On April 26, 2024, the Federal Trade Commission (FTC) finalized changes to the Health Breach Notification Rule (HBNR). The final rule aims to cover a broad range of health apps and similar technology not covered by the Health Insurance Portability and Accountability Act (HIPAA). Specifically, the final rule expands the HBNR’s scope through new or revised definitions of “PHR identifiable health information,” “covered health care provider,” “health care services or supplies,” and “PHR related entity”; clarifies what it means for a “personal health record” to be “drawn from multiple sources”; clarifies that a “breach of security” is not limited to data breaches but also includes unauthorized disclosures of health information; expands the use of email notifications to consumers; increases the content requirements for notices to consumers; and modifies when the FTC must be notified after a breach. Despite the new definitions and clarifications, however, it remains unclear whether and how the HBNR applies to certain service providers (such as data security, cloud computing, advertising, and analytics companies) and to different types of health-related information (and inferences related to such information) that may be generated in a retail or e-commerce context.
The full article is by Haynes Boone lawyers Jennifer Kreick and Neil Issar for AHLA.