should notify people as soon as possible. Waiting until the 60th day when you already have the information might be seen as unreasonable.

The FTC: The timing depends on how many people are affected.

If 500 or more people are affected, you must notify the FTC when you notify the affected people. This should be done without unreasonable delay and no later than 60 days after the breach is discovered.

If fewer than 500 people are affected, you have more time. You must notify the FTC within 60 days after the end of the calendar year in which the breach occurred. For example, if there’s a breach in April affecting 100 people and another in September affecting 50 people, the 60-day countdown starts January 1st of the next year.

The Media: If a breach affects 500 or more residents of a particular state, the District of Columbia, or a U.S. territory, you must notify prominent media outlets in that area. This must be done without unreasonable delay and within 60 days of discovering the breach. Media notification is in addition to notifying the affected individuals.
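As an added illustration (not part of the article), the trigger conditions from the previous section and the timing rules above can be encoded as a small breach-notification triage and deadline calculator. The data shapes, the per-state counts and the reading of "60 days after the end of the calendar year" as December 31 plus 60 days are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)   # "without unreasonable delay", at most 60 calendar days
TIER_THRESHOLD = 500                 # FTC and media obligations both key off 500 people

@dataclass
class Breach:
    occurred: str             # ISO date of the unauthorized acquisition
    discovered: str           # ISO date the company knew or should have known
    unsecured: bool           # data was neither encrypted nor destroyed
    electronic: bool          # PHR data, not paper-only records
    identifiable: bool        # could reasonably identify individuals
    affected_by_state: dict   # e.g. {"CA": 600, "NY": 120}; U.S. residents per state

def notification_required(b: Breach) -> bool:
    """Notice is triggered only for unsecured, electronic, identifiable PHR data."""
    return (b.unsecured and b.electronic and b.identifiable
            and sum(b.affected_by_state.values()) > 0)

def notification_plan(b: Breach) -> dict:
    """Who must be told and by when, following the article's timing rules."""
    if not notification_required(b):
        return {"required": False}
    total = sum(b.affected_by_state.values())
    individual_deadline = date.fromisoformat(b.discovered) + NOTICE_WINDOW
    if total >= TIER_THRESHOLD:
        # 500+ people: the FTC notice goes out together with the individual notices
        ftc_deadline, ftc_timing = individual_deadline, "with individual notices"
    else:
        # fewer than 500: annual notice, due 60 days after Dec 31 of the year it occurred (assumed)
        year = date.fromisoformat(b.occurred).year
        ftc_deadline, ftc_timing = date(year, 12, 31) + NOTICE_WINDOW, "annual"
    # media notice only where 500+ residents of one state, DC or territory are affected
    media_states = sorted(s for s, n in b.affected_by_state.items() if n >= TIER_THRESHOLD)
    return {
        "required": True,
        "total_affected": total,
        "individual_deadline": individual_deadline.isoformat(),
        "ftc_deadline": ftc_deadline.isoformat(),
        "ftc_timing": ftc_timing,
        "media_states": media_states,
        "media_deadline": individual_deadline.isoformat() if media_states else None,
    }

if __name__ == "__main__":
    # constructed sample: unencrypted database copied out, discovered three weeks later
    sample = Breach("2024-04-10", "2024-05-01", True, True, True, {"CA": 600, "NY": 120})
    for key, value in notification_plan(sample).items():
        print(f"{key}: {value}")
```

Two small breaches in the same calendar year (the article's April and September example) produce the same annual FTC deadline, which is how the calculator shows they belong in one annual notice.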


CONCLUSION

The FTC Health Breach Notification Rule has been crucial in making sure companies that are not covered by HIPAA are still accountable for protecting people’s health information. By requiring these companies to notify consumers and the FTC of breaches, the rule has helped protect sensitive health data and build trust in digital health tools.

However, the rule also points out some ongoing challenges, like the complexity of digital health systems, the need for strong compliance, and how breaches can hurt consumer trust. Tackling these challenges will require ongoing innovation in health technology, stronger enforcement of regulations, and continuous consumer education.

Insights

The rule’s success in promoting transparency shows the importance of extending similar protections to new areas of digital health, like AI and wearable technology. As these technologies grow, new regulations may be needed to address their challenges.

Implications

For healthcare organizations and digital health companies, the FTC rule is a reminder of how important it is to protect data. Companies must invest in advanced security, regularly update their data protection practices, and be ready to respond quickly to breaches.

Recommendations

To better comply with the FTC Health Breach Notification Rule, companies should consider these steps:

Invest in Advanced Security: Use the latest security tools and methods to protect health information from breaches.

Develop a Breach Response Plan: Create and regularly update a plan for responding to breaches, including how to notify people and what corrective actions to take.

Educate Consumers: Provide clear information to consumers about the importance of data security and how they can protect their health information.


Sahil Agrawal

|PGDM - Healthcare Management ' 25| Placement Council Member|

4mo

Keep growing Dr. Sakshi Rawat!!

Shreya Bhattad

Deputy Placement Secretary at Welingkar Institute of Management

4mo

Insightful!

Hridayeshwari Mishra

Management Council Member|| PGDM Healthcare Student 2023-2025||

4mo

Well said!

Prince Shrivastava

WeSchool'25 | PGDM-HCM | SAMVAD

4mo

Very helpful!

Yash Singh

PGDM- Healthcare Management 23-25🎓 | Welingkar Institute of Management, Mumbai

4mo

Very informative!
