EPIC Commends FTC Rulemaking to Expand Health Breach Notification Rule, Urges Expansion

In comments to the Federal Trade Commission, EPIC applauded the proposed modifications to the Health Breach Notification Rule (HBNR). EPIC commended the proposed rule’s expanded scope of HBNR-covered entities to include mobile applications and other digital services, a reflection of how consumers interact with health service providers today. Additionally, EPIC praised the Commission’s expanded definition of a “breach of security” but urged the FTC to also classify overcollection—that is, the collection of more identifiable health information than is reasonably necessary to provide a product or service sought by the consumer—as a breach.

EPIC regularly files comments in response to proposed FTC rulemakings regarding business practices that violate privacy rights. Additionally, EPIC has long advocated for health privacy safeguards. Recently, EPIC published an analysis of the FTC’s focus on health privacy and HBNR authority after the GoodRx enforcement action.