FTC Finalizes Health Breach Notification Rule Modifications, Improving Health Privacy Safeguards for Consumers

May 6, 2024

The Federal Trade Commission recently finalized changes to modernize the Health Breach Notification Rule (HBNR), expanding its scope and improving its efficacy to address health privacy and data security risks that fall outside of HIPAA. In the event of a breach of security, the HBNR lays out requirements for covered entities to notify consumers, the Commission, and the public based on the nature of the breach. In addition to modifying the HBNR and increasing enforcement activity to protect the privacy of consumer health information, the Commission brought its first enforcement actions against entities for failing to comply with the HBNR last year.

In our comments to the Commission in June 2023, EPIC highlighted various proposed changes that have now been finalized in the HBNR. First, it is critical that the Commission expanded the scope of covered entities to include mobile apps and other digital service providers to more accurately reflect how consumers create and share identifiable health information in today’s digital ecosystem. Second, the Commission importantly clarified that a breach of security includes unauthorized access to identifiable health information. In other words, beyond a data breach, a breach of security under the HBNR would also include a scenario where an entity acquires identifiable health data without the authorization of the individual.

EPIC regularly files comments in response to proposed FTC rulemakings regarding business practices that violate privacy rights. Additionally, EPIC has long advocated for health privacy safeguards, including comments to the Department of Health and Human Services supporting its efforts to update the HIPAA Privacy Rule to protect reproductive privacy.
