The Federal Trade Commission (FTC) has taken a significant stride in bolstering consumer protection in the digital health realm with its recent overhaul of the Health Breach Notification Rule (HBNR). Now, health apps and analogous technologies are brought under stringent scrutiny, filling a regulatory void that previously left them outside the scope of existing legislation like HIPAA.
Under the revamped regulations, entities not covered by HIPAA, such as vendors of personal health records (PHR) and related entities, are mandated to promptly notify individuals, the FTC, and potentially the media in the event of a breach of unsecured personally identifiable health information. This expansion of coverage represents a proactive measure by the FTC to adapt to the changing landscape of digital health, where traditional frameworks may fall short in addressing emerging risks.
The updated HBNR broadens the definition of a breach to encompass not only data security breaches but also unauthorized disclosures of unsecured PHR identifiable health information. This comprehensive approach ensures that any unauthorized access or sharing of personal health data triggers the required notification process, enhancing transparency and accountability.
Key provisions of the Final Rule include:
Inclusion of Health Apps and Similar Technologies: The revised regulations explicitly extend coverage to health apps and related technologies, reflecting the growing importance of these tools in managing health information.
Enhanced Consumer Notifications: Notifications to affected individuals must now include detailed information about the breach, such as the identity of third parties involved and the types of health information compromised. Clarity and transparency are prioritized to ensure consumers understand the implications of the breach.
Swift Reporting Requirements: Covered entities must promptly report breaches affecting 500 or more people to the FTC and affected individuals. Failure to comply with reporting obligations may result in civil penalties.
Clearer Compliance Guidelines: The Final Rule provides practical guidance on achieving clear and understandable notifications, helping businesses navigate compliance requirements effectively.
Businesses operating in the digital health space must familiarize themselves with the updated regulations and take proactive steps to ensure compliance. With the Final Rule set to take effect 60 days after its publication, healthcare companies must prioritize compliance or face the consequences of enforcement.