CTA Stance on FTC Proposed Changes

August 26, 2023

Protecting Health Data Privacy: CTA’s Stance on FTC’s Proposed Changes

Editor's Note: a nice article by Rachel Nemeth explaining the CTA's opposition to, and comments on, the FTC NPRM.

Rachel Nemeth

Senior Director Regulatory Affairs at Consumer Technology Association

In mid-May, the Federal Trade Commission (FTC) proposed modifications to the Health Breach Notification Rule, sparking an important discussion on health data privacy. As North America’s largest technology trade association, the Consumer Technology Association (CTA) stands committed to protecting personal health data while supporting innovation. However, certain aspects of the proposed rule have raised concerns.

Some background first.

The Health Breach Notification Rule requires certain entities (like businesses and non-profits) that are not covered by HIPAA (which covers most hospitals, doctors’ offices and insurance companies) to notify customers and the FTC if there’s a breach of health data information.

Congress directed the FTC to implement this Rule via the Health Information Technology for Economic and Clinical Health Act (HITECH Act), but the recently proposed changes extend beyond the scope Congress originally intended. The fundamental purpose of the Rule is to facilitate timely notification of significant health data breaches, not to regulate health data broadly.

CTA responded to the FTC.

While CTA shares the FTC’s priority of protecting personal health data privacy and security, we find certain proposals impractical, unhelpful for consumers, and unduly burdensome. This week, CTA officially responded to the FTC on these unnecessary proposals.

Our full comments are available here, but below is a summary of what we said:

Scope of Covered Parties should be limited.

The scope of the entities covered by the Rule should be limited, consistent with the original intent of the HITECH Act. This means excluding merchants who sell diverse products, but including apps that collect health data from various sources. Additionally, exclude service providers like cloud computing, analytics, and advertising, especially if they are not intentionally handling covered health data.

Scope of a “Breach of Security” should be narrowed.

The Rule should focus on unauthorized “acquisition” of covered health data, excluding accidental or well-intentioned unauthorized access or sharing where the information isn’t actually taken by a third party. This avoids reporting minor incidents and wasting resources. CTA supports not defining “authorization,” as doing so goes beyond the Rule’s purpose. CTA also recommends adding exceptions for “unauthorized” data taking, similar to those in HIPAA and state privacy laws, to enhance regulatory clarity.

Arbitrary reporting timelines and triggers should be avoided.

The Commission should replace fixed reporting timelines that run from when a company first finds a potential security issue. Instead, reporting should be required once a company reasonably confirms an actual security breach, with more time allowed for certain incidents. This approach decreases unnecessary reports, lets companies focus on investigating possible issues, and aligns better with state data breach reporting laws.

Notice procedures should be simplified.

Simplifying the consumer notice form and content ensures actionable information reaches consumers efficiently. Streamlining email notifications and avoiding speculative breach risk requirements improves communication clarity.

In conclusion, CTA remains committed to working with the FTC in creating a balanced, practical, and consumer-focused Health Breach Notification Rule. One of our goals is to safeguard personal health data privacy and security while fostering innovation and economic growth. Considering industry feedback and recommendations will ensure a Rule that enhances consumer trust, protects data, and supports the continued growth of the technology industry.

Together, we can build a secure and innovative digital future for all.

Author: Site Manager

Many years in the kiosk industry, and in the healthcare sector in particular. EPIC was the primary EHR worked with, and patient check-in kiosks were the big element.