Protecting Health Data Privacy: CTA’s Stance on FTC’s Proposed Changes
Editors Note: nice article by Rachel Nemeth explaining the CTA opposition or comments on the FTC NPRM
Rachel Nemeth
In mid-May, the Federal Trade Commission (FTC) proposed modifications to the Health Breach Notification Rule, sparking an important discussion on health data privacy. As North America’s largest technology trade association, the Consumer Technology Association (CTA) stands committed to protecting personal health data while supporting innovation. However, certain aspects of the proposed rule have raised concerns.
Some background first.
The Health Breach Notification Rule requires certain entities (like businesses and non-profits) that are not covered by HIPAA (which covers most hospitals, doctors’ offices and insurance companies) to notify customers and the FTC if there’s a breach of health data information.
Congress directed the FTC to implement this Rule via the Health Information Technology for Economic and Clinical Health Act (HITECH Act), but the recent proposed changes extend beyond Congress’ originally intended scope. The fundamental purpose of the Rule is to facilitate timely notification of significant health data breaches – not broadly regulate health data.
CTA responded to the FTC.
While CTA shares the FTC’s priority of protecting personal health data privacy and security, we find certain proposals impractical, unhelpful for consumers, and unduly burdensome. This week, CTA officially responded to the FTC on these unnecessary proposals.
Our full comments are available here, but below is a summary of what we said:
Scope of Covered Parties should be limited.
The scope of the entities covered by the Rule should be limited, consistent with the original intent of the HITECH Act. This means excluding merchants who sell diverse products, but including apps that collect health data from various sources. Additionally, exclude service providers like cloud computing, analytics, and advertising, especially if they are not intentionally handling covered health data.
Scope of a “Breach of Security” should be narrowed.
The Rule should focus on unauthorized “acquisition” of covered health data, excluding accidental or well-intentioned unauthorized access or sharing where the information isn’t actually taken by a third party. This avoids reporting minor incidents and wasting resources. CTA supports not defining “authorization” as it goes beyond the Rule’s purpose. CTA also recommends adding exceptions for “unauthorized” data taking, similar to HIPAA and state privacy laws, to enhance regulatory clarity.
Arbitrary reporting timelines and triggers should be avoided.
The Commission should replace fixed timelines for reporting breaches based on when a company finds a potential security issue. Instead, reporting should happen when a company reasonably confirms an actual security breach and should offer more time for certain incidents. This approach decreases unnecessary reports, lets companies focus on investigating possible issues, and aligns better with state data breach reporting laws.
Notice procedures should be simplified.
Simplifying the consumer notice form and content ensures actionable information reaches consumers efficiently. Streamlining email notifications and avoiding speculative breach risk requirements improves communication clarity.
In conclusion, CTA remains committed to working with the FTC in creating a balanced, practical, and consumer-focused Health Breach Notification Rule. One of our goals is to safeguard personal health data privacy and security while fostering innovation and economic growth. Considering industry feedback and recommendations will ensure a Rule that enhances consumer trust, protects data, and supports the continued growth of the technology industry.
Together, we can build a secure and innovative digital future for all.
Comments on Rachel Nemeth’s article
FTC Proposes Amendments to Strengthen and Modernize the Health Breach Notification Rule
The Federal Trade Commission is seeking comment on proposed changes to the Health Breach Notification Rule (HBNR) that include clarifying the rule’s applicability to health apps and other similar t
The Federal Trade Commission is seeking comment on proposed changes to the Health Breach Notification Rule (HBNR) that include clarifying the rule’s applicability to health apps and other similar technologies.
Since the rule’s issuance, health apps and other direct-to-consumer health technologies, such as fitness trackers, have become commonplace. The proposed changes to the rule come as business practices and technological developments increase both the amount of health data collected from consumers, and the incentive for companies to use or disclose that sensitive data for marketing and other purposes.
“We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information. When this information is breached, it is more vital than ever that mobile health app developers and others covered by the Health Breach Notification Rule provide consumers and the FTC with timely notice about what happened,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The proposed amendments to the rule will allow it to keep up with marketplace trends, and respond to developments and changes in technology.”
The rule requires vendors of personal health records (PHR) and related entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third party service providers to vendors of PHRs and PHR-related entities to provide notification to such vendors and PHR-related entities following the discovery of a breach.
Protecting the privacy and security of personal health data is a high priority for the FTC, which has brought several cases in recent years involving the misuse of consumers personal health data, including two enforcement actions that alleged HBNR violations.
Earlier this week, the FTC announced a proposed order settling allegations that fertility app Premom violated the HBNR. In February 2023, the FTC announced its first enforcement action under the HBNR against telehealth and prescription drug discount provider GoodRx Holdings Inc. The FTC says GoodRx and Premom each violated the rule by failing to notify users about the companies’ unauthorized disclosure of users’ personally identifiable health information to third parties.
As part of a regular review of Commission rules, the FTC in 2020 sought comment on whether changes were needed to the HBNR. In September 2021, the FTC issued a policy statement affirming that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule.
After reviewing the public comments and consistent with the policy statement, the Commission has proposed the following changes to the HBNR:
- Revising several definitions to clarify the rule’s application to health apps and similar technologies not covered by HIPAA. This includes modifying the definition of “PHR identifiable health information” and adding two new definitions for “health care provider” and “health care services or supplies”;
- Clarifying that a “breach of security” under the rule includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;
- Revising the definition of “PHR related entity” in two ways that pertain to the rule’s scope. For example, it makes clear that only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities;
- Clarifying what it means for a personal health record to draw PHR identifiable health information from multiple sources;
- Authorizing the expanded use of email and other electronic means of providing clear and effective notice of a breach to consumers;
- Expanding the required content that should be provided in the notice to consumers. For example, the notice would be required to include information about the potential harm stemming from the breach and the names of any third parties who might have acquired any unsecured personally identifiable health information; and
- Adding changes to improve the rule’s readability and promote compliance.
The public will have 60 days after the notice is published in the Federal Register to submit comments on the proposed changes to the rule. Information on how to submit a comment can be found in the notice. Once processed, the comments will be posted to Regulations.gov.
The Commission voted 3-0 at an open Commission meeting to publish the proposed changes to the HBNR in the Federal Register.
The lead staff attorneys on this matter are Ryan Mehm, Ronnie Solomon, and Elisa Jillson of the FTC’s Bureau of Consumer Protection.