On May 30, 2024, the US Federal Trade Commission (FTC) published significant amendments to its Health Breach Notification Rule (HBNR), which now includes direct-to-consumer health and wellness technologies. These changes, effective from July 29, 2024, will require companies to re-evaluate their compliance with the Rule and update their incident response processes to meet new notification obligations.
The updated HBNR broadens its scope to include foreign and domestic vendors of personal health records (PHRs) and related entities. This includes a wider range of health and wellness apps, such as those tracking vital signs, fitness, fertility, and mental health. The Rule now specifies that breaches of unsecured PHR identifiable health information must be reported to individuals, the FTC, and in some cases, the media.
Key changes to the Rule include a revised definition of a breach to encompass unauthorized disclosures of health information. Additionally, companies must use email and other electronic methods to notify individuals of a breach, with new requirements for the content and format of these notifications. The timeline for notifying the FTC of incidents involving over 500 individuals has also been extended from ten business days to 60 days.
Companies offering connected health devices or mobile health applications should prepare by confirming whether their offerings fall under the updated Rule, revising their incident response processes, and ensuring their notification procedures align with the new requirements. This proactive approach will help them remain compliant with the expanded regulations.