The Federal Trade Commission (“FTC”) recently issued a proposal to amend its Health Breach Notification Rule (“Rule”) in light of the technological changes of the decade since the Rule was issued, in particular the increasing availability and use of apps and similar direct-to-consumer health technologies. The Rule, first issued in 2009, applies to entities that are not covered by HIPAA and its breach notification requirements but that nonetheless handle personal health records or electronic records of personal health information. It requires these non-HIPAA entities to notify consumers and the FTC of any breach of unsecured personal health record information and, for breaches involving 500 or more residents of a state, to notify prominent media outlets as well.
The proposed rule clarifies that the Rule covers most health apps and other technologies that are not covered by HIPAA but that use or provide services relating to personal health records or electronic records of personal health information. These apps and technologies collect individually identifiable health information from a variety of sources and retain that information as part of their products. The proposed rule also revises the definition of “breach of security” to make clear that a breach is not limited to a malicious intrusion or similar nefarious activity; it also includes an unauthorized disclosure of sensitive health information, such as sharing that information with a third party without the consumer’s authorization.