The Federal Trade Commission has finalized changes to its Health Breach Notification Rule, aiming to better address the evolving landscape of health technology.
The changes clarify the rule's scope regarding health apps and similar technologies, and expand the information that entities covered by the rule must provide to consumers in the event of a breach of their health data, according to an April 26 FTC news release.
Under the final rule, vendors of personal health records (PHRs) and related entities not covered by HIPAA must notify affected individuals, the FTC and, when applicable, the media, following a breach of unsecured PHR identifiable health information.
Additionally, third-party service providers to vendors of personal health records and related entities must notify those vendors and entities upon discovering a breach.
Here are other key revisions to the rule:
- Revised definitions: Definitions such as "PHR identifiable health information" were adjusted to underscore the rule's applicability to health apps and similar technologies not covered by HIPAA.
- Clarification of breach of security: The rule clarifies that a "breach of security" includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure, so the rule is not limited to incidents involving an outside intrusion.
- Expansion of electronic notification: The final rule permits expanded use of email and other electronic means for notifying consumers of a breach.
- Enhanced consumer notice content: The required content of breach notices to consumers is expanded, including disclosure of any third parties that acquired unsecured PHR identifiable health information due to the breach.
- Modified timing requirement: For breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they notify affected individuals, which must occur without unreasonable delay and in no case later than 60 calendar days after discovering the breach.
The final rule will become effective 60 days after its publication in the Federal Register.