Editors Note: nice article by Rachel Nemeth explaining the CTA opposition or comments on the FTC NPRM
In mid-May, the Federal Trade Commission (FTC) proposed modifications to the Health Breach Notification Rule, sparking an important discussion on health data privacy. As North America’s largest technology trade association, the Consumer Technology Association (CTA) stands committed to protecting personal health data while supporting innovation. However, certain aspects of the proposed rule have raised concerns.
Some background first.
The Health Breach Notification Rule requires certain entities (like businesses and non-profits) that are not covered by HIPAA (which covers most hospitals, doctors’ offices and insurance companies) to notify customers and the FTC if there’s a breach of health data information.
Congress directed the FTC to implement this Rule via the Health Information Technology for Economic and Clinical Health Act (HITECH Act), but the recent proposed changes extend beyond Congress’ originally intended scope. The fundamental purpose of the Rule is to facilitate timely notification of significant health data breaches – not broadly regulate health data.
CTA responded to the FTC.
While CTA shares the FTC’s priority of protecting personal health data privacy and security, we find certain proposals impractical, unhelpful for consumers, and unduly burdensome. This week, CTA officially responded to the FTC on these unnecessary proposals.
Our full comments are available here, but below is a summary of what we said:
Scope of Covered Parties should be limited.
The scope of the entities covered by the Rule should be limited, consistent with the original intent of the HITECH Act. This means excluding merchants who sell diverse products, but including apps that collect health data from various sources. Additionally, exclude service providers like cloud computing, analytics, and advertising, especially if they are not intentionally handling covered health data.
Scope of a “Breach of Security” should be narrowed.
The Rule should focus on unauthorized “acquisition” of covered health data, excluding accidental or well-intentioned unauthorized access or sharing where the information isn’t actually taken by a third party. This avoids reporting minor incidents and wasting resources. CTA supports not defining “authorization” as it goes beyond the Rule’s purpose. CTA also recommends adding exceptions for “unauthorized” data taking, similar to HIPAA and state privacy laws, to enhance regulatory clarity.
Arbitrary reporting timelines and triggers should be avoided.
The Commission should replace fixed timelines for reporting breaches based on when a company finds a potential security issue. Instead, reporting should happen when a company reasonably confirms an actual security breach and should offer more time for certain incidents. This approach decreases unnecessary reports, lets companies focus on investigating possible issues, and aligns better with state data breach reporting laws.
Notice procedures should be simplified.
Simplifying the consumer notice form and content ensures actionable information reaches consumers efficiently. Streamlining email notifications and avoiding speculative breach risk requirements improves communication clarity.
In conclusion, CTA remains committed to working with the FTC in creating a balanced, practical, and consumer-focused Health Breach Notification Rule. One of our goals is to safeguard personal health data privacy and security while fostering innovation and economic growth. Considering industry feedback and recommendations will ensure a Rule that enhances consumer trust, protects data, and supports the continued growth of the technology industry.
Together, we can build a secure and innovative digital future for all.